OpenVAS Scanner  7.0.0~git
attack.c
Go to the documentation of this file.
1 /* Portions Copyright (C) 2009-2019 Greenbone Networks GmbH
2  * Portions Copyright (C) 2006 Software in the Public Interest, Inc.
3  * Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
4  *
5  * SPDX-License-Identifier: GPL-2.0-only
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License
9  * version 2 as published by the Free Software Foundation.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19  */
20 
26 #include "attack.h"
27 
28 #include "../misc/network.h" /* for auth_printf */
29 #include "../misc/nvt_categories.h" /* for ACT_INIT */
30 #include "../misc/pcap_openvas.h" /* for v6_is_local_ip */
31 #include "../nasl/nasl_debug.h" /* for nasl_*_filename */
32 #include "hosts.h"
33 #include "pluginlaunch.h"
34 #include "pluginload.h"
35 #include "pluginscheduler.h"
36 #include "plugs_req.h"
37 #include "processes.h"
38 #include "sighand.h"
39 #include "utils.h"
40 
41 #include <arpa/inet.h> /* for inet_ntoa() */
42 #include <errno.h> /* for errno() */
43 #include <fcntl.h>
44 #include <glib.h>
45 #include <gvm/base/hosts.h>
46 #include <gvm/base/networking.h>
47 #include <gvm/base/prefs.h> /* for prefs_get() */
48 #include <gvm/base/proctitle.h>
49 #include <gvm/util/nvticache.h> /* for nvticache_t */
50 #include <stdlib.h> /* for exit() */
51 #include <string.h> /* for strlen() */
52 #include <sys/wait.h> /* for waitpid() */
53 #include <unistd.h> /* for close() */
54 
55 #define ERR_HOST_DEAD -1
56 #define ERR_CANT_FORK -2
57 
58 #define MAX_FORK_RETRIES 10
59 
62 #define KB_RETRY_DELAY 3 /*In sec*/
63 
70 #define PROGRESS_BAR_STYLE 1
71 
72 #undef G_LOG_DOMAIN
73 
76 #define G_LOG_DOMAIN "sd main"
77 
83 {
86  kb_t *net_kb;
87  kb_t host_kb;
88  gvm_host_t *host;
89 };
90 
92 {
93  NSS_NONE = 0,
96 };
97 
98 /*******************************************************
99 
100  PRIVATE FUNCTIONS
101 
102 ********************************************************/
103 
108 static int
109 set_kb_readable (int host_kb_index)
110 {
111  int i = atoi (prefs_get ("ov_maindbid"));
112  kb_t main_kb = NULL;
113 
114  main_kb = kb_direct_conn (prefs_get ("db_address"), i);
115  if (main_kb)
116  {
117  kb_item_add_int_unique (main_kb, "internal/dbindex", host_kb_index);
118  return 0;
119  }
120  g_warning ("Not possible to add the kb index %d to the list of "
121  "ready to read kb",
122  host_kb_index);
123  return -1;
124 }
125 
132 static void
133 set_scan_status (char *status)
134 {
135  int i = atoi (prefs_get ("ov_maindbid"));
136  kb_t main_kb = NULL;
137 
138  main_kb = kb_direct_conn (prefs_get ("db_address"), i);
139  if (main_kb)
140  {
141  char buffer[96];
142  char *scan_id = kb_item_get_str (main_kb, ("internal/scanid"));
143 
144  snprintf (buffer, sizeof (buffer), "internal/%s", scan_id);
145  kb_item_set_str (main_kb, buffer, status, 0);
146 
147  return;
148  }
149  g_warning ("Not possible to set the scan as finished");
150 }
151 
155 static int
156 comm_send_status (kb_t kb, char *hostname, int curr, int max)
157 {
158  char buffer[2048];
159 
160  if (!hostname || !kb)
161  return -1;
162 
163  if (strlen (hostname) > (sizeof (buffer) - 50))
164  return -1;
165 
166  snprintf (buffer, sizeof (buffer), "%d/%d", curr, max);
167  kb_item_push_str (kb, "internal/status", buffer);
168 
169  return 0;
170 }
171 
172 static void
173 error_message_to_client2 (kb_t kb, const char *msg, const char *port)
174 {
175  char buf[2048];
176 
177  sprintf (buf, "ERRMSG||| |||%s||| |||%s", port ?: " ", msg ?: "No error.");
178  kb_item_push_str (kb, "internal/results", buf);
179 }
180 
181 static void
182 report_kb_failure (int errcode)
183 {
184  gchar *msg;
185 
186  errcode = abs (errcode);
187  msg = g_strdup_printf ("WARNING: Cannot connect to KB at '%s': %s'",
188  prefs_get ("db_address"), strerror (errcode));
189  g_warning ("%s", msg);
190  g_free (msg);
191 }
192 
193 static void
194 fork_sleep (int n)
195 {
196  time_t then, now;
197 
198  now = then = time (NULL);
199  while (now - then < n)
200  {
201  waitpid (-1, NULL, WNOHANG);
202  usleep (10000);
203  now = time (NULL);
204  }
205 }
206 
207 static enum net_scan_status
209 {
210  gchar *nss;
211 
212  nss = globals->network_scan_status;
213  if (nss == NULL)
214  return NSS_NONE;
215 
216  if (g_ascii_strcasecmp (nss, "busy") == 0)
217  return NSS_BUSY;
218  else if (g_ascii_strcasecmp (nss, "done") == 0)
219  return NSS_DONE;
220  else
221  return NSS_NONE;
222 }
223 
225 
226 static int
228 {
229  return global_scan_stop;
230 }
231 
233 
234 static int
236 {
237  return global_stop_all_scans;
238 }
239 
247 static int
248 nvti_category_is_safe (int category)
249 {
250  /* XXX: Duplicated from openvas/nasl. */
251  if (category == ACT_DESTRUCTIVE_ATTACK || category == ACT_KILL_HOST
252  || category == ACT_FLOOD || category == ACT_DENIAL)
253  return 0;
254  return 1;
255 }
256 
266 static int
267 launch_plugin (struct scan_globals *globals, struct scheduler_plugin *plugin,
268  struct in6_addr *ip, GSList *vhosts, kb_t kb)
269 {
270  int optimize = prefs_get_bool ("optimize_test"), pid, ret = 0;
271  char *oid, *name, *error = NULL, ip_str[INET6_ADDRSTRLEN];
272  gboolean network_scan = FALSE;
273  nvti_t *nvti;
274 
275  addr6_to_str (ip, ip_str);
276  oid = plugin->oid;
277  nvti = nvticache_get_nvt (oid);
278 
279  /* eg. When NVT was moved/removed by a feed update during the scan. */
280  if (!nvti)
281  {
282  g_message ("Plugin '%s' missing from nvticache.", oid);
284  goto finish_launch_plugin;
285  }
287  {
288  if (nvti_category (nvti) != ACT_END)
289  {
291  goto finish_launch_plugin;
292  }
293  else
294  {
295  name = nvticache_get_filename (oid);
296  g_message ("Stopped scan wrap-up: Launching %s (%s)", name, oid);
297  g_free (name);
298  }
299  }
300 
301  if (network_scan_status (globals) == NSS_BUSY)
302  network_scan = TRUE;
303 
304  if (prefs_get_bool ("safe_checks")
305  && !nvti_category_is_safe (nvti_category (nvti)))
306  {
307  if (prefs_get_bool ("log_whole_attack"))
308  {
309  name = nvticache_get_filename (oid);
310  g_message ("Not launching %s (%s) against %s because safe checks are"
311  " enabled (this is not an error)",
312  name, oid, ip_str);
313  g_free (name);
314  }
316  goto finish_launch_plugin;
317  }
318 
319  if (network_scan)
320  {
321  char asc_id[100];
322 
323  assert (oid);
324  snprintf (asc_id, sizeof (asc_id), "Launched/%s", oid);
325 
326  if (kb_item_get_int (kb, asc_id) > 0)
327  {
328  if (prefs_get_bool ("log_whole_attack"))
329  g_message ("Not launching %s against %s because it has already "
330  "been lanched in the past (this is not an error)",
331  oid, ip_str);
333  goto finish_launch_plugin;
334  }
335  else
336  kb_item_set_int (kb, asc_id, 1);
337  }
338 
339  /* Do not launch NVT if mandatory key is missing (e.g. an important tool
340  * was not found). This is ignored during network wide scanning phases. */
341  if (!network_scan && !mandatory_requirements_met (kb, nvti))
342  error = "because a mandatory key is missing";
343  if (error || (optimize && (error = requirements_plugin (kb, nvti))))
344  {
346  if (prefs_get_bool ("log_whole_attack"))
347  {
348  name = nvticache_get_filename (oid);
349  g_message (
350  "Not launching %s (%s) against %s %s (this is not an error)", name,
351  oid, ip_str, error);
352  g_free (name);
353  }
354  goto finish_launch_plugin;
355  }
356 
357  /* Stop the test if the host is 'dead' */
358  if (kb_item_get_int (kb, "Host/dead") > 0)
359  {
360  g_message ("The remote host %s is dead", ip_str);
363  ret = ERR_HOST_DEAD;
364  goto finish_launch_plugin;
365  }
366 
367  /* Start the plugin */
368  pid = plugin_launch (globals, plugin, ip, vhosts, kb, nvti);
369  if (pid < 0)
370  {
372  ret = ERR_CANT_FORK;
373  goto finish_launch_plugin;
374  }
375 
376  if (prefs_get_bool ("log_whole_attack"))
377  {
378  name = nvticache_get_filename (oid);
379  g_message ("Launching %s (%s) against %s [%d]", name, oid, ip_str, pid);
380  g_free (name);
381  }
382 
383 finish_launch_plugin:
384  nvti_free (nvti);
385  return ret;
386 }
387 
388 static int
389 kb_duplicate (kb_t dst, kb_t src, const gchar *filter)
390 {
391  struct kb_item *items, *p_itm;
392 
393  items = kb_item_get_pattern (src, filter ? filter : "*");
394  for (p_itm = items; p_itm != NULL; p_itm = p_itm->next)
395  {
396  gchar *newname;
397 
398  newname = strstr (p_itm->name, "/");
399  if (newname == NULL)
400  newname = p_itm->name;
401  else
402  newname += 1; /* Skip the '/' */
403 
404  kb_item_add_str (dst, newname, p_itm->v_str, 0);
405  }
406  return 0;
407 }
408 
420 static kb_t
421 init_host_kb (struct scan_globals *globals, char *ip_str, kb_t *network_kb)
422 {
423  kb_t kb;
424  gchar *hostname_pattern;
425  enum net_scan_status nss;
426  const gchar *kb_path = prefs_get ("db_address");
427  int rc;
428 
429  nss = network_scan_status (globals);
430  switch (nss)
431  {
432  case NSS_DONE:
433  rc = kb_new (&kb, kb_path);
434  if (rc)
435  {
436  report_kb_failure (rc);
437  return NULL;
438  }
439 
440  hostname_pattern = g_strdup_printf ("%s/*", ip_str);
441  kb_duplicate (kb, *network_kb, hostname_pattern);
442  g_free (hostname_pattern);
443  break;
444 
445  case NSS_BUSY:
446  assert (network_kb != NULL);
447  assert (*network_kb != NULL);
448  kb = *network_kb;
449  break;
450 
451  default:
452  rc = kb_new (&kb, kb_path);
453  if (rc)
454  {
455  report_kb_failure (rc);
456  return NULL;
457  }
458  }
459 
460  return kb;
461 }
462 
463 static kb_t host_kb = NULL;
464 static GSList *host_vhosts = NULL;
465 
474 static void
476 {
477  char *value;
478 
479  while ((value = kb_item_pop_str (host_kb, "internal/vhosts")))
480  {
481  /* Get the source. */
482  char buffer[4096], *source;
483  gvm_vhost_t *vhost;
484 
485  g_snprintf (buffer, sizeof (buffer), "internal/source/%s", value);
486  source = kb_item_pop_str (host_kb, buffer);
487  assert (source);
488  vhost = gvm_vhost_new (value, source);
489  host_vhosts = g_slist_append (host_vhosts, vhost);
490  }
491 }
492 
496 static void
497 attack_host (struct scan_globals *globals, struct in6_addr *ip, GSList *vhosts,
498  plugins_scheduler_t sched, kb_t kb, kb_t *net_kb)
499 {
500  /* Used for the status */
501  int num_plugs, forks_retry = 0;
502  char ip_str[INET6_ADDRSTRLEN];
503 
504  addr6_to_str (ip, ip_str);
505  openvas_signal (SIGUSR2, check_new_vhosts);
506  host_kb = kb;
507  host_vhosts = vhosts;
508  kb_item_set_str (kb, "internal/ip", ip_str, 0);
509  kb_item_set_int (kb, "internal/hostpid", getpid ());
510  proctitle_set ("openvas: testing %s", ip_str);
511  if (net_kb && *net_kb)
512  {
513  kb_delete (kb);
514  kb = init_host_kb (globals, ip_str, net_kb);
515  if (kb == NULL)
516  return;
517  }
518  kb_lnk_reset (kb);
519 
520  /* launch the plugins */
521  pluginlaunch_init (ip_str);
522  num_plugs = plugins_scheduler_count_active (sched);
523  for (;;)
524  {
525  struct scheduler_plugin *plugin;
526  pid_t parent;
527 
528  /* Check that our father is still alive */
529  parent = getppid ();
530  if (parent <= 1 || process_alive (parent) == 0)
531  {
533  return;
534  }
535 
536  if (scan_is_stopped ())
537  plugins_scheduler_stop (sched);
538  plugin = plugins_scheduler_next (sched);
539  if (plugin != NULL && plugin != PLUG_RUNNING)
540  {
541  int e;
542  static int last_status = 0, cur_plug = 0;
543 
544  again:
545  e = launch_plugin (globals, plugin, ip, host_vhosts, kb);
546  if (e < 0)
547  {
548  /*
549  * Remote host died
550  */
551  if (e == ERR_HOST_DEAD)
552  {
553  char buffer[2048];
554  snprintf (
555  buffer, sizeof (buffer),
556  "LOG||| |||general/Host_Details||| |||<host><detail>"
557  "<name>Host dead</name><value>1</value><source>"
558  "<description/><type/><name/></source></detail></host>");
559 #if (PROGRESS_BAR_STYLE == 1)
560  /* In case of a dead host, it sends max_ports = -1 to the
561  manager. The host will not be taken into account to
562  calculate the scan progress. */
563  comm_send_status (kb, ip_str, 0, -1);
564 #endif
565  kb_item_push_str (kb, "internal/results", buffer);
566  goto host_died;
567  }
568  else if (e == ERR_CANT_FORK)
569  {
570  if (forks_retry < MAX_FORK_RETRIES)
571  {
572  forks_retry++;
573  g_debug ("fork() failed - sleeping %d seconds (%s)",
574  forks_retry, strerror (errno));
575  fork_sleep (forks_retry);
576  goto again;
577  }
578  else
579  {
580  g_debug ("fork() failed too many times - aborting");
581  goto host_died;
582  }
583  }
584  }
585 
586  if ((cur_plug * 100) / num_plugs >= last_status && !scan_is_stopped ()
587  && !all_scans_are_stopped ())
588  {
589  last_status = (cur_plug * 100) / num_plugs + 2;
590  if (comm_send_status (kb, ip_str, cur_plug, num_plugs) < 0)
591  {
593  goto host_died;
594  }
595  }
596  cur_plug++;
597  }
598  else if (plugin == NULL)
599  break;
601  }
602 
603  pluginlaunch_wait (kb);
604  if (!scan_is_stopped () && !all_scans_are_stopped ())
605  comm_send_status (kb, ip_str, num_plugs, num_plugs);
606 
607 host_died:
609  plugins_scheduler_free (sched);
610 }
611 
612 /*
613  * Checks if a host is authorized to be scanned.
614  *
615  * @param[in] host Host to check access to.
616  * @param[in] addr Pointer to address so a hostname isn't resolved multiple
617  * times.
618  * @param[in] hosts_allow Hosts whitelist.
619  * @param[in] hosts_deny Hosts blacklist.
620  *
621  * @return 1 if host authorized, 0 otherwise.
622  */
623 static int
624 host_authorized (const gvm_host_t *host, const struct in6_addr *addr,
625  const gvm_hosts_t *hosts_allow, const gvm_hosts_t *hosts_deny)
626 {
627  /* Check Hosts Access. */
628  if (host == NULL)
629  return 0;
630 
631  if (hosts_deny && gvm_host_in_hosts (host, addr, hosts_deny))
632  return 0;
633  if (hosts_allow && !gvm_host_in_hosts (host, addr, hosts_allow))
634  return 0;
635 
636  return 1;
637 }
638 
639 /*
640  * Converts the vhosts list to a comma-separated char string.
641  *
642  * @param[in] list Linked-list to convert.
643  *
644  * @return NULL if empty list, char string otherwise.
645  */
646 static char *
648 {
649  GString *string;
650 
651  if (!list)
652  return NULL;
653  string = g_string_new (((gvm_vhost_t *) list->data)->value);
654  if (g_slist_length (list) == 1)
655  return g_string_free (string, FALSE);
656  list = list->next;
657  while (list)
658  {
659  g_string_append (string, ", ");
660  g_string_append (string, ((gvm_vhost_t *) list->data)->value);
661  list = list->next;
662  }
663  return g_string_free (string, FALSE);
664 }
665 
666 /*
667  * Check if a scan is authorized on a host.
668  *
669  * @param[in] host Host to check access to.
670  * @param[in] addr Pointer to address so a hostname isn't resolved multiple
671  * times.
672  * @param[in] kb Host scan KB.
673  *
674  * @return 0 if authorized, -1 otherwise.
675  */
676 static int
677 check_host_authorization (gvm_host_t *host, const struct in6_addr *addr,
678  kb_t kb)
679 {
680  gvm_hosts_t *hosts_allow, *hosts_deny;
681  gvm_hosts_t *sys_hosts_allow, *sys_hosts_deny;
682 
683  /* Do we have the right to test this host ? */
684  hosts_allow = gvm_hosts_new (prefs_get ("hosts_allow"));
685  hosts_deny = gvm_hosts_new (prefs_get ("hosts_deny"));
686  if (!host_authorized (host, addr, hosts_allow, hosts_deny))
687  {
688  error_message_to_client2 (kb, "Host access denied.", NULL);
689  return -1;
690  }
691  sys_hosts_allow = gvm_hosts_new (prefs_get ("sys_hosts_allow"));
692  sys_hosts_deny = gvm_hosts_new (prefs_get ("sys_hosts_deny"));
693  if (!host_authorized (host, addr, sys_hosts_allow, sys_hosts_deny))
694  {
696  kb, "Host access denied (system-wide restriction.)", NULL);
697  return -1;
698  }
699 
700  gvm_hosts_free (hosts_allow);
701  gvm_hosts_free (hosts_deny);
702  gvm_hosts_free (sys_hosts_allow);
703  gvm_hosts_free (sys_hosts_deny);
704  return 0;
705 }
706 
710 static void
712 {
713  struct scan_globals *globals = args->globals;
714  char ip_str[INET6_ADDRSTRLEN], *hostnames;
715  struct in6_addr hostip;
716  struct timeval then;
717  kb_t *net_kb = args->net_kb, kb = args->host_kb;
718  int ret;
719 
720  nvticache_reset ();
721  kb_lnk_reset (kb);
722  gettimeofday (&then, NULL);
723 
724  kb_item_set_str (kb, "internal/scan_id", globals->scan_id, 0);
725  set_kb_readable (kb_get_kb_index (kb));
726 
727  /* The reverse lookup is delayed to this step in order to not slow down the
728  * main scan process eg. case of target with big range of IP addresses. */
729  if (prefs_get_bool ("expand_vhosts"))
730  gvm_host_add_reverse_lookup (args->host);
731  if ((ret = gvm_vhosts_exclude (args->host, prefs_get ("exclude_hosts"))) > 0)
732  g_message ("exclude_hosts: Skipped %d vhost(s).", ret);
733  gvm_host_get_addr6 (args->host, &hostip);
734  addr6_to_str (&hostip, ip_str);
735  if (check_host_authorization (args->host, &hostip, kb))
736  {
737  g_warning ("Host %s access denied.", ip_str);
738  return;
739  }
740  if (prefs_get_bool ("test_empty_vhost"))
741  {
742  gvm_vhost_t *vhost =
743  gvm_vhost_new (g_strdup (ip_str), g_strdup ("IP-address"));
744  args->host->vhosts = g_slist_prepend (args->host->vhosts, vhost);
745  }
746  hostnames = vhosts_to_str (args->host->vhosts);
747  if (hostnames)
748  g_message ("Testing %s (Vhosts: %s) [%d]", ip_str, hostnames, getpid ());
749  else
750  g_message ("Testing %s [%d]", ip_str, getpid ());
751  g_free (hostnames);
752  attack_host (globals, &hostip, args->host->vhosts, args->sched, kb, net_kb);
753 
754  if (!scan_is_stopped () && !all_scans_are_stopped ())
755  {
756  char key[1024];
757  struct timeval now;
758 
759  snprintf (key, sizeof (key), "internal/%s", globals->scan_id);
760  kb_item_set_str (kb, key, "finished", 0);
761 
762  gettimeofday (&now, NULL);
763  if (now.tv_usec < then.tv_usec)
764  {
765  then.tv_sec++;
766  now.tv_usec += 1000000;
767  }
768  g_message ("Finished testing %s. Time : %ld.%.2ld secs", ip_str,
769  (long) (now.tv_sec - then.tv_sec),
770  (long) ((now.tv_usec - then.tv_usec) / 10000));
771  }
772 }
773 
774 static void
776 {
777  const char *ordering = prefs_get ("hosts_ordering"),
778  *exclude_hosts = prefs_get ("exclude_hosts");
779 
780  if (hosts == NULL)
781  return;
782 
783  /* Hosts ordering strategy: sequential, random, reversed... */
784  if (ordering)
785  {
786  if (!strcmp (ordering, "random"))
787  {
788  gvm_hosts_shuffle (hosts);
789  g_debug ("hosts_ordering: Random.");
790  }
791  else if (!strcmp (ordering, "reverse"))
792  {
793  gvm_hosts_reverse (hosts);
794  g_debug ("hosts_ordering: Reverse.");
795  }
796  }
797  else
798  g_debug ("hosts_ordering: Sequential.");
799 
800  /* Exclude hosts ? */
801  if (exclude_hosts)
802  {
803  /* Exclude hosts, resolving hostnames. */
804  int ret = gvm_hosts_exclude (hosts, exclude_hosts);
805 
806  if (ret > 0)
807  g_message ("exclude_hosts: Skipped %d host(s).", ret);
808  if (ret < 0)
809  g_message ("exclude_hosts: Error.");
810  }
811 
812  /* Reverse-lookup unify ? */
813  if (prefs_get_bool ("reverse_lookup_unify"))
814  g_debug ("reverse_lookup_unify: Skipped %d host(s).",
815  gvm_hosts_reverse_lookup_unify (hosts));
816 
817  /* Hosts that reverse-lookup only ? */
818  if (prefs_get_bool ("reverse_lookup_only"))
819  g_debug ("reverse_lookup_only: Skipped %d host(s).",
820  gvm_hosts_reverse_lookup_only (hosts));
821 }
822 
823 static int
824 str_in_comma_list (const char *str, const char *comma_list)
825 {
826  gchar **element, **split;
827 
828  if (str == NULL || comma_list == NULL)
829  return 0;
830 
831  split = g_strsplit (comma_list, ",", 0);
832  element = split;
833  while (*element)
834  {
835  gchar *stripped = g_strstrip (*element);
836 
837  if (stripped && strcmp (stripped, str) == 0)
838  {
839  g_strfreev (split);
840  return 1;
841  }
842 
843  element++;
844  }
845 
846  g_strfreev (split);
847  return 0;
848 }
849 
850 /*
851  * Checks if a network interface is authorized to be used as source interface.
852  *
853  * @return 0 if iface is NULL, -1 if unauthorized by ifaces_deny/ifaces_allow,
854  * -2 if by sys_ifaces_deny/sys_ifaces_allow, 1 otherwise.
855  */
856 static int
857 iface_authorized (const char *iface)
858 {
859  const char *ifaces_list;
860 
861  if (iface == NULL)
862  return 0;
863 
864  ifaces_list = prefs_get ("ifaces_deny");
865  if (ifaces_list && str_in_comma_list (iface, ifaces_list))
866  return -1;
867  ifaces_list = prefs_get ("ifaces_allow");
868  if (ifaces_list && !str_in_comma_list (iface, ifaces_list))
869  return -1;
870  /* sys_* preferences are similar, but can't be overridden by the client. */
871  ifaces_list = prefs_get ("sys_ifaces_deny");
872  if (ifaces_list && str_in_comma_list (iface, ifaces_list))
873  return -2;
874  ifaces_list = prefs_get ("sys_ifaces_allow");
875  if (ifaces_list && !str_in_comma_list (iface, ifaces_list))
876  return -2;
877 
878  return 1;
879 }
880 
881 /*
882  * Applies the source_iface scanner preference, if allowed by ifaces_allow and
883  * ifaces_deny preferences.
884  *
885  * @return 0 if source_iface preference applied or not found, -1 if
886  * unauthorized value, -2 if iface can't be used.
887  */
888 static int
890 {
891  const char *source_iface = prefs_get ("source_iface");
892  int ret;
893 
894  if (source_iface == NULL)
895  return 0;
896 
897  ret = iface_authorized (source_iface);
898  if (ret == -1)
899  {
900  gchar *msg =
901  g_strdup_printf ("Unauthorized source interface: %s", source_iface);
902  g_warning ("source_iface: Unauthorized source interface %s.",
903  source_iface);
904 
905  g_free (msg);
906  return -1;
907  }
908  else if (ret == -2)
909  {
910  gchar *msg = g_strdup_printf ("Unauthorized source interface: %s"
911  " (system-wide restriction.)",
912  source_iface);
913  g_warning ("source_iface: Unauthorized source interface %s."
914  " (sys_* preference restriction.)",
915  source_iface);
916 
917  g_free (msg);
918  return -1;
919  }
920 
921  if (gvm_source_iface_init (source_iface))
922  {
923  gchar *msg =
924  g_strdup_printf ("Erroneous source interface: %s", source_iface);
925  g_debug ("source_iface: Error with %s interface.", source_iface);
926 
927  g_free (msg);
928  return -2;
929  }
930  else
931  {
932  char *ipstr, *ip6str;
933  ipstr = gvm_source_addr_str ();
934  ip6str = gvm_source_addr6_str ();
935  g_debug ("source_iface: Using %s (%s / %s).", source_iface, ipstr,
936  ip6str);
937 
938  g_free (ipstr);
939  g_free (ip6str);
940  return 0;
941  }
942 }
943 
944 static int
946 {
947  int rc;
948  kb_t kb;
949 
950  rc = kb_new (&kb, prefs_get ("db_address"));
951  if (rc)
952  report_kb_failure (rc);
953  else
954  kb_delete (kb);
955 
956  return rc;
957 }
958 
959 static void
961 {
963  global_scan_stop = 1;
964 }
965 
966 static void
968 {
970  hosts_stop_all ();
971 }
972 
976 void
977 attack_network (struct scan_globals *globals, kb_t *network_kb)
978 {
979  int max_hosts = 0, max_checks;
980  const char *hostlist;
981  gvm_host_t *host;
982  plugins_scheduler_t sched;
983  int fork_retries = 0;
984  GHashTable *files;
985  struct timeval then, now;
986  gvm_hosts_t *hosts;
987  const gchar *network_targets, *port_range;
988  gboolean network_phase = FALSE;
989  gboolean do_network_scan = FALSE;
990  kb_t host_kb;
991  GSList *unresolved;
992 
993  gettimeofday (&then, NULL);
994 
995  if (prefs_get_bool ("network_scan"))
996  do_network_scan = TRUE;
997  else
998  do_network_scan = FALSE;
999 
1000  network_targets = prefs_get ("network_targets");
1001  if (network_targets != NULL)
1002  globals->network_targets = g_strdup (network_targets);
1003 
1004  if (do_network_scan)
1005  {
1006  enum net_scan_status nss;
1007 
1008  nss = network_scan_status (globals);
1009  switch (nss)
1010  {
1011  case NSS_DONE:
1012  network_phase = FALSE;
1013  break;
1014 
1015  case NSS_BUSY:
1016  network_phase = TRUE;
1017  break;
1018 
1019  default:
1020  globals->network_scan_status = g_strdup ("busy");
1021  network_phase = TRUE;
1022  break;
1023  }
1024  }
1025  else
1026  network_kb = NULL;
1027 
1028  if (check_kb_access ())
1029  return;
1030 
1031  /* Init and check Target List */
1032  hostlist = prefs_get ("TARGET");
1033  if (hostlist == NULL)
1034  {
1035  return;
1036  }
1037 
1038  /* Verify the port range is a valid one */
1039  port_range = prefs_get ("port_range");
1040  if (validate_port_range (port_range))
1041  {
1042  return;
1043  }
1044 
1045  /* Initialize the attack. */
1046  sched = plugins_scheduler_init (prefs_get ("plugin_set"),
1047  prefs_get_bool ("auto_enable_dependencies"),
1048  network_phase);
1049  if (!sched)
1050  {
1051  g_message ("Couldn't initialize the plugin scheduler");
1052  return;
1053  }
1054 
1055  max_hosts = get_max_hosts_number ();
1056  max_checks = get_max_checks_number ();
1057 
1058  if (network_phase)
1059  {
1060  if (network_targets == NULL)
1061  {
1062  g_warning (
1063  "WARNING: In network phase, but without targets! Stopping.");
1064  host = NULL;
1065  }
1066  else
1067  {
1068  int rc;
1069 
1070  g_message ("Start a new scan. Target(s) : %s, "
1071  "in network phase with target %s",
1072  hostlist, network_targets);
1073 
1074  rc = kb_new (network_kb, prefs_get ("db_address"));
1075  if (rc)
1076  {
1077  report_kb_failure (rc);
1078  host = NULL;
1079  }
1080  else
1081  kb_lnk_reset (*network_kb);
1082  }
1083  }
1084  else
1085  g_message ("Starts a new scan. Target(s) : %s, with max_hosts = %d and "
1086  "max_checks = %d",
1087  hostlist, max_hosts, max_checks);
1088 
1089  hosts = gvm_hosts_new (hostlist);
1090  unresolved = gvm_hosts_resolve (hosts);
1091  while (unresolved)
1092  {
1093  g_warning ("Couldn't resolve hostname '%s'", (char *) unresolved->data);
1094  unresolved = unresolved->next;
1095  }
1096  g_slist_free_full (unresolved, g_free);
1097  /* Apply Hosts preferences. */
1099 
1100  /* Don't start if the provided interface is unauthorized. */
1101  if (apply_source_iface_preference () != 0)
1102  {
1103  gvm_hosts_free (hosts);
1104  return;
1105  }
1106  host = gvm_hosts_next (hosts);
1107  if (host == NULL)
1108  goto stop;
1109  hosts_init (max_hosts);
1110  /*
1111  * Start the attack !
1112  */
1115  while (host && !scan_is_stopped () && !all_scans_are_stopped ())
1116  {
1117  int pid, rc;
1118  struct attack_start_args args;
1119  char *host_str;
1120 
1121  do
1122  {
1123  rc = kb_new (&host_kb, prefs_get ("db_address"));
1124  if (rc < 0 && rc != -2)
1125  {
1126  report_kb_failure (rc);
1127  goto scan_stop;
1128  }
1129  else if (rc == -2)
1130  {
1131  sleep (KB_RETRY_DELAY);
1132  continue;
1133  }
1134  break;
1135  }
1136  while (1);
1137 
1138  host_str = gvm_host_value_str (host);
1139  if (hosts_new (host_str, host_kb) < 0)
1140  {
1141  g_free (host_str);
1142  goto scan_stop;
1143  }
1144 
1146  {
1147  g_free (host_str);
1148  continue;
1149  }
1150  args.host = host;
1151  args.globals = globals;
1152  args.sched = sched;
1153  args.net_kb = network_kb;
1154  args.host_kb = host_kb;
1155 
1156  forkagain:
1158  /* Close child process' socket. */
1159  if (pid < 0)
1160  {
1161  fork_retries++;
1162  if (fork_retries > MAX_FORK_RETRIES)
1163  {
1164  /* Forking failed - we go to the wait queue. */
1165  g_debug ("fork() failed - %s. %s won't be tested",
1166  strerror (errno), host_str);
1167  g_free (host_str);
1168  goto stop;
1169  }
1170 
1171  g_debug ("fork() failed - "
1172  "sleeping %d seconds and trying again...",
1173  fork_retries);
1174  fork_sleep (fork_retries);
1175  goto forkagain;
1176  }
1177  hosts_set_pid (host_str, pid);
1178  if (network_phase)
1179  g_message ("Testing %s (network level) [%d]", network_targets, pid);
1180 
1181  if (network_phase)
1182  {
1183  host = NULL;
1184  globals->network_scan_status = g_strdup ("done");
1185  }
1186  else
1187  host = gvm_hosts_next (hosts);
1188  g_free (host_str);
1189  }
1190 
1191  /* Every host is being tested... We have to wait for the processes
1192  * to terminate. */
1193  while (hosts_read () == 0)
1194  ;
1195  g_message ("Test complete");
1196  set_scan_status ("finished");
1197 
1198 scan_stop:
1199  /* Free the memory used by the files uploaded by the user, if any. */
1200  files = globals->files_translation;
1201  if (files)
1202  g_hash_table_destroy (files);
1203 
1204 stop:
1205 
1206  if (all_scans_are_stopped ())
1207  {
1208  }
1209 
1210  gvm_hosts_free (hosts);
1211  g_free (globals->network_scan_status);
1212  g_free (globals->network_targets);
1213 
1215 
1216  gettimeofday (&now, NULL);
1217  g_message ("Total time to scan all hosts : %ld seconds",
1218  now.tv_sec - then.tv_sec);
1219 
1220  if (do_network_scan && network_phase && !scan_is_stopped ()
1221  && !all_scans_are_stopped ())
1222  attack_network (globals, network_kb);
1223 }
kb_duplicate
static int kb_duplicate(kb_t dst, kb_t src, const gchar *filter)
Definition: attack.c:389
processes.h
processes.c header.
host_authorized
static int host_authorized(const gvm_host_t *host, const struct in6_addr *addr, const gvm_hosts_t *hosts_allow, const gvm_hosts_t *hosts_deny)
Definition: attack.c:624
scan_globals::network_targets
char * network_targets
Definition: scanneraux.h:34
ACT_FLOOD
@ ACT_FLOOD
Definition: nvt_categories.h:47
ERR_HOST_DEAD
#define ERR_HOST_DEAD
Definition: attack.c:55
plugins_scheduler_stop
void plugins_scheduler_stop(plugins_scheduler_t sched)
Definition: pluginscheduler.c:501
hosts_read
int hosts_read(void)
Returns -1 if client asked to stop all tests or connection was lost or error. 0 otherwise.
Definition: hosts.c:250
plugins_scheduler
Definition: pluginscheduler.c:49
launch_plugin
static int launch_plugin(struct scan_globals *globals, struct scheduler_plugin *plugin, struct in6_addr *ip, GSList *vhosts, kb_t kb)
Launches a nvt. Respects safe check preference (i.e. does not try.
Definition: attack.c:267
attack_start_args::host
gvm_host_t * host
Definition: attack.c:88
scheduler_plugin
Definition: pluginscheduler.h:40
attack_network
void attack_network(struct scan_globals *globals, kb_t *network_kb)
Attack a whole network.
Definition: attack.c:977
attack_start_args
Definition: attack.c:82
attack_host
static void attack_host(struct scan_globals *globals, struct in6_addr *ip, GSList *vhosts, plugins_scheduler_t sched, kb_t kb, kb_t *net_kb)
Attack one host.
Definition: attack.c:497
apply_source_iface_preference
static int apply_source_iface_preference()
Definition: attack.c:889
report_kb_failure
static void report_kb_failure(int errcode)
Definition: attack.c:182
iface_authorized
static int iface_authorized(const char *iface)
Definition: attack.c:857
fork_sleep
static void fork_sleep(int n)
Definition: attack.c:194
sighand.h
headerfile for sighand.c.
timeval
struct timeval timeval(unsigned long val)
Definition: nasl_builtin_synscan.c:105
pid
static pid_t pid
Definition: nasl_builtin_nmap.c:499
ERR_CANT_FORK
#define ERR_CANT_FORK
Definition: attack.c:56
plugins_scheduler_free
void plugins_scheduler_free(plugins_scheduler_t sched)
Definition: pluginscheduler.c:536
comm_send_status
static int comm_send_status(kb_t kb, char *hostname, int curr, int max)
Sends the status of a host's scan.
Definition: attack.c:156
PLUGIN_STATUS_DONE
@ PLUGIN_STATUS_DONE
Definition: pluginscheduler.h:37
plugins_scheduler_init
plugins_scheduler_t plugins_scheduler_init(const char *plugins_list, int autoload, int only_network)
Definition: pluginscheduler.c:310
ACT_END
@ ACT_END
Definition: nvt_categories.h:48
name
const char * name
Definition: nasl_init.c:377
plugins_scheduler_count_active
int plugins_scheduler_count_active(plugins_scheduler_t sched)
Definition: pluginscheduler.c:343
openvas_signal
void(*)(int) openvas_signal(int signum, void(*handler)(int))
Definition: sighand.c:87
handle_stop_all_scans_signal
static void handle_stop_all_scans_signal()
Definition: attack.c:967
requirements_plugin
char * requirements_plugin(kb_t kb, nvti_t *nvti)
Determine if the plugin requirements are met.
Definition: plugs_req.c:264
host_vhosts
static GSList * host_vhosts
Definition: attack.c:464
NSS_NONE
@ NSS_NONE
Definition: attack.c:93
error_message_to_client2
static void error_message_to_client2(kb_t kb, const char *msg, const char *port)
Definition: attack.c:173
attack_start_args::globals
struct scan_globals * globals
Definition: attack.c:84
ACT_DENIAL
@ ACT_DENIAL
Definition: nvt_categories.h:45
pluginload.h
pluginload.c header.
scan_globals::files_translation
GHashTable * files_translation
Definition: scanneraux.h:36
hosts_init
int hosts_init(int max_hosts)
Definition: hosts.c:137
oid
const char * oid
Definition: nasl_builtin_find_service.c:57
max
#define max
Definition: nasl_wmi.c:48
scheduler_plugin::running_state
enum plugin_status running_state
Definition: pluginscheduler.h:44
attack.h
attack.c header.
network_scan_status
static enum net_scan_status network_scan_status(struct scan_globals *globals)
Definition: attack.c:208
str_in_comma_list
static int str_in_comma_list(const char *str, const char *comma_list)
Definition: attack.c:824
utils.h
utils.c headerfile.
hosts_new
int hosts_new(char *name, kb_t kb)
Definition: hosts.c:144
KB_RETRY_DELAY
#define KB_RETRY_DELAY
Definition: attack.c:62
pluginlaunch_init
void pluginlaunch_init(const char *host)
Definition: pluginlaunch.c:265
pluginlaunch_wait
void pluginlaunch_wait(kb_t kb)
Waits and 'pushes' processes until num_running_processes is 0.
Definition: pluginlaunch.c:370
check_kb_access
static int check_kb_access()
Definition: attack.c:945
check_host_authorization
static int check_host_authorization(gvm_host_t *host, const struct in6_addr *addr, kb_t kb)
Definition: attack.c:677
set_scan_status
static void set_scan_status(char *status)
Set scan status. This helps ospd-openvas to identify if a scan crashed or finished cleanly.
Definition: attack.c:133
vhosts_to_str
static char * vhosts_to_str(GSList *list)
Definition: attack.c:647
create_process
pid_t create_process(process_func_t function, void *argument)
Create a new process (fork).
Definition: processes.c:97
process_func_t
void(* process_func_t)(void *)
Definition: processes.h:31
net_scan_status
net_scan_status
Definition: attack.c:91
process_alive
int process_alive(pid_t pid)
Definition: utils.c:204
scan_globals
Definition: scanneraux.h:32
PLUG_RUNNING
#define PLUG_RUNNING
Definition: pluginscheduler.h:49
host_kb
static kb_t host_kb
Definition: attack.c:463
scheduler_plugin::oid
char * oid
Definition: pluginscheduler.h:42
attack_start_args::sched
plugins_scheduler_t sched
Definition: attack.c:85
PLUGIN_STATUS_UNRUN
@ PLUGIN_STATUS_UNRUN
Definition: pluginscheduler.h:35
plugin_launch
int plugin_launch(struct scan_globals *globals, struct scheduler_plugin *plugin, struct in6_addr *ip, GSList *vhosts, kb_t kb, nvti_t *nvti)
Definition: pluginlaunch.c:343
scan_is_stopped
static int scan_is_stopped()
Definition: attack.c:227
scan_globals::network_scan_status
char * network_scan_status
Definition: scanneraux.h:35
init_host_kb
static kb_t init_host_kb(struct scan_globals *globals, char *ip_str, kb_t *network_kb)
Inits or loads the knowledge base for a single host.
Definition: attack.c:421
host
Host information, implemented as doubly linked list.
Definition: hosts.c:46
attack_start
static void attack_start(struct attack_start_args *args)
Set up some data and jump into attack_host()
Definition: attack.c:711
get_max_checks_number
int get_max_checks_number(void)
Definition: utils.c:174
NSS_BUSY
@ NSS_BUSY
Definition: attack.c:94
hosts_stop_all
void hosts_stop_all(void)
Definition: hosts.c:196
handle_scan_stop_signal
static void handle_scan_stop_signal()
Definition: attack.c:960
MAX_FORK_RETRIES
#define MAX_FORK_RETRIES
Definition: attack.c:58
mandatory_requirements_met
int mandatory_requirements_met(kb_t kb, nvti_t *nvti)
Check whether mandatory requirements for plugin are met.
Definition: plugs_req.c:247
pluginlaunch_wait_for_free_process
void pluginlaunch_wait_for_free_process(kb_t kb)
Waits and 'pushes' processes until the number of running processes has changed.
Definition: pluginlaunch.c:403
pluginscheduler.h
header for pluginscheduler.c
hostname
const char * hostname
Definition: pluginlaunch.c:76
pluginlaunch.h
pluginlaunch.c header.
check_new_vhosts
static void check_new_vhosts()
Check if a plugin process pushed a new vhost value.
Definition: attack.c:475
NSS_DONE
@ NSS_DONE
Definition: attack.c:95
attack_start_args::net_kb
kb_t * net_kb
Definition: attack.c:86
get_max_hosts_number
int get_max_hosts_number(void)
Definition: utils.c:143
ACT_KILL_HOST
@ ACT_KILL_HOST
Definition: nvt_categories.h:46
all_scans_are_stopped
static int all_scans_are_stopped()
Definition: attack.c:235
pluginlaunch_stop
void pluginlaunch_stop()
Definition: pluginlaunch.c:302
nvti_category_is_safe
static int nvti_category_is_safe(int category)
Checks that an NVT category is safe.
Definition: attack.c:248
list::next
struct list * next
Definition: nasl_builtin_synscan.c:265
hosts_set_pid
int hosts_set_pid(char *name, pid_t pid)
Definition: hosts.c:169
hosts
static struct host * hosts
Definition: hosts.c:58
ACT_DESTRUCTIVE_ATTACK
@ ACT_DESTRUCTIVE_ATTACK
Definition: nvt_categories.h:44
scan_globals::scan_id
char * scan_id
Definition: scanneraux.h:38
set_kb_readable
static int set_kb_readable(int host_kb_index)
Add the Host KB index to the list of readable KBs used by ospd-openvas.
Definition: attack.c:109
attack_start_args::host_kb
kb_t host_kb
Definition: attack.c:87
global_stop_all_scans
int global_stop_all_scans
Definition: attack.c:232
plugins_scheduler_next
struct scheduler_plugin * plugins_scheduler_next(plugins_scheduler_t h)
Definition: pluginscheduler.c:444
plugs_req.h
plugs_req.c header.
network_targets
tree_cell * network_targets(lex_ctxt *lexic)
Definition: nasl_scanner_glue.c:635
global_scan_stop
int global_scan_stop
Definition: attack.c:224
list
Definition: nasl_builtin_synscan.c:259
apply_hosts_preferences
static void apply_hosts_preferences(gvm_hosts_t *hosts)
Definition: attack.c:775
hosts.h
hosts.c header.