Regression with afp-showmount on nmap 7.80 #2091

@MikeRich88

Attached is the log with -d

Works fine on 7.70

Maybe related to all the other unpack issues I am seeing? What changed with unpack in 7.80?

[user@quinn ~]# nmap -d --script=afp-showmount -Pn -p548 -n xx.xx.xx.xx
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-01 11:08 CDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Initiating SYN Stealth Scan at 11:08
Scanning xx.xx.xx.xx [1 port]
Packet capture filter (device enp0s25): dst host yy.yy.yy.yy and (icmp or icmp6 or ((tcp or udp or sctp) and (src host xx.xx.xx.xx)))
Discovered open port 548/tcp on xx.xx.xx.xx
Completed SYN Stealth Scan at 11:08, 0.09s elapsed (1 total ports)
Overall sending rates: 11.00 packets / s, 484.06 bytes / s.
NSE: Script scanning xx.xx.xx.xx.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
NSE: Starting afp-showmount against xx.xx.xx.xx:548.
NSE: afp-showmount against xx.xx.xx.xx:548 threw an error!
/usr/bin/../share/nmap/nselib/afp.lua:2041: bad argument #3 to 'unpack' (initial position out of string)
stack traceback:
	[C]: in function 'string.unpack'
	/usr/bin/../share/nmap/nselib/afp.lua:2041: in field 'decode_dir_bitmap'
	/usr/bin/../share/nmap/nselib/afp.lua:1010: in method 'fp_get_file_dir_parms'
	/usr/bin/../share/nmap/nselib/afp.lua:1673: in method 'GetSharePermissions'
	/usr/bin/../share/nmap/scripts/afp-showmount.nse:85: in function </usr/bin/../share/nmap/scripts/afp-showmount.nse:46>
	(...tail calls...)

Completed NSE at 11:08, 1.45s elapsed
Nmap scan report for xx.xx.xx.xx
Host is up, received user-set (0.076s latency).
Scanned at 2020-08-01 11:08:39 CDT for 1s

PORT    STATE SERVICE REASON
548/tcp open  afp     syn-ack ttl 51
Final times for host: srtt: 75885 rttvar: 75885  to: 379425

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
