View Issue Details

ID: 0002387
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2015-08-09 22:35
Reporter: ferdinandg
Assigned To: rhertzog
Status: resolved
Resolution: fixed
Product Version: 1.1.0
Fixed in Version: 2.0
Summary: 0002387: OpenVAS 8 + Kali 1.1.0 / dirb scanner bug

Hi there!

I recently set up OpenVAS 8 on Kali 1.1.0 and ran into a funny problem.

While running a scan, the Kali VM would use up more and more RAM at
high CPU load until finally crashing. I quickly identified the dirb scanner
as the culprit.

While strace’ing the scanner, I noticed its last action was running stat()
on the cache directory. Then there would just be requests for more and
more RAM.

I noticed that the bug did not occur while running stand-alone from the
command line. The one thing different with OpenVAS was that the scanner
was running with HOME=/.

After looking at the source I found a bug in the mkpath() function in resume.c
and in the way the cache directory string is built. If HOME=/, the cache
directory string will end up like //.cache/…
In mkpath(), the recursion exits only if the last directory being returned by
dirname() is either "." or "/". But in the special case of HOME=/, the last
directory is "//". So there's a nice endless recursion here.

I just added a simple patch to fix the path string when HOME=/.
The scanner works ok now.

Kind regards,

--- dirb222/src/resume.c 2013-12-03 13:17:38.000000000 +0100
+++ dirb222.patched/src/resume.c 2015-07-02 09:35:35.384410838 +0200
@@ -35,7 +35,11 @@
// Comprobamos si existe el directorio y sino intentamos crealo

home = getenv("HOME");

  • asprintf(&dumppath,"%s/%s", home, DUMP_DIR);
  • if (strcmp(home, "/") == 0) {
  • asprintf(&dumppath,"%s%s", home, DUMP_DIR);
  • } else {
  • asprintf(&dumppath,"%s/%s", home, DUMP_DIR);
  • }
    asprintf(&optionspath, "%s/%s", home, OPTIONS_DUMP);
    asprintf(&wordlistpath, "%s/%s", home, WORDLIST_DUMP);
    asprintf(&dirlistpath, "%s/%s", home, DIRLIST_DUMP);
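Review bot: the new strcmp(home, "/") in this hunk dereferences the getenv("HOME") result without a NULL check, so an unset HOME crashes the scanner before mkpath() is ever reached; test for NULL (and fall back to a sane default) before the comparison. The special case also only covers dumppath: the optionspath, wordlistpath and dirlistpath lines that follow still use "%s/%s" and therefore still start with "//" when HOME is "/". Finally, this patches the symptom at the caller rather than the termination test in mkpath() that the description identifies as the bug; making mkpath() stop on any all-slash dirname() result, or whenever dirname() returns its input unchanged, would also cover a HOME that ends in a slash, which the strcmp against exactly "/" does not.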
Steps To Reproduce

Run OpenVAS with the dirb scanner.




2015-07-28 12:48

administrator   ~0003608

This looks like a very useful bug report except that the source code of OpenVAS scanner does not contain any resume.c file. I tried to find it in other openvas-* packages but failed to do so as well.

After more web search, it looks like you are referring to a bug in the "dirb" software (version 2.21-1kali0 in kali).

I guess that you are running dirb within openvas-scanner... If yes, how can we reproduce this setup? (Sorry I'm not a pentester, just a developer/packager)

While your suggested patch might fix the infinite loop, it doesn't look like a proper fix either. No tool should ever write anything to /.cache and I'm not sure that the tool would have the required rights anyway. Maybe the dirb integration in openvas should be enhanced?



2015-07-28 13:47

reporter   ~0003611

Yes, I am indeed referring to the dirb scanner. The proper fix would probably be to ensure that OpenVAS is running with a different HOME directory than /. A different approach might be to just create a tmp cache directory for dirb under /tmp or somewhere like that.

To reproduce the setup: I did a standard Kali install, and then upgraded to OpenVAS 8 via the steps advised here:



2015-07-28 16:14

administrator   ~0003615

And then how do you run the "dirb" scanner through OpenVAS?



2015-07-30 10:54

reporter   ~0003643

You do not exactly need to specify or do anything. OpenVAS will check for the scanner in several locations, and if found, will run the scanner by itself.



2015-08-09 22:35

administrator   ~0003671

Fixed in dirb_2.22-0kali2.dsc uploaded to kali-dev that I will push to sana too.

Issue History

Date Modified Username Field Change
2015-07-03 10:30 ferdinandg New Issue
2015-07-22 16:28 rhertzog Assigned To => rhertzog
2015-07-22 16:28 rhertzog Status new => assigned
2015-07-28 12:48 rhertzog Note Added: 0003608
2015-07-28 12:48 rhertzog Status assigned => feedback
2015-07-28 13:47 ferdinandg Note Added: 0003611
2015-07-28 13:47 ferdinandg Status feedback => assigned
2015-07-28 16:14 rhertzog Note Added: 0003615
2015-07-28 18:38 rhertzog Status assigned => feedback
2015-07-30 10:54 ferdinandg Note Added: 0003643
2015-07-30 10:54 ferdinandg Status feedback => assigned
2015-08-09 22:35 rhertzog Note Added: 0003671
2015-08-09 22:35 rhertzog Status assigned => resolved
2015-08-09 22:35 rhertzog Fixed in Version => 2.0
2015-08-09 22:35 rhertzog Resolution open => fixed