Hi,
the update to OpenVAS Scanner 6.0 broke one of my scan jobs. On closer inspection, /var/log/gvm/openvassd.log
shows that the scanner tries to resolve interesting host names and subsequently falls over:
[...]
base hosts:WARNING:2019-05-24 09h09.08 utc:27074: Couldn't resolve hostname 0
base hosts:WARNING:2019-05-24 09h09.08 utc:27074: Couldn't resolve hostname
base hosts:WARNING:2019-05-24 09h09.09 utc:27074: Couldn't resolve hostname ) $|crea1
sd main:WARNING:2019-05-24 09h09.09 utc:27074: SIGSEGV occurred!
sd main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(sighand_segv+0x39) [0x40dc29]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libc.so.6(+0x36280) [0x7f20d21dc280]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libgvm_base.so.10(gvm_hosts_resolve+0x40) [0x7f20d3a67dc0]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(attack_network+0x213) [0x407923]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock() [0x40ab0e]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(create_process+0xdd) [0x40d9dd]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(main+0x34b) [0x405c9b]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f20d21c83d5]
sd main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock() [0x405eb8]
[...]
This very much looks like a buffer overflow to me, and some bisection testing shows that for a hostname list that is 242 characters long, everything works fine, but one hostname more (for a total of 265 characters) triggers the problem. This suspiciously looks like a static buffer of size 256 to me.
Can anyone comment on this? This problem is a show stopper here, unfortunately – chunking up host lists to short-enough strings is not really an option.
Thanks a lot and cheers,
Toby.
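The fixed-buffer hypothesis in the post, illustrated as an added example (this is not gvm-libs or OpenVAS code, and nothing here reproduces the real gvm_hosts_resolve): exceeds_fixed_buffer is the length check a 256-byte scratch buffer would need before copying a host list, and split_hosts is a tokenizer whose storage is sized from the input rather than from a constant, so a list longer than any fixed size cannot run past the end of its storage. The 256 constant, the function names and the target-NN.example.test sample hosts are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the post only guesses that a 256-byte buffer exists. */
#define FIXED_BUF 256

/* Separators accepted between host names in the list. */
static const char *const HOST_SEPS = ", \t\n";

/* 1 if `list` plus its NUL terminator would not fit into a FIXED_BUF-byte
 * buffer, i.e. the pre-condition a fixed-buffer implementation must check
 * before copying. */
int exceeds_fixed_buffer(const char *list) {
    return strlen(list) + 1 > FIXED_BUF;
}

/* Release a NULL-terminated host array produced by split_hosts. */
void free_hosts(char **hosts) {
    if (!hosts) return;
    for (size_t i = 0; hosts[i]; i++) free(hosts[i]);
    free(hosts);
}

/* Split a separator-delimited host list into a NULL-terminated array of
 * freshly allocated strings. Every copy is bounded by the token length taken
 * from the input itself, so there is no size the list can exceed.
 * Returns NULL on allocation failure; *count receives the number of hosts. */
char **split_hosts(const char *list, size_t *count) {
    size_t cap = 8, n = 0;
    char **hosts = malloc(cap * sizeof *hosts);
    if (!hosts) return NULL;
    hosts[0] = NULL;                       /* keep the array NULL-terminated */

    const char *p = list;
    while (*p) {
        p += strspn(p, HOST_SEPS);         /* skip leading separators */
        if (!*p) break;
        size_t len = strcspn(p, HOST_SEPS); /* token length from the input */

        if (n + 1 >= cap) {                /* grow; +1 reserves the NULL slot */
            cap *= 2;
            char **tmp = realloc(hosts, cap * sizeof *hosts);
            if (!tmp) { free_hosts(hosts); return NULL; }
            hosts = tmp;
        }
        hosts[n] = malloc(len + 1);
        if (!hosts[n]) { free_hosts(hosts); return NULL; }
        memcpy(hosts[n], p, len);
        hosts[n][len] = '\0';
        n++;
        hosts[n] = NULL;
        p += len;
    }
    *count = n;
    return hosts;
}

/* Constructed sample input: n hosts named target-00.example.test,
 * target-01.example.test, ... joined by commas (22 chars per name). */
char *build_sample_list(size_t n) {
    const size_t name_len = strlen("target-00.example.test");
    char *buf = malloc(n * (name_len + 1) + 1);
    if (!buf) return NULL;
    char *w = buf;
    *w = '\0';
    for (size_t i = 0; i < n; i++)
        w += sprintf(w, "%starget-%02zu.example.test", i ? "," : "", i % 100);
    return buf;
}

int main(void) {
    for (size_t n = 11; n <= 12; n++) {
        char *list = build_sample_list(n);
        size_t count = 0;
        char **hosts = split_hosts(list, &count);
        printf("%zu hosts, %zu chars, fixed %d-byte buffer %s\n", count,
               strlen(list), FIXED_BUF,
               exceeds_fixed_buffer(list) ? "would overflow" : "suffices");
        free_hosts(hosts);
        free(list);
    }
    return 0;
}
```

With 11 names the constructed list is 252 characters and fits a 256-byte buffer; the twelfth name pushes it to 275, which is the kind of boundary the post's bisection (fine at 242, crashing at 265) points at. The garbage in the "Couldn't resolve hostname ) $|crea1" log line is consistent with a tokenizer reading past the end of its storage, which is exactly what sizing from the input avoids.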