CVE-2022-30284 – Design weakness in the python-libnmap package (4th May 2022)

Preface: If you do a resources plan in large data center. Maybe you use nmap. E.g: Performs a list scan on the provided ranges and returns an NmapReport object including in your MIS report.

Background: libnmap is a python library to parse nmap xml data. It supports python 3.6+.
libnmap is a python library enabling python developers to manipulate nmap data. The libnmap targets are as follows:

  • manipulate nmap scans results to do reporting
  • compare and diff nmap scans to generate graphs
  • batch process scan reports

How to install? pip install python-libnmap

Vulnerability details: In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments).

My imagination. Refer to attached diagram. If attacker have a way to do a re-engineering to the file (hostname-discovery.py) and replace the original file.See add on command syntax in red box in the diagram.
The file replaced by the attacker (hostname-discovery.py) will execute the command syntax to upload the file (rev.nse) over http.Therefore, it can execute an NSE reverse shell on the target system.

Preventive control and protective control: Please refer to the link for details – https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Expert findings and Proof of concept: Please refer to the link for details – https://www.swascan.com/security-advisory-libnmap-2/

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.