Nessus command-line segmentation fault
Mercer, Jeff
Jeff.Mercer at itcdeltacom.com
Tue Jan 11 10:24:03 EST 2005
I'm having an issue with Nessus v2.2.2a crashing when it's invoked in a
command-line fashion to perform a network scan. My platform is a G4
dual-processor with 640MB of memory running YellowDog Linux 3.0.
Nessus works great when I use a client such as the NessusWX windows client.
No problems at all.
However, when I tried using Nessus with the Inprotect web-based interface, I
would never get scan results. After reviewing the Inprotect source I picked
out the specific command-line being executed and ran it manually. Lo and
behold, I get a segmentation fault, :(
This has happened both with Nessus 2.2.2a and Nessus 2.2.0.
Here's the command line Inprotect was attempting to use:
nessus -qx host 1241 inprotect password /tmp/target_s13641 \
/tmp/nessus_s13641.out -V -T nbe -c /tmp/nessus_s13641.cfg
My first thought was there was something wrong with the config file that
Inprotect generated. But I found even invoking a simplified nessus command
would result in a crash:
nessus -qx host 1241 inprotect password target.txt nessus.out -T nbe
I'm not very experienced with using gdb to analyze core-dumps, but I was
able to pull this much out of the coredump:
GNU gdb Yellow Dog Linux (5.2.1-4b)
Core was generated by `/usr/local/bin/nessus -qx host 1241
/t'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libnessus.so.2...done.
Loaded symbols for /usr/local/lib/libnessus.so.2
Reading symbols from /usr/local/lib/libhosts_gatherer.so.2...done.
Loaded symbols for /usr/local/lib/libhosts_gatherer.so.2
Reading symbols from /usr/local/lib/libpcap-nessus.so.2...done.
Loaded symbols for /usr/local/lib/libpcap-nessus.so.2
Reading symbols from /lib/libutil.so.1...done.
Loaded symbols for /lib/libutil.so.1
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libssl.so.4...done.
Loaded symbols for /lib/libssl.so.4
Reading symbols from /lib/libcrypto.so.4...done.
Loaded symbols for /lib/libcrypto.so.4
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libgtk-x11-2.0.so.0...done.
Loaded symbols for /usr/lib/libgtk-x11-2.0.so.0
Reading symbols from /usr/lib/libgdk-x11-2.0.so.0...done.
Loaded symbols for /usr/lib/libgdk-x11-2.0.so.0
Reading symbols from /usr/lib/libatk-1.0.so.0...done.
Loaded symbols for /usr/lib/libatk-1.0.so.0
Reading symbols from /usr/lib/libgdk_pixbuf-2.0.so.0...done.
Loaded symbols for /usr/lib/libgdk_pixbuf-2.0.so.0
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /usr/lib/libpangoxft-1.0.so.0...done.
Loaded symbols for /usr/lib/libpangoxft-1.0.so.0
Reading symbols from /usr/lib/libpangox-1.0.so.0...done.
Loaded symbols for /usr/lib/libpangox-1.0.so.0
Reading symbols from /usr/lib/libpango-1.0.so.0...done.
Loaded symbols for /usr/lib/libpango-1.0.so.0
Reading symbols from /usr/lib/libgobject-2.0.so.0...done.
Loaded symbols for /usr/lib/libgobject-2.0.so.0
Reading symbols from /usr/lib/libgmodule-2.0.so.0...done.
Loaded symbols for /usr/lib/libgmodule-2.0.so.0
Reading symbols from /usr/lib/libglib-2.0.so.0...done.
Loaded symbols for /usr/lib/libglib-2.0.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /usr/kerberos/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/kerberos/lib/libgssapi_krb5.so.2
Reading symbols from /usr/kerberos/lib/libkrb5.so.3...done.
Loaded symbols for /usr/kerberos/lib/libkrb5.so.3
Reading symbols from /usr/kerberos/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/kerberos/lib/libk5crypto.so.3
Reading symbols from /usr/kerberos/lib/libcom_err.so.3...done.
Loaded symbols for /usr/kerberos/lib/libcom_err.so.3
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/ld.so.1...done.
Loaded symbols for /lib/ld.so.1
Reading symbols from /usr/X11R6/lib/libXrandr.so.2...done.
Loaded symbols for /usr/X11R6/lib/libXrandr.so.2
Reading symbols from /usr/X11R6/lib/libXi.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXi.so.6
Reading symbols from /usr/X11R6/lib/libXext.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.6
Reading symbols from /usr/X11R6/lib/libXft.so.2...done.
Loaded symbols for /usr/X11R6/lib/libXft.so.2
Reading symbols from /usr/X11R6/lib/libXrender.so.1...done.
Loaded symbols for /usr/X11R6/lib/libXrender.so.1
Reading symbols from /usr/lib/libfontconfig.so.1...done.
Loaded symbols for /usr/lib/libfontconfig.so.1
Reading symbols from /usr/X11R6/lib/libX11.so.6...done.
Loaded symbols for /usr/X11R6/lib/libX11.so.6
Reading symbols from /usr/lib/libfreetype.so.6...done.
Loaded symbols for /usr/lib/libfreetype.so.6
Reading symbols from /usr/lib/libexpat.so.0...done.
Loaded symbols for /usr/lib/libexpat.so.0
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0 0x0f5cf410 in strlen () at mtrace.c:200
200 mtrace.c: No such file or directory.
in mtrace.c
(gdb) bt
#0 0x0f5cf410 in strlen () at mtrace.c:200
#1 0x0f59ba20 in _IO_vfprintf (s=0x7ffff608,
format=0x3 <Address 0x3 out of bounds>, ap=0x7ffff790) at
vfprintf.c:1528
#2 0x0f5bd730 in _IO_vsnprintf (string=0x7ffff050 "\177ÿö", maxlen=0,
format=0xed1 <Address 0xed1 out of bounds>, args=0x7ffff608)
at vsnprintf.c:130
#3 0x10009878 in network_printf (data=0x0) at auth.c:100
#4 0x1000ad44 in cli_send_prefs_arglist (pref=0x10e83930,
upload=0x7ffff808)
at comm.c:593
#5 0x1000ae68 in cli_comm_send_preferences (preferences=0x101d54d8)
at comm.c:619
#6 0x1000b404 in comm_send_preferences (preferences=0xed1) at comm.c:751
#7 0x10011a74 in attack_host (hostname=0x10f110d0 "10.1.21.209",
preferences=0x101d38d8) at attack.c:162
#8 0x1000cfd0 in cli_test_network (cli=0x101d3918) at cli.c:446
#9 0x10048180 in main (argc=0, argv=0x7ffff080) at nessus.c:1273
#10 0x0f56904c in __libc_start_main (argc=13, ubp_av=0x7ffff964, ubp_ev=0x8,
auxvec=0x7ffffa20, rtld_fini=Cannot access memory at address 0xed1
) at ../sysdeps/powerpc/elf/libc-start.c:178
(gdb) list
195 in mtrace.c
--------
The error that it couldn't find mtrace.c is quite interesting. I did a
filesystem search and indeed, there is no mtrace.c anywhere. I'm not sure if
that's supposed to be part of the Nessus source, one of the many libraries
being called or some part of the OS.
Any pointers here? Maybe I need to reconfigure and rebuild Nessus, or
perhaps there's something about a library that needs to be changed. I'd
REALLY like to get Inprotect working, and this is my only problem right now.
Thanks in advance!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeff Mercer - ITS Security & BTINet Systems Administration
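
The backtrace above faults in strlen() under vfprintf(), reached through a variadic wrapper (network_printf). The following is an added illustration, not Nessus code and not a diagnosis of auth.c: it shows the two checks such a wrapper needs to avoid this crash shape, rejecting a NULL format and using va_copy before walking the argument list a second time (reusing a va_list is undefined behaviour and tends to fault on ABIs such as PowerPC, where va_list is not a plain pointer). The names format_alloc and format_alloc_v are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: format into a freshly allocated buffer.
 * Returns NULL on a NULL format, a formatting error or allocation
 * failure. The caller frees the result. */
static char *format_alloc_v(const char *fmt, va_list ap)
{
    va_list probe;
    char *buf;
    int need, wrote;

    if (fmt == NULL)            /* vfprintf() would dereference it */
        return NULL;

    /* First pass only measures. It runs on a copy, so 'ap' is still
     * untouched and valid for the second pass below. */
    va_copy(probe, ap);
    need = vsnprintf(NULL, 0, fmt, probe);
    va_end(probe);
    if (need < 0)
        return NULL;

    buf = malloc((size_t)need + 1);
    if (buf == NULL)
        return NULL;

    /* Second pass writes, with the exact size from the first pass. */
    wrote = vsnprintf(buf, (size_t)need + 1, fmt, ap);
    if (wrote != need) {
        free(buf);
        return NULL;
    }
    return buf;
}

char *format_alloc(const char *fmt, ...)
{
    va_list ap;
    char *out;

    va_start(ap, fmt);
    out = format_alloc_v(fmt, ap);
    va_end(ap);
    return out;
}

int main(void)
{
    /* Constructed sample input, not taken from a Nessus session. */
    char *line = format_alloc("%s <|> %d", "max_hosts", 16);
    if (line != NULL) { puts(line); free(line); }
    return format_alloc(NULL) == NULL ? 0 : 1;
}
```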