OpenVAS Scanner  7.0.1~git
attack.c
Go to the documentation of this file.
1 /* Portions Copyright (C) 2009-2019 Greenbone Networks GmbH
2  * Portions Copyright (C) 2006 Software in the Public Interest, Inc.
3  * Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
4  *
5  * SPDX-License-Identifier: GPL-2.0-only
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License
9  * version 2 as published by the Free Software Foundation.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19  */
20 
26 #include "attack.h"
27 
28 #include "../misc/network.h" /* for auth_printf */
29 #include "../misc/nvt_categories.h" /* for ACT_INIT */
30 #include "../misc/pcap_openvas.h" /* for v6_is_local_ip */
31 #include "../nasl/nasl_debug.h" /* for nasl_*_filename */
32 #include "hosts.h"
33 #include "pluginlaunch.h"
34 #include "pluginload.h"
35 #include "pluginscheduler.h"
36 #include "plugs_req.h"
37 #include "processes.h"
38 #include "sighand.h"
39 #include "utils.h"
40 
41 #include <arpa/inet.h> /* for inet_ntoa() */
42 #include <errno.h> /* for errno() */
43 #include <fcntl.h>
44 #include <glib.h>
45 #include <gvm/base/hosts.h>
46 #include <gvm/base/networking.h>
47 #include <gvm/base/prefs.h> /* for prefs_get() */
48 #include <gvm/base/proctitle.h>
49 #include <gvm/util/nvticache.h> /* for nvticache_t */
50 #include <stdlib.h> /* for exit() */
51 #include <string.h> /* for strlen() */
52 #include <sys/wait.h> /* for waitpid() */
53 #include <unistd.h> /* for close() */
54 
55 #define ERR_HOST_DEAD -1
56 #define ERR_CANT_FORK -2
57 
58 #define MAX_FORK_RETRIES 10
59 
62 #define KB_RETRY_DELAY 3 /*In sec*/
63 
70 #define PROGRESS_BAR_STYLE 1
71 
72 #undef G_LOG_DOMAIN
73 
76 #define G_LOG_DOMAIN "sd main"
77 
83 {
86  kb_t *net_kb;
87  kb_t host_kb;
88  gvm_host_t *host;
89 };
90 
92 {
93  NSS_NONE = 0,
96 };
97 
98 /*******************************************************
99 
100  PRIVATE FUNCTIONS
101 
102 ********************************************************/
103 
108 static int
109 set_kb_readable (int host_kb_index)
110 {
111  int i = atoi (prefs_get ("ov_maindbid"));
112  kb_t main_kb = NULL;
113 
114  main_kb = kb_direct_conn (prefs_get ("db_address"), i);
115  if (main_kb)
116  {
117  kb_item_add_int_unique (main_kb, "internal/dbindex", host_kb_index);
118  return 0;
119  }
120  g_warning ("Not possible to add the kb index %d to the list of "
121  "ready to read kb",
122  host_kb_index);
123  return -1;
124 }
125 
132 static void
133 set_scan_status (char *status)
134 {
135  int i = atoi (prefs_get ("ov_maindbid"));
136  kb_t main_kb = NULL;
137 
138  main_kb = kb_direct_conn (prefs_get ("db_address"), i);
139  if (main_kb)
140  {
141  char buffer[96];
142  char *scan_id = kb_item_get_str (main_kb, ("internal/scanid"));
143 
144  snprintf (buffer, sizeof (buffer), "internal/%s", scan_id);
145  kb_item_set_str (main_kb, buffer, status, 0);
146 
147  return;
148  }
149  g_warning ("Not possible to set the scan as finished");
150 }
151 
155 static int
156 comm_send_status (kb_t kb, char *hostname, int curr, int max)
157 {
158  char buffer[2048];
159 
160  if (!hostname || !kb)
161  return -1;
162 
163  if (strlen (hostname) > (sizeof (buffer) - 50))
164  return -1;
165 
166  snprintf (buffer, sizeof (buffer), "%d/%d", curr, max);
167  kb_item_push_str (kb, "internal/status", buffer);
168 
169  return 0;
170 }
171 
172 static void
173 error_message_to_client2 (kb_t kb, const char *msg, const char *port)
174 {
175  char buf[2048];
176 
177  sprintf (buf, "ERRMSG||| |||%s||| |||%s", port ?: " ", msg ?: "No error.");
178  kb_item_push_str (kb, "internal/results", buf);
179 }
180 
181 static void
182 report_kb_failure (int errcode)
183 {
184  gchar *msg;
185 
186  errcode = abs (errcode);
187  msg = g_strdup_printf ("WARNING: Cannot connect to KB at '%s': %s'",
188  prefs_get ("db_address"), strerror (errcode));
189  g_warning ("%s", msg);
190  g_free (msg);
191 }
192 
193 static void
194 fork_sleep (int n)
195 {
196  time_t then, now;
197 
198  now = then = time (NULL);
199  while (now - then < n)
200  {
201  waitpid (-1, NULL, WNOHANG);
202  usleep (10000);
203  now = time (NULL);
204  }
205 }
206 
207 static enum net_scan_status
209 {
210  gchar *nss;
211 
212  nss = globals->network_scan_status;
213  if (nss == NULL)
214  return NSS_NONE;
215 
216  if (g_ascii_strcasecmp (nss, "busy") == 0)
217  return NSS_BUSY;
218  else if (g_ascii_strcasecmp (nss, "done") == 0)
219  return NSS_DONE;
220  else
221  return NSS_NONE;
222 }
223 
225 
226 static int
228 {
229  return global_scan_stop;
230 }
231 
239 static int
240 nvti_category_is_safe (int category)
241 {
242  /* XXX: Duplicated from openvas/nasl. */
243  if (category == ACT_DESTRUCTIVE_ATTACK || category == ACT_KILL_HOST
244  || category == ACT_FLOOD || category == ACT_DENIAL)
245  return 0;
246  return 1;
247 }
248 
249 static kb_t host_kb = NULL;
250 static GSList *host_vhosts = NULL;
251 static int check_new_vhosts_flag = 0;
252 
258 static int
260 {
261  return check_new_vhosts_flag;
262 }
263 
268 static void
270 {
272 }
273 
278 static void
280 {
282 }
283 
292 static void
294 {
295  char *value;
296 
297  if (get_check_new_vhosts_flag () == 0)
298  return;
299 
300  while ((value = kb_item_pop_str (host_kb, "internal/vhosts")))
301  {
302  /* Get the source. */
303  char buffer[4096], *source;
304  gvm_vhost_t *vhost;
305 
306  g_snprintf (buffer, sizeof (buffer), "internal/source/%s", value);
307  source = kb_item_pop_str (host_kb, buffer);
308  assert (source);
309  vhost = gvm_vhost_new (value, source);
310  host_vhosts = g_slist_append (host_vhosts, vhost);
311  }
313 }
314 
324 static int
325 launch_plugin (struct scan_globals *globals, struct scheduler_plugin *plugin,
326  struct in6_addr *ip, GSList *vhosts, kb_t kb)
327 {
328  int optimize = prefs_get_bool ("optimize_test"), pid, ret = 0;
329  char *oid, *name, *error = NULL, ip_str[INET6_ADDRSTRLEN];
330  gboolean network_scan = FALSE;
331  nvti_t *nvti;
332 
333  addr6_to_str (ip, ip_str);
334  oid = plugin->oid;
335  nvti = nvticache_get_nvt (oid);
336 
337  /* eg. When NVT was moved/removed by a feed update during the scan. */
338  if (!nvti)
339  {
340  g_message ("Plugin '%s' missing from nvticache.", oid);
342  goto finish_launch_plugin;
343  }
344  if (scan_is_stopped ())
345  {
346  if (nvti_category (nvti) != ACT_END)
347  {
349  goto finish_launch_plugin;
350  }
351  else
352  {
353  name = nvticache_get_filename (oid);
354  g_message ("Stopped scan wrap-up: Launching %s (%s)", name, oid);
355  g_free (name);
356  }
357  }
358 
359  if (network_scan_status (globals) == NSS_BUSY)
360  network_scan = TRUE;
361 
362  if (prefs_get_bool ("safe_checks")
363  && !nvti_category_is_safe (nvti_category (nvti)))
364  {
365  if (prefs_get_bool ("log_whole_attack"))
366  {
367  name = nvticache_get_filename (oid);
368  g_message ("Not launching %s (%s) against %s because safe checks are"
369  " enabled (this is not an error)",
370  name, oid, ip_str);
371  g_free (name);
372  }
374  goto finish_launch_plugin;
375  }
376 
377  if (network_scan)
378  {
379  char asc_id[100];
380 
381  assert (oid);
382  snprintf (asc_id, sizeof (asc_id), "Launched/%s", oid);
383 
384  if (kb_item_get_int (kb, asc_id) > 0)
385  {
386  if (prefs_get_bool ("log_whole_attack"))
387  g_message ("Not launching %s against %s because it has already "
388  "been lanched in the past (this is not an error)",
389  oid, ip_str);
391  goto finish_launch_plugin;
392  }
393  else
394  kb_item_set_int (kb, asc_id, 1);
395  }
396 
397  /* Do not launch NVT if mandatory key is missing (e.g. an important tool
398  * was not found). This is ignored during network wide scanning phases. */
399  if (!network_scan && !mandatory_requirements_met (kb, nvti))
400  error = "because a mandatory key is missing";
401  if (error || (optimize && (error = requirements_plugin (kb, nvti))))
402  {
404  if (prefs_get_bool ("log_whole_attack"))
405  {
406  name = nvticache_get_filename (oid);
407  g_message (
408  "Not launching %s (%s) against %s %s (this is not an error)", name,
409  oid, ip_str, error);
410  g_free (name);
411  }
412  goto finish_launch_plugin;
413  }
414 
415  /* Stop the test if the host is 'dead' */
416  if (kb_item_get_int (kb, "Host/dead") > 0)
417  {
418  g_message ("The remote host %s is dead", ip_str);
421  ret = ERR_HOST_DEAD;
422  goto finish_launch_plugin;
423  }
424 
425  /* Update vhosts list and start the plugin */
426  check_new_vhosts ();
427  pid = plugin_launch (globals, plugin, ip, vhosts, kb, nvti);
428  if (pid < 0)
429  {
431  ret = ERR_CANT_FORK;
432  goto finish_launch_plugin;
433  }
434 
435  if (prefs_get_bool ("log_whole_attack"))
436  {
437  name = nvticache_get_filename (oid);
438  g_message ("Launching %s (%s) against %s [%d]", name, oid, ip_str, pid);
439  g_free (name);
440  }
441 
442 finish_launch_plugin:
443  nvti_free (nvti);
444  return ret;
445 }
446 
447 static int
448 kb_duplicate (kb_t dst, kb_t src, const gchar *filter)
449 {
450  struct kb_item *items, *p_itm;
451 
452  items = kb_item_get_pattern (src, filter ? filter : "*");
453  for (p_itm = items; p_itm != NULL; p_itm = p_itm->next)
454  {
455  gchar *newname;
456 
457  newname = strstr (p_itm->name, "/");
458  if (newname == NULL)
459  newname = p_itm->name;
460  else
461  newname += 1; /* Skip the '/' */
462 
463  kb_item_add_str (dst, newname, p_itm->v_str, 0);
464  }
465  return 0;
466 }
467 
479 static kb_t
480 init_host_kb (struct scan_globals *globals, char *ip_str, kb_t *network_kb)
481 {
482  kb_t kb;
483  gchar *hostname_pattern;
484  enum net_scan_status nss;
485  const gchar *kb_path = prefs_get ("db_address");
486  int rc;
487 
488  nss = network_scan_status (globals);
489  switch (nss)
490  {
491  case NSS_DONE:
492  rc = kb_new (&kb, kb_path);
493  if (rc)
494  {
495  report_kb_failure (rc);
496  return NULL;
497  }
498 
499  hostname_pattern = g_strdup_printf ("%s/*", ip_str);
500  kb_duplicate (kb, *network_kb, hostname_pattern);
501  g_free (hostname_pattern);
502  break;
503 
504  case NSS_BUSY:
505  assert (network_kb != NULL);
506  assert (*network_kb != NULL);
507  kb = *network_kb;
508  break;
509 
510  default:
511  rc = kb_new (&kb, kb_path);
512  if (rc)
513  {
514  report_kb_failure (rc);
515  return NULL;
516  }
517  }
518 
519  return kb;
520 }
521 
525 static void
526 attack_host (struct scan_globals *globals, struct in6_addr *ip, GSList *vhosts,
527  plugins_scheduler_t sched, kb_t kb, kb_t *net_kb)
528 {
529  /* Used for the status */
530  int num_plugs, forks_retry = 0;
531  char ip_str[INET6_ADDRSTRLEN];
532 
533  addr6_to_str (ip, ip_str);
535  host_kb = kb;
536  host_vhosts = vhosts;
537  kb_item_set_str (kb, "internal/ip", ip_str, 0);
538  kb_item_set_int (kb, "internal/hostpid", getpid ());
539  proctitle_set ("openvas: testing %s", ip_str);
540  if (net_kb && *net_kb)
541  {
542  kb_delete (kb);
543  kb = init_host_kb (globals, ip_str, net_kb);
544  if (kb == NULL)
545  return;
546  }
547  kb_lnk_reset (kb);
548 
549  /* launch the plugins */
550  pluginlaunch_init (ip_str);
551  num_plugs = plugins_scheduler_count_active (sched);
552  for (;;)
553  {
554  struct scheduler_plugin *plugin;
555  pid_t parent;
556 
557  /* Check that our father is still alive */
558  parent = getppid ();
559  if (parent <= 1 || process_alive (parent) == 0)
560  {
562  return;
563  }
564 
565  if (scan_is_stopped ())
566  plugins_scheduler_stop (sched);
567  plugin = plugins_scheduler_next (sched);
568  if (plugin != NULL && plugin != PLUG_RUNNING)
569  {
570  int e;
571  static int last_status = 0, cur_plug = 0;
572 
573  again:
574  e = launch_plugin (globals, plugin, ip, host_vhosts, kb);
575  if (e < 0)
576  {
577  /*
578  * Remote host died
579  */
580  if (e == ERR_HOST_DEAD)
581  {
582  char buffer[2048];
583  snprintf (
584  buffer, sizeof (buffer),
585  "LOG||| |||general/Host_Details||| |||<host><detail>"
586  "<name>Host dead</name><value>1</value><source>"
587  "<description/><type/><name/></source></detail></host>");
588 #if (PROGRESS_BAR_STYLE == 1)
589  /* In case of a dead host, it sends max_ports = -1 to the
590  manager. The host will not be taken into account to
591  calculate the scan progress. */
592  comm_send_status (kb, ip_str, 0, -1);
593 #endif
594  kb_item_push_str (kb, "internal/results", buffer);
595  goto host_died;
596  }
597  else if (e == ERR_CANT_FORK)
598  {
599  if (forks_retry < MAX_FORK_RETRIES)
600  {
601  forks_retry++;
602  g_debug ("fork() failed - sleeping %d seconds (%s)",
603  forks_retry, strerror (errno));
604  fork_sleep (forks_retry);
605  goto again;
606  }
607  else
608  {
609  g_debug ("fork() failed too many times - aborting");
610  goto host_died;
611  }
612  }
613  }
614 
615  if ((cur_plug * 100) / num_plugs >= last_status
616  && !scan_is_stopped ())
617  {
618  last_status = (cur_plug * 100) / num_plugs + 2;
619  if (comm_send_status (kb, ip_str, cur_plug, num_plugs) < 0)
620  {
622  goto host_died;
623  }
624  }
625  cur_plug++;
626  }
627  else if (plugin == NULL)
628  break;
630  }
631 
632  pluginlaunch_wait (kb);
633  if (!scan_is_stopped ())
634  comm_send_status (kb, ip_str, num_plugs, num_plugs);
635 
636 host_died:
638  plugins_scheduler_free (sched);
639 }
640 
641 /*
642  * Checks if a host is authorized to be scanned.
643  *
644  * @param[in] host Host to check access to.
645  * @param[in] addr Pointer to address so a hostname isn't resolved multiple
646  * times.
647  * @param[in] hosts_allow Hosts whitelist.
648  * @param[in] hosts_deny Hosts blacklist.
649  *
650  * @return 1 if host authorized, 0 otherwise.
651  */
652 static int
653 host_authorized (const gvm_host_t *host, const struct in6_addr *addr,
654  const gvm_hosts_t *hosts_allow, const gvm_hosts_t *hosts_deny)
655 {
656  /* Check Hosts Access. */
657  if (host == NULL)
658  return 0;
659 
660  if (hosts_deny && gvm_host_in_hosts (host, addr, hosts_deny))
661  return 0;
662  if (hosts_allow && !gvm_host_in_hosts (host, addr, hosts_allow))
663  return 0;
664 
665  return 1;
666 }
667 
668 /*
669  * Converts the vhosts list to a comma-separated char string.
670  *
671  * @param[in] list Linked-list to convert.
672  *
673  * @return NULL if empty list, char string otherwise.
674  */
675 static char *
677 {
678  GString *string;
679 
680  if (!list)
681  return NULL;
682  string = g_string_new (((gvm_vhost_t *) list->data)->value);
683  if (g_slist_length (list) == 1)
684  return g_string_free (string, FALSE);
685  list = list->next;
686  while (list)
687  {
688  g_string_append (string, ", ");
689  g_string_append (string, ((gvm_vhost_t *) list->data)->value);
690  list = list->next;
691  }
692  return g_string_free (string, FALSE);
693 }
694 
695 /*
696  * Check if a scan is authorized on a host.
697  *
698  * @param[in] host Host to check access to.
699  * @param[in] addr Pointer to address so a hostname isn't resolved multiple
700  * times.
701  * @param[in] kb Host scan KB.
702  *
703  * @return 0 if authorized, -1 otherwise.
704  */
705 static int
706 check_host_authorization (gvm_host_t *host, const struct in6_addr *addr,
707  kb_t kb)
708 {
709  gvm_hosts_t *hosts_allow, *hosts_deny;
710  gvm_hosts_t *sys_hosts_allow, *sys_hosts_deny;
711 
712  /* Do we have the right to test this host ? */
713  hosts_allow = gvm_hosts_new (prefs_get ("hosts_allow"));
714  hosts_deny = gvm_hosts_new (prefs_get ("hosts_deny"));
715  if (!host_authorized (host, addr, hosts_allow, hosts_deny))
716  {
717  error_message_to_client2 (kb, "Host access denied.", NULL);
718  return -1;
719  }
720  sys_hosts_allow = gvm_hosts_new (prefs_get ("sys_hosts_allow"));
721  sys_hosts_deny = gvm_hosts_new (prefs_get ("sys_hosts_deny"));
722  if (!host_authorized (host, addr, sys_hosts_allow, sys_hosts_deny))
723  {
725  kb, "Host access denied (system-wide restriction.)", NULL);
726  return -1;
727  }
728 
729  gvm_hosts_free (hosts_allow);
730  gvm_hosts_free (hosts_deny);
731  gvm_hosts_free (sys_hosts_allow);
732  gvm_hosts_free (sys_hosts_deny);
733  return 0;
734 }
735 
739 static void
741 {
742  struct scan_globals *globals = args->globals;
743  char ip_str[INET6_ADDRSTRLEN], *hostnames;
744  struct in6_addr hostip;
745  struct timeval then;
746  kb_t *net_kb = args->net_kb, kb = args->host_kb;
747  int ret;
748 
749  nvticache_reset ();
750  kb_lnk_reset (kb);
751  gettimeofday (&then, NULL);
752 
753  kb_item_set_str (kb, "internal/scan_id", globals->scan_id, 0);
754  set_kb_readable (kb_get_kb_index (kb));
755 
756  /* The reverse lookup is delayed to this step in order to not slow down the
757  * main scan process eg. case of target with big range of IP addresses. */
758  if (prefs_get_bool ("expand_vhosts"))
759  gvm_host_add_reverse_lookup (args->host);
760  if ((ret = gvm_vhosts_exclude (args->host, prefs_get ("exclude_hosts"))) > 0)
761  g_message ("exclude_hosts: Skipped %d vhost(s).", ret);
762  gvm_host_get_addr6 (args->host, &hostip);
763  addr6_to_str (&hostip, ip_str);
764  if (check_host_authorization (args->host, &hostip, kb))
765  {
766  g_warning ("Host %s access denied.", ip_str);
767  return;
768  }
769  if (prefs_get_bool ("test_empty_vhost"))
770  {
771  gvm_vhost_t *vhost =
772  gvm_vhost_new (g_strdup (ip_str), g_strdup ("IP-address"));
773  args->host->vhosts = g_slist_prepend (args->host->vhosts, vhost);
774  }
775  hostnames = vhosts_to_str (args->host->vhosts);
776  if (hostnames)
777  g_message ("Testing %s (Vhosts: %s) [%d]", ip_str, hostnames, getpid ());
778  else
779  g_message ("Testing %s [%d]", ip_str, getpid ());
780  g_free (hostnames);
781  attack_host (globals, &hostip, args->host->vhosts, args->sched, kb, net_kb);
782 
783  if (!scan_is_stopped ())
784  {
785  struct timeval now;
786 
787  gettimeofday (&now, NULL);
788  if (now.tv_usec < then.tv_usec)
789  {
790  then.tv_sec++;
791  now.tv_usec += 1000000;
792  }
793  g_message ("Finished testing %s. Time : %ld.%.2ld secs", ip_str,
794  (long) (now.tv_sec - then.tv_sec),
795  (long) ((now.tv_usec - then.tv_usec) / 10000));
796  }
797 }
798 
799 static void
801 {
802  const char *ordering = prefs_get ("hosts_ordering"),
803  *exclude_hosts = prefs_get ("exclude_hosts");
804 
805  if (hosts == NULL)
806  return;
807 
808  /* Hosts ordering strategy: sequential, random, reversed... */
809  if (ordering)
810  {
811  if (!strcmp (ordering, "random"))
812  {
813  gvm_hosts_shuffle (hosts);
814  g_debug ("hosts_ordering: Random.");
815  }
816  else if (!strcmp (ordering, "reverse"))
817  {
818  gvm_hosts_reverse (hosts);
819  g_debug ("hosts_ordering: Reverse.");
820  }
821  }
822  else
823  g_debug ("hosts_ordering: Sequential.");
824 
825  /* Exclude hosts ? */
826  if (exclude_hosts)
827  {
828  /* Exclude hosts, resolving hostnames. */
829  int ret = gvm_hosts_exclude (hosts, exclude_hosts);
830 
831  if (ret > 0)
832  g_message ("exclude_hosts: Skipped %d host(s).", ret);
833  if (ret < 0)
834  g_message ("exclude_hosts: Error.");
835  }
836 
837  /* Reverse-lookup unify ? */
838  if (prefs_get_bool ("reverse_lookup_unify"))
839  g_debug ("reverse_lookup_unify: Skipped %d host(s).",
840  gvm_hosts_reverse_lookup_unify (hosts));
841 
842  /* Hosts that reverse-lookup only ? */
843  if (prefs_get_bool ("reverse_lookup_only"))
844  g_debug ("reverse_lookup_only: Skipped %d host(s).",
845  gvm_hosts_reverse_lookup_only (hosts));
846 }
847 
848 static int
849 str_in_comma_list (const char *str, const char *comma_list)
850 {
851  gchar **element, **split;
852 
853  if (str == NULL || comma_list == NULL)
854  return 0;
855 
856  split = g_strsplit (comma_list, ",", 0);
857  element = split;
858  while (*element)
859  {
860  gchar *stripped = g_strstrip (*element);
861 
862  if (stripped && strcmp (stripped, str) == 0)
863  {
864  g_strfreev (split);
865  return 1;
866  }
867 
868  element++;
869  }
870 
871  g_strfreev (split);
872  return 0;
873 }
874 
875 /*
876  * Checks if a network interface is authorized to be used as source interface.
877  *
878  * @return 0 if iface is NULL, -1 if unauthorized by ifaces_deny/ifaces_allow,
879  * -2 if by sys_ifaces_deny/sys_ifaces_allow, 1 otherwise.
880  */
881 static int
882 iface_authorized (const char *iface)
883 {
884  const char *ifaces_list;
885 
886  if (iface == NULL)
887  return 0;
888 
889  ifaces_list = prefs_get ("ifaces_deny");
890  if (ifaces_list && str_in_comma_list (iface, ifaces_list))
891  return -1;
892  ifaces_list = prefs_get ("ifaces_allow");
893  if (ifaces_list && !str_in_comma_list (iface, ifaces_list))
894  return -1;
895  /* sys_* preferences are similar, but can't be overridden by the client. */
896  ifaces_list = prefs_get ("sys_ifaces_deny");
897  if (ifaces_list && str_in_comma_list (iface, ifaces_list))
898  return -2;
899  ifaces_list = prefs_get ("sys_ifaces_allow");
900  if (ifaces_list && !str_in_comma_list (iface, ifaces_list))
901  return -2;
902 
903  return 1;
904 }
905 
906 /*
907  * Applies the source_iface scanner preference, if allowed by ifaces_allow and
908  * ifaces_deny preferences.
909  *
910  * @return 0 if source_iface preference applied or not found, -1 if
911  * unauthorized value, -2 if iface can't be used.
912  */
913 static int
915 {
916  const char *source_iface = prefs_get ("source_iface");
917  int ret;
918 
919  if (source_iface == NULL)
920  return 0;
921 
922  ret = iface_authorized (source_iface);
923  if (ret == -1)
924  {
925  gchar *msg =
926  g_strdup_printf ("Unauthorized source interface: %s", source_iface);
927  g_warning ("source_iface: Unauthorized source interface %s.",
928  source_iface);
929 
930  g_free (msg);
931  return -1;
932  }
933  else if (ret == -2)
934  {
935  gchar *msg = g_strdup_printf ("Unauthorized source interface: %s"
936  " (system-wide restriction.)",
937  source_iface);
938  g_warning ("source_iface: Unauthorized source interface %s."
939  " (sys_* preference restriction.)",
940  source_iface);
941 
942  g_free (msg);
943  return -1;
944  }
945 
946  if (gvm_source_iface_init (source_iface))
947  {
948  gchar *msg =
949  g_strdup_printf ("Erroneous source interface: %s", source_iface);
950  g_debug ("source_iface: Error with %s interface.", source_iface);
951 
952  g_free (msg);
953  return -2;
954  }
955  else
956  {
957  char *ipstr, *ip6str;
958  ipstr = gvm_source_addr_str ();
959  ip6str = gvm_source_addr6_str ();
960  g_debug ("source_iface: Using %s (%s / %s).", source_iface, ipstr,
961  ip6str);
962 
963  g_free (ipstr);
964  g_free (ip6str);
965  return 0;
966  }
967 }
968 
969 static int
971 {
972  int rc;
973  kb_t kb;
974 
975  rc = kb_new (&kb, prefs_get ("db_address"));
976  if (rc)
977  report_kb_failure (rc);
978  else
979  kb_delete (kb);
980 
981  return rc;
982 }
983 
984 static void
986 {
987  int i = atoi (prefs_get ("ov_maindbid"));
988  kb_t main_kb = NULL;
989  char *pid;
990 
991  global_scan_stop = 1;
992  main_kb = kb_direct_conn (prefs_get ("db_address"), i);
993  pid = kb_item_get_str (main_kb, ("internal/ovas_pid"));
994  kb_lnk_reset (main_kb);
995 
996  if (atoi (pid) == getpid ())
997  hosts_stop_all ();
998  else
1000 
1001  g_free (pid);
1002 }
1003 
1007 void
1008 attack_network (struct scan_globals *globals, kb_t *network_kb)
1009 {
1010  int max_hosts = 0, max_checks;
1011  const char *hostlist;
1012  gvm_host_t *host;
1013  plugins_scheduler_t sched;
1014  int fork_retries = 0;
1015  GHashTable *files;
1016  struct timeval then, now;
1017  gvm_hosts_t *hosts;
1018  const gchar *network_targets, *port_range;
1019  gboolean network_phase = FALSE;
1020  gboolean do_network_scan = FALSE;
1021  kb_t host_kb;
1022  GSList *unresolved;
1023 
1024  gettimeofday (&then, NULL);
1025 
1026  if (prefs_get_bool ("network_scan"))
1027  do_network_scan = TRUE;
1028  else
1029  do_network_scan = FALSE;
1030 
1031  network_targets = prefs_get ("network_targets");
1032  if (network_targets != NULL)
1033  globals->network_targets = g_strdup (network_targets);
1034 
1035  if (do_network_scan)
1036  {
1037  enum net_scan_status nss;
1038 
1039  nss = network_scan_status (globals);
1040  switch (nss)
1041  {
1042  case NSS_DONE:
1043  network_phase = FALSE;
1044  break;
1045 
1046  case NSS_BUSY:
1047  network_phase = TRUE;
1048  break;
1049 
1050  default:
1051  globals->network_scan_status = g_strdup ("busy");
1052  network_phase = TRUE;
1053  break;
1054  }
1055  }
1056  else
1057  network_kb = NULL;
1058 
1059  if (check_kb_access ())
1060  return;
1061 
1062  /* Init and check Target List */
1063  hostlist = prefs_get ("TARGET");
1064  if (hostlist == NULL)
1065  {
1066  return;
1067  }
1068 
1069  /* Verify the port range is a valid one */
1070  port_range = prefs_get ("port_range");
1071  if (validate_port_range (port_range))
1072  {
1073  return;
1074  }
1075 
1076  /* Initialize the attack. */
1077  int plugins_init_error = 0;
1078  sched = plugins_scheduler_init (prefs_get ("plugin_set"),
1079  prefs_get_bool ("auto_enable_dependencies"),
1080  network_phase, &plugins_init_error);
1081  if (!sched)
1082  {
1083  g_message ("Couldn't initialize the plugin scheduler");
1084  return;
1085  }
1086 
1087  if (plugins_init_error > 0)
1088  {
1089  char buf[96];
1090  int i = atoi (prefs_get ("ov_maindbid"));
1091  kb_t main_kb = NULL;
1092 
1093  sprintf (buf,
1094  "%d errors were found during the plugin scheduling. "
1095  "Some plugins have not been launched.",
1096  plugins_init_error);
1097 
1098  main_kb = kb_direct_conn (prefs_get ("db_address"), i);
1099  error_message_to_client2 (main_kb, buf, NULL);
1100  kb_lnk_reset (main_kb);
1101  }
1102 
1103  max_hosts = get_max_hosts_number ();
1104  max_checks = get_max_checks_number ();
1105 
1106  if (network_phase)
1107  {
1108  if (network_targets == NULL)
1109  {
1110  g_warning (
1111  "WARNING: In network phase, but without targets! Stopping.");
1112  host = NULL;
1113  }
1114  else
1115  {
1116  int rc;
1117 
1118  g_message ("Start a new scan. Target(s) : %s, "
1119  "in network phase with target %s",
1120  hostlist, network_targets);
1121 
1122  rc = kb_new (network_kb, prefs_get ("db_address"));
1123  if (rc)
1124  {
1125  report_kb_failure (rc);
1126  host = NULL;
1127  }
1128  else
1129  kb_lnk_reset (*network_kb);
1130  }
1131  }
1132  else
1133  g_message ("Starts a new scan. Target(s) : %s, with max_hosts = %d and "
1134  "max_checks = %d",
1135  hostlist, max_hosts, max_checks);
1136 
1137  hosts = gvm_hosts_new (hostlist);
1138  unresolved = gvm_hosts_resolve (hosts);
1139  while (unresolved)
1140  {
1141  g_warning ("Couldn't resolve hostname '%s'", (char *) unresolved->data);
1142  unresolved = unresolved->next;
1143  }
1144  g_slist_free_full (unresolved, g_free);
1145  /* Apply Hosts preferences. */
1147 
1148  /* Don't start if the provided interface is unauthorized. */
1149  if (apply_source_iface_preference () != 0)
1150  {
1151  gvm_hosts_free (hosts);
1152  return;
1153  }
1154  host = gvm_hosts_next (hosts);
1155  if (host == NULL)
1156  goto stop;
1157  hosts_init (max_hosts);
1158  /*
1159  * Start the attack !
1160  */
1162  while (host && !scan_is_stopped ())
1163  {
1164  int pid, rc;
1165  struct attack_start_args args;
1166  char *host_str;
1167 
1168  do
1169  {
1170  rc = kb_new (&host_kb, prefs_get ("db_address"));
1171  if (rc < 0 && rc != -2)
1172  {
1173  report_kb_failure (rc);
1174  goto scan_stop;
1175  }
1176  else if (rc == -2)
1177  {
1178  sleep (KB_RETRY_DELAY);
1179  continue;
1180  }
1181  break;
1182  }
1183  while (1);
1184 
1185  host_str = gvm_host_value_str (host);
1186  if (hosts_new (host_str, host_kb) < 0)
1187  {
1188  g_free (host_str);
1189  goto scan_stop;
1190  }
1191 
1192  if (scan_is_stopped ())
1193  {
1194  g_free (host_str);
1195  continue;
1196  }
1197  args.host = host;
1198  args.globals = globals;
1199  args.sched = sched;
1200  args.net_kb = network_kb;
1201  args.host_kb = host_kb;
1202 
1203  forkagain:
1205  /* Close child process' socket. */
1206  if (pid < 0)
1207  {
1208  fork_retries++;
1209  if (fork_retries > MAX_FORK_RETRIES)
1210  {
1211  /* Forking failed - we go to the wait queue. */
1212  g_debug ("fork() failed - %s. %s won't be tested",
1213  strerror (errno), host_str);
1214  g_free (host_str);
1215  goto stop;
1216  }
1217 
1218  g_debug ("fork() failed - "
1219  "sleeping %d seconds and trying again...",
1220  fork_retries);
1221  fork_sleep (fork_retries);
1222  goto forkagain;
1223  }
1224  hosts_set_pid (host_str, pid);
1225  if (network_phase)
1226  g_message ("Testing %s (network level) [%d]", network_targets, pid);
1227 
1228  if (network_phase)
1229  {
1230  host = NULL;
1231  globals->network_scan_status = g_strdup ("done");
1232  }
1233  else
1234  host = gvm_hosts_next (hosts);
1235  g_free (host_str);
1236  }
1237 
1238  /* Every host is being tested... We have to wait for the processes
1239  * to terminate. */
1240  while (hosts_read () == 0)
1241  ;
1242  g_message ("Test complete");
1243 
1244 scan_stop:
1245  /* Free the memory used by the files uploaded by the user, if any. */
1246  files = globals->files_translation;
1247  if (files)
1248  g_hash_table_destroy (files);
1249 
1250 stop:
1251 
1252  gvm_hosts_free (hosts);
1253  g_free (globals->network_scan_status);
1254  g_free (globals->network_targets);
1255 
1257 
1258  gettimeofday (&now, NULL);
1259  g_message ("Total time to scan all hosts : %ld seconds",
1260  now.tv_sec - then.tv_sec);
1261 
1262  if (do_network_scan && network_phase && !scan_is_stopped ())
1263  attack_network (globals, network_kb);
1264  else
1265  set_scan_status ("finished");
1266 }
int process_alive(pid_t pid)
Definition: utils.c:204
static int host_authorized(const gvm_host_t *host, const struct in6_addr *addr, const gvm_hosts_t *hosts_allow, const gvm_hosts_t *hosts_deny)
Definition: attack.c:653
#define ERR_HOST_DEAD
Definition: attack.c:55
static void apply_hosts_preferences(gvm_hosts_t *hosts)
Definition: attack.c:800
void(*)(int) openvas_signal(int signum, void(*handler)(int))
Definition: sighand.c:87
void hosts_stop_all(void)
Definition: hosts.c:211
static void attack_start(struct attack_start_args *args)
Set up some data and jump into attack_host()
Definition: attack.c:740
plugins_scheduler_t plugins_scheduler_init(const char *plugins_list, int autoload, int only_network, int *error)
static int scan_is_stopped()
Definition: attack.c:227
struct scheduler_plugin * plugins_scheduler_next(plugins_scheduler_t h)
int hosts_new(char *name, kb_t kb)
Definition: hosts.c:160
static void check_new_vhosts()
Check if a plugin process pushed a new vhost value.
Definition: attack.c:293
static enum net_scan_status network_scan_status(struct scan_globals *globals)
Definition: attack.c:208
GHashTable * files_translation
Definition: scanneraux.h:36
static int check_host_authorization(gvm_host_t *host, const struct in6_addr *addr, kb_t kb)
Definition: attack.c:706
#define KB_RETRY_DELAY
Definition: attack.c:62
#define MAX_FORK_RETRIES
Definition: attack.c:58
processes.c header.
headerfile for sighand.c.
#define max
Definition: nasl_wmi.c:48
static void handle_scan_stop_signal()
Definition: attack.c:985
gvm_host_t * host
Definition: attack.c:88
int mandatory_requirements_met(kb_t kb, nvti_t *nvti)
Check whether mandatory requirements for plugin are met.
Definition: plugs_req.c:247
const char * oid
static struct host * hosts
Definition: hosts.c:59
char * network_scan_status
Definition: scanneraux.h:35
static int check_new_vhosts_flag
Definition: attack.c:251
void plugins_scheduler_stop(plugins_scheduler_t sched)
static int check_kb_access()
Definition: attack.c:970
static kb_t init_host_kb(struct scan_globals *globals, char *ip_str, kb_t *network_kb)
Inits or loads the knowledge base for a single host.
Definition: attack.c:480
void plugins_scheduler_free(plugins_scheduler_t sched)
static pid_t pid
static void error_message_to_client2(kb_t kb, const char *msg, const char *port)
Definition: attack.c:173
static int apply_source_iface_preference()
Definition: attack.c:914
static int iface_authorized(const char *iface)
Definition: attack.c:882
int global_scan_stop
Definition: attack.c:224
int plugins_scheduler_count_active(plugins_scheduler_t sched)
static GSList * host_vhosts
Definition: attack.c:250
utils.c headerfile.
static int set_kb_readable(int host_kb_index)
Add the Host KB index to the list of readable KBs used by ospd-openvas.
Definition: attack.c:109
static int get_check_new_vhosts_flag()
Return check_new_vhosts_flag. After reading must be clean with unset_check_new_vhosts_flag(), to avoid fetching unnecessarily.
Definition: attack.c:259
static kb_t host_kb
Definition: attack.c:249
void pluginlaunch_wait_for_free_process(kb_t kb)
Waits and &#39;pushes&#39; processes until the number of running processes has changed.
Definition: pluginlaunch.c:403
char * scan_id
Definition: scanneraux.h:38
int hosts_read(void)
Returns -1 if client asked to stop all tests or connection was lost or error. 0 otherwise.
Definition: hosts.c:271
Host information, implemented as doubly linked list.
Definition: hosts.c:47
struct scan_globals * globals
Definition: attack.c:84
void pluginlaunch_wait(kb_t kb)
Waits and &#39;pushes&#39; processes until num_running_processes is 0.
Definition: pluginlaunch.c:370
void pluginlaunch_stop()
Definition: pluginlaunch.c:302
attack.c header.
plugins_scheduler_t sched
Definition: attack.c:85
int get_max_hosts_number(void)
Definition: utils.c:143
char * network_targets
Definition: scanneraux.h:34
const char * name
Definition: nasl_init.c:377
static int nvti_category_is_safe(int category)
Checks that an NVT category is safe.
Definition: attack.c:240
pluginlaunch.c header.
static int str_in_comma_list(const char *str, const char *comma_list)
Definition: attack.c:849
void(* process_func_t)(void *)
Definition: processes.h:31
struct timeval timeval(unsigned long val)
static void fork_sleep(int n)
Definition: attack.c:194
int hosts_init(int max_hosts)
Definition: hosts.c:153
enum plugin_status running_state
static void attack_host(struct scan_globals *globals, struct in6_addr *ip, GSList *vhosts, plugins_scheduler_t sched, kb_t kb, kb_t *net_kb)
Attack one host.
Definition: attack.c:526
int hosts_set_pid(char *name, pid_t pid)
Definition: hosts.c:185
static void set_check_new_vhosts_flag()
Set global check_new_vhosts_flag to indicate that new vhosts must be fetched.
Definition: attack.c:269
static int kb_duplicate(kb_t dst, kb_t src, const gchar *filter)
Definition: attack.c:448
plugs_req.c header.
void attack_network(struct scan_globals *globals, kb_t *network_kb)
Attack a whole network.
Definition: attack.c:1008
kb_t * net_kb
Definition: attack.c:86
#define PLUG_RUNNING
static int comm_send_status(kb_t kb, char *hostname, int curr, int max)
Sends the status of a host&#39;s scan.
Definition: attack.c:156
const char * hostname
Definition: pluginlaunch.c:76
static void report_kb_failure(int errcode)
Definition: attack.c:182
pluginload.c header.
char * requirements_plugin(kb_t kb, nvti_t *nvti)
Determine if the plugin requirements are met.
Definition: plugs_req.c:264
tree_cell * network_targets(lex_ctxt *lexic)
header for pluginscheduler.c
static void unset_check_new_vhosts_flag()
Unset global check_new_vhosts_flag. Must be called once the vhosts have been fetched.
Definition: attack.c:279
pid_t create_process(process_func_t function, void *argument)
Create a new process (fork).
Definition: processes.c:97
struct list * next
static char * vhosts_to_str(GSList *list)
Definition: attack.c:676
static int launch_plugin(struct scan_globals *globals, struct scheduler_plugin *plugin, struct in6_addr *ip, GSList *vhosts, kb_t kb)
Launches a nvt. Respects safe check preference (i.e. does not try.
Definition: attack.c:325
hosts.c header.
#define ERR_CANT_FORK
Definition: attack.c:56
int get_max_checks_number(void)
Definition: utils.c:174
net_scan_status
Definition: attack.c:91
void pluginlaunch_init(const char *host)
Definition: pluginlaunch.c:265
static void set_scan_status(char *status)
Set scan status. This helps ospd-openvas to identify if a scan crashed or finished cleanly...
Definition: attack.c:133
int plugin_launch(struct scan_globals *globals, struct scheduler_plugin *plugin, struct in6_addr *ip, GSList *vhosts, kb_t kb, nvti_t *nvti)
Definition: pluginlaunch.c:343