Description
We received a report from a company using Nmap that was concerned about reducing the risk that an attacker could replace Nmap's data files, since that could potentially allow code execution. The data file replacement behavior is all documented at https://nmap.org/book/data-files-replacing-data-files.html, but we think this could be tightened up without substantially reducing usability. So our current plans are:
- Remove C:\Nmap from the Windows search path. Even though it is documented, I doubt many people use it. And it does introduce security concerns since Windows (at least sometimes) ships with insecure C: root filesystem permissions, probably for legacy app compatibility reasons. On Linux/UNIX/Mac platforms, all of the data directories are places that should only be writable by privileged users (or the user running Nmap themselves).
- Remove the "updates" directory searches since those relate to a feature that we never really introduced.
- We will make sure the current working directory isn't searched when specifying NSE scripts by category (though keep it for running scripts). Also, there is a feature where you can specify a directory and have all NSE scripts in that directory automatically run. We are thinking about requiring a forward slash at the end of the directory name for that feature so that it doesn't happen accidentally.