15 #include "../misc/ipc_openvas.h"
16 #include "../misc/kb_cache.h"
17 #include "../misc/network.h"
18 #include "../misc/nvt_categories.h"
19 #include "../misc/pcap_openvas.h"
20 #include "../misc/plugutils.h"
21 #include "../misc/table_driven_lsc.h"
22 #include "../misc/user_agent.h"
23 #include "../nasl/nasl_debug.h"
33 #include <arpa/inet.h>
34 #include <bsd/unistd.h>
38 #include <gvm/base/hosts.h>
39 #include <gvm/base/networking.h>
40 #include <gvm/base/prefs.h>
41 #include <gvm/boreas/alivedetection.h>
42 #include <gvm/boreas/boreas_io.h>
43 #include <gvm/util/mqtt.h>
44 #include <gvm/util/nvticache.h>
51 #define ERR_HOST_DEAD -1
53 #define MAX_FORK_RETRIES 10
57 #define KB_RETRY_DELAY 3
61 #define INVALID_TARGET_LIST "-1"
67 #define G_LOG_DOMAIN "sd main"
97 int i = atoi (prefs_get (
"ov_maindbid"));
99 *
main_kb = kb_direct_conn (prefs_get (
"db_address"), i);
105 g_warning (
"Not possible to get the main kb connection.");
148 snprintf (buffer,
sizeof (buffer),
"internal/%s",
scan_id);
173 const gchar *host_dead_status_code =
"0/-1";
174 const gchar *topic =
"internal/status";
178 if (strlen (ip_str) > 1998)
180 status = g_strjoin (
"/", ip_str, host_dead_status_code, NULL);
206 char status_buf[2048];
211 if (strlen (ip_str) > (
sizeof (status_buf) - 50))
214 snprintf (status_buf,
sizeof (status_buf),
"%s/%d/%d", ip_str, curr,
max);
223 const char *port,
const char *
type)
227 buf = g_strdup_printf (
"%s|||%s|||%s|||%s||| |||%s",
type,
228 ip_str ? ip_str :
"", ip_str ? ip_str :
"",
229 port ? port :
" ", msg ? msg :
"No error.");
239 errcode = abs (errcode);
240 msg = g_strdup_printf (
"WARNING: Cannot connect to KB at '%s': %s'",
241 prefs_get (
"db_address"), strerror (errcode));
242 g_warning (
"%s", msg);
251 now = then = time (NULL);
252 while (now - then < n)
254 waitpid (-1, NULL, WNOHANG);
295 GSList *vhosts = NULL;
301 gvm_vhost_t *tmp = vhosts->data;
303 if (!strcmp (tmp->value, vhost))
305 g_info (
"%s: vhost '%s' exists already", __func__, vhost);
308 vhosts = vhosts->next;
311 host_vhosts, gvm_vhost_new (g_strdup (vhost), g_strdup (source)));
312 g_info (
"%s: add vhost '%s' from '%s'", __func__, vhost, source);
339 gchar *status = NULL;
345 err = mqtt_subscribe (
"scanner/status");
348 g_warning (
"%s: Error starting lsc. Unable to subscribe", __func__);
353 os_release = kb_item_get_str (kb,
"ssh/login/release_notus");
355 package_list = kb_item_get_str (kb,
"ssh/login/package_list_notus");
356 if (!os_release || !package_list)
360 os_release, package_list);
361 g_free (package_list);
365 if (json_str == NULL)
368 g_message (
"Running Notus for %s", ip_str);
369 err = mqtt_publish (
"scanner/package/cmd/notus", json_str);
372 g_warning (
"%s: Error publishing message for Notus.", __func__);
382 err = mqtt_retrieve_message (&topic, &topic_len, &
payload, &payload_len,
384 if (err == -1 || err == 1)
386 g_warning (
"%s: Unable to retrieve status message from notus. %s",
387 __func__, err == 1 ?
"Timeout after 60 s." :
"");
400 if (!g_strcmp0 (status,
"running"))
402 g_debug (
"%s: table driven LSC with scan id %s successfully started "
409 err = mqtt_retrieve_message (&topic, &topic_len, &
payload,
410 &payload_len, 60000);
413 g_warning (
"%s: Unable to retrieve status message from notus.",
419 g_warning (
"%s: Unablet to retrieve message. Timeout after 60s.",
432 g_warning (
"%s: Unable to start lsc. Got status: %s", __func__, status);
437 if (g_strcmp0 (status,
"finished"))
440 "%s: table driven lsc with scan id %s did not finish successfully "
441 "for host %s. Last status was %s",
442 __func__,
scan_id, ip_str, status);
446 g_debug (
"%s: table driven lsc with scan id %s successfully finished "
463 g_warning (
"%s: Unknown data type.", __func__);
467 g_warning (
"%s: ihost data is NULL ignoring new vhost", __func__);
474 g_warning (
"%s: iuser_agent data is NULL, ignoring new user agent",
478 gchar *old_ua = NULL;
480 g_debug (
"%s: The User-Agent %s has been overwritten with %s",
499 for (
int j = 0; results[j] !=
'\0'; j++)
500 if (results[j] ==
'}')
502 gchar *message = NULL;
504 message = g_malloc0 (
sizeof (gchar) * (
len + 1));
505 memcpy (message, &results[pos],
len);
526 struct in6_addr *ip, GSList *vhosts,
529 int optimize = prefs_get_bool (
"optimize_test");
530 int launch_error,
pid, ret = 0;
531 char *
oid, *
name, *error = NULL, ip_str[INET6_ADDRSTRLEN];
535 addr6_to_str (ip, ip_str);
537 nvti = nvticache_get_nvt (
oid);
542 g_message (
"Plugin '%s' missing from nvticache.",
oid);
544 goto finish_launch_plugin;
549 goto finish_launch_plugin;
552 if (prefs_get_bool (
"safe_checks")
555 if (prefs_get_bool (
"log_whole_attack"))
557 name = nvticache_get_filename (
oid);
558 g_message (
"Not launching %s (%s) against %s because safe checks are"
559 " enabled (this is not an error)",
564 goto finish_launch_plugin;
570 error =
"because a mandatory key is missing";
575 if (prefs_get_bool (
"log_whole_attack"))
577 name = nvticache_get_filename (
oid);
579 "Not launching %s (%s) against %s %s (this is not an error)",
name,
583 goto finish_launch_plugin;
587 if (kb_item_get_int (args->
host_kb,
"Host/dead") > 0)
589 g_message (
"The remote host %s is dead", ip_str);
593 goto finish_launch_plugin;
611 goto finish_launch_plugin;
614 if (prefs_get_bool (
"log_whole_attack"))
616 name = nvticache_get_filename (
oid);
617 g_message (
"Launching %s (%s) against %s [%d]",
name,
oid, ip_str,
pid);
621 finish_launch_plugin:
634 int num_plugs, forks_retry = 0, all_plugs_launched = 0;
635 char ip_str[INET6_ADDRSTRLEN];
639 addr6_to_str (ip, ip_str);
645 setproctitle (
"openvas: testing %s", ip_str);
668 killpg (parent, SIGUSR1);
678 static int last_status = 0, cur_plug = 0;
692 buffer,
sizeof (buffer),
693 "LOG|||%s||| |||general/Host_Details||| |||<host><detail>"
694 "<name>Host dead</name><value>1</value><source>"
695 "<description/><type/><name/></source></detail></host>",
708 g_warning (
"Launch failed for %s. No free slot available "
709 "in the internal process table for starting a "
722 "fork() failed for %s - sleeping %d seconds (%s)",
723 plugin->
oid, forks_retry, strerror (errno));
729 g_warning (
"fork() failed too many times - aborting");
735 if ((cur_plug * 100) / num_plugs >= last_status
738 last_status = (cur_plug * 100) / num_plugs + 2;
745 else if (plugin == NULL)
754 && prefs_get_bool (
"mqtt_enabled"))
760 buffer,
sizeof (buffer),
761 "ERRMSG|||%s||| ||| ||| ||| Unable to launch table driven lsc",
764 "internal/results", buffer);
765 g_warning (
"%s: Unable to launch table driven LSC", __func__);
775 all_plugs_launched = 1;
780 g_message (
"Vulnerability scan %s for host %s: not all plugins "
802 string = g_string_new (((gvm_vhost_t *)
list->data)->value);
803 if (g_slist_length (
list) == 1)
804 return g_string_free (
string, FALSE);
808 g_string_append (
string,
", ");
809 g_string_append (
string, ((gvm_vhost_t *)
list->data)->value);
812 return g_string_free (
string, FALSE);
821 const gchar *source_iface = prefs_get (
"source_iface");
822 const gchar *ifaces_allow = prefs_get (
"ifaces_allow");
823 const gchar *ifaces_deny = prefs_get (
"ifaces_deny");
824 const gchar *sys_ifaces_allow = prefs_get (
"sys_ifaces_allow");
825 const gchar *sys_ifaces_deny = prefs_get (
"sys_ifaces_deny");
827 if (source_iface || ifaces_allow || ifaces_deny || sys_ifaces_allow
833 msg = g_strdup_printf (
834 "The following provided settings are deprecated since the 22.4 "
835 "release and will be ignored: %s%s%s%s%s",
836 source_iface ?
"source_iface (task setting) " :
"",
837 ifaces_allow ?
"ifaces_allow (user setting) " :
"",
838 ifaces_deny ?
"ifaces_deny (user setting) " :
"",
839 sys_ifaces_allow ?
"sys_ifaces_allow (scanner only setting) " :
"",
840 sys_ifaces_deny ?
"sys_ifaces_deny (scanner only setting)" :
"");
841 g_warning (
"%s: %s", __func__, msg);
850 #ifndef FEATURE_HOSTS_ALLOWED_ONLY
864 const gvm_hosts_t *hosts_allow,
const gvm_hosts_t *hosts_deny)
870 if (hosts_deny && gvm_host_in_hosts (
host, addr, hosts_deny))
872 if (hosts_allow && !gvm_host_in_hosts (
host, addr, hosts_allow))
890 gvm_hosts_t *hosts_allow, *hosts_deny;
891 gvm_hosts_t *sys_hosts_allow, *sys_hosts_deny;
894 hosts_allow = gvm_hosts_new (prefs_get (
"hosts_allow"));
895 hosts_deny = gvm_hosts_new (prefs_get (
"hosts_deny"));
899 sys_hosts_allow = gvm_hosts_new (prefs_get (
"sys_hosts_allow"));
900 sys_hosts_deny = gvm_hosts_new (prefs_get (
"sys_hosts_deny"));
904 gvm_hosts_free (hosts_allow);
905 gvm_hosts_free (hosts_deny);
906 gvm_hosts_free (sys_hosts_allow);
907 gvm_hosts_free (sys_hosts_deny);
920 char ip_str[INET6_ADDRSTRLEN], *hostnames;
921 struct in6_addr hostip;
931 gettimeofday (&then, NULL);
939 if (prefs_get_bool (
"expand_vhosts"))
940 gvm_host_add_reverse_lookup (args->
host);
941 if ((ret = gvm_vhosts_exclude (args->
host, prefs_get (
"exclude_hosts"))) > 0)
942 g_message (
"exclude_hosts: Skipped %d vhost(s).", ret);
943 gvm_host_get_addr6 (args->
host, &hostip);
944 addr6_to_str (&hostip, ip_str);
946 #ifndef FEATURE_HOSTS_ALLOWED_ONLY
948 if (ret_host_auth < 0)
950 if (ret_host_auth == -1)
954 ip_str, NULL,
"ERRMSG");
957 g_warning (
"Host %s access denied.", ip_str);
962 if (prefs_get_bool (
"test_empty_vhost"))
965 gvm_vhost_new (g_strdup (ip_str), g_strdup (
"IP-address"));
966 args->
host->vhosts = g_slist_prepend (args->
host->vhosts, vhost);
970 g_message (
"Vulnerability scan %s started for host: %s (Vhosts: %s)",
971 globals->
scan_id, ip_str, hostnames);
973 g_message (
"Vulnerability scan %s started for host: %s", globals->
scan_id,
983 gettimeofday (&now, NULL);
984 if (now.tv_usec < then.tv_usec)
987 now.tv_usec += 1000000;
990 "Vulnerability scan %s finished for host %s in %ld.%.2ld seconds",
991 globals->
scan_id, ip_str, (
long) (now.tv_sec - then.tv_sec),
992 (
long) ((now.tv_usec - then.tv_usec) / 10000));
999 const char *exclude_hosts = prefs_get (
"exclude_hosts");
1005 int ret = gvm_hosts_exclude (
hosts, exclude_hosts);
1008 g_message (
"exclude_hosts: Skipped %d host(s).", ret);
1010 g_message (
"exclude_hosts: Error.");
1014 #ifdef FEATURE_HOSTS_ALLOWED_ONLY
1016 print_host_access_denied (gpointer data, gpointer systemwide)
1019 int *sw = systemwide;
1026 "Host access denied (system-wide restriction).",
1027 (gchar *) data, NULL,
"ERRMSG");
1031 g_warning (
"Host %s access denied.", (gchar *) data);
1035 apply_hosts_allow_deny (gvm_hosts_t *
hosts)
1037 GSList *removed = NULL;
1038 const char *allow_hosts = prefs_get (
"hosts_allow");
1039 const char *deny_hosts = prefs_get (
"hosts_deny");
1041 if (allow_hosts || deny_hosts)
1044 removed = gvm_hosts_allowed_only (
hosts, deny_hosts, allow_hosts);
1045 g_slist_foreach (removed, print_host_access_denied,
1046 (gpointer) &systemwide);
1047 g_slist_free_full (removed, g_free);
1050 const char *sys_allow_hosts = prefs_get (
"sys_hosts_allow");
1051 const char *sys_deny_hosts = prefs_get (
"sys_hosts_deny");
1052 if (sys_allow_hosts || sys_deny_hosts)
1055 removed = gvm_hosts_allowed_only (
hosts, sys_deny_hosts, sys_allow_hosts);
1056 g_slist_foreach (removed, print_host_access_denied,
1057 (gpointer) &systemwide);
1058 g_slist_free_full (removed, g_free);
1066 const char *ordering = prefs_get (
"hosts_ordering");
1071 if (!strcmp (ordering,
"random"))
1073 gvm_hosts_shuffle (
hosts);
1074 g_debug (
"hosts_ordering: Random.");
1076 else if (!strcmp (ordering,
"reverse"))
1078 gvm_hosts_reverse (
hosts);
1079 g_debug (
"hosts_ordering: Reverse.");
1083 g_debug (
"hosts_ordering: Sequential.");
1089 #ifdef FEATURE_REVERSE_LOOKUP_EXCLUDED
1090 const char *exclude_hosts = prefs_get (
"exclude_hosts");
1091 int hosts_excluded = 0;
1093 if (prefs_get_bool (
"reverse_lookup_unify"))
1095 gvm_hosts_t *excluded;
1097 excluded = gvm_hosts_reverse_lookup_unify_excluded (
hosts);
1098 g_debug (
"reverse_lookup_unify: Skipped %zu host(s).", excluded->count);
1104 hosts_excluded += gvm_hosts_exclude (excluded, exclude_hosts);
1106 gvm_hosts_free (excluded);
1109 if (prefs_get_bool (
"reverse_lookup_only"))
1111 gvm_hosts_t *excluded;
1113 excluded = gvm_hosts_reverse_lookup_only_excluded (
hosts);
1114 g_debug (
"reverse_lookup_unify: Skipped %zu host(s).", excluded->count);
1119 hosts_excluded += gvm_hosts_exclude (excluded, exclude_hosts);
1120 gvm_hosts_free (excluded);
1122 return exclude_hosts ? hosts_excluded : 0;
1125 if (prefs_get_bool (
"reverse_lookup_unify"))
1126 g_debug (
"reverse_lookup_unify: Skipped %d host(s).",
1127 gvm_hosts_reverse_lookup_unify (
hosts));
1130 if (prefs_get_bool (
"reverse_lookup_only"))
1131 g_debug (
"reverse_lookup_only: Skipped %d host(s).",
1132 gvm_hosts_reverse_lookup_only (
hosts));
1144 rc = kb_new (&kb, prefs_get (
"db_address"));
1181 static gboolean alive_detection_thread_already_joined = FALSE;
1183 alive_detection_thread_already_joined = TRUE;
1184 return alive_detection_thread_already_joined;
1198 static int already_called = 0;
1200 if (already_called == 1)
1204 pid = kb_item_get_str (
main_kb, (
"internal/ovas_pid"));
1209 if (
pid && (atoi (
pid) == getpid ()))
1215 if (prefs_get_bool (
"test_alive_hosts_only"))
1221 "Alive detection thread was already joined by other "
1222 "thread. Cancel operation not permitted or not needed.");
1230 "%s: pthread_cancel() returned ESRCH; No thread with the "
1231 "supplied ID could be found.",
1249 int max_hosts = 0, max_checks;
1250 const char *hostlist;
1253 int fork_retries = 0;
1257 const gchar *port_range;
1258 int allow_simultaneous_ips;
1265 gboolean test_alive_hosts_only = prefs_get_bool (
"test_alive_hosts_only");
1266 gvm_hosts_t *alive_hosts_list = NULL;
1267 kb_t alive_hosts_kb = NULL;
1268 if (test_alive_hosts_only)
1271 gettimeofday (&then, NULL);
1277 hostlist = prefs_get (
"TARGET");
1278 if (hostlist == NULL)
1284 port_range = prefs_get (
"port_range");
1285 if (validate_port_range (port_range))
1289 main_kb,
"Invalid port list. Ports must be in the range [1-65535]",
1290 NULL, NULL,
"ERRMSG");
1292 g_warning (
"Invalid port list. Ports must be in the range [1-65535]. "
1293 "Scan terminated.");
1300 int plugins_init_error = 0;
1302 prefs_get_bool (
"auto_enable_dependencies"),
1303 &plugins_init_error);
1306 g_message (
"Couldn't initialize the plugin scheduler");
1310 if (plugins_init_error > 0)
1313 "%d errors were found during the plugin scheduling. "
1314 "Some plugins have not been launched.",
1315 plugins_init_error);
1325 hosts = gvm_hosts_new (hostlist);
1329 buffer = g_strdup_printf (
"Invalid target list: %s.", hostlist);
1338 g_warning (
"Invalid target list. Scan terminated.");
1342 unresolved = gvm_hosts_resolve (
hosts);
1345 g_warning (
"Couldn't resolve hostname '%s'", (
char *) unresolved->data);
1346 unresolved = unresolved->next;
1348 g_slist_free_full (unresolved, g_free);
1353 int already_excluded = 0;
1356 #ifdef FEATURE_HOSTS_ALLOWED_ONLY
1360 apply_hosts_allow_deny (
hosts);
1365 sprintf (buf,
"%d", gvm_hosts_count (
hosts) + already_excluded);
1378 g_message (
"Vulnerability scan %s started: Target has %d hosts: "
1379 "%s, with max_hosts = %d and max_checks = %d",
1380 globals->
scan_id, gvm_hosts_count (
hosts), hostlist, max_hosts,
1383 if (test_alive_hosts_only)
1386 gboolean ad_finished = FALSE;
1389 struct in6_addr tmpaddr;
1393 err = pthread_create (&tid, NULL, start_alive_detection, (
void *)
hosts);
1396 "%s: pthread_create() returned EAGAIN: Insufficient resources "
1397 "to create thread.",
1400 g_debug (
"%s: started alive detection.", __func__);
1402 for (
host = get_host_from_queue (alive_hosts_kb, &ad_finished);
1404 host = get_host_from_queue (alive_hosts_kb, &ad_finished))
1409 if (gvm_host_get_addr6 (
host, &tmpaddr) == 0)
1414 "%s: Get first host to test from Queue. This host is used for "
1415 "initialising the alive_hosts_list.",
1418 alive_hosts_list = gvm_hosts_new (gvm_host_value_str (
host));
1424 allow_simultaneous_ips = prefs_get_bool (
"allow_simultaneous_ips");
1432 if (!test_alive_hosts_only
1437 gvm_hosts_move_current_host_to_end (
hosts);
1444 rc = kb_new (&arg_host_kb, prefs_get (
"db_address"));
1445 if (rc < 0 && rc != -2)
1459 host_str = gvm_host_value_str (
host);
1463 kb_delete (arg_host_kb);
1470 kb_delete (arg_host_kb);
1489 g_warning (
"fork() failed - %s. %s won't be tested",
1490 strerror (errno), host_str);
1495 g_debug (
"fork() failed - "
1496 "sleeping %d seconds and trying again...",
1503 if (test_alive_hosts_only)
1505 struct in6_addr tmpaddr;
1506 gvm_host_t *alive_buf;
1511 gboolean ad_finished = FALSE;
1512 for (
host = get_host_from_queue (alive_hosts_kb, &ad_finished);
1514 host = get_host_from_queue (alive_hosts_kb, &ad_finished))
1519 if (
host && !allow_simultaneous_ips
1522 struct in6_addr hostip;
1523 char ip_str[INET6_ADDRSTRLEN];
1526 gvm_host_get_addr6 (
host, &hostip);
1527 addr6_to_str (&hostip, ip_str);
1531 flag_set = finish_signal_on_queue (alive_hosts_kb);
1533 put_host_on_queue (alive_hosts_kb, ip_str);
1534 g_debug (
"Reallocating the host %s at the end of the queue",
1537 gvm_host_free (
host);
1542 g_debug (
"Reallocating finish signal in the host queue");
1543 realloc_finish_signal_on_queue (alive_hosts_kb);
1550 if (
host && gvm_host_get_addr6 (
host, &tmpaddr) == 0)
1554 gvm_host_free (alive_buf);
1559 gvm_hosts_add (alive_hosts_list, gvm_duplicate_host (
host));
1561 g_debug (
"%s: got NULL host, stop/finish scan", __func__);
1574 killpg (getpid (), SIGUSR1);
1576 g_debug (
"Test complete");
1582 g_hash_table_destroy (files);
1586 if (test_alive_hosts_only)
1591 kb_lnk_reset (alive_hosts_kb);
1592 g_debug (
"%s: free alive detection data ", __func__);
1595 g_debug (
"%s: waiting for alive detection thread to be finished...",
1600 g_debug (
"%s: pthread_join() returned EDEADLK.", __func__);
1602 g_debug (
"%s: pthread_join() returned EINVAL.", __func__);
1604 g_debug (
"%s: pthread_join() returned ESRCH.", __func__);
1605 if (retval == PTHREAD_CANCELED)
1606 g_debug (
"%s: pthread_join() returned PTHREAD_CANCELED.", __func__);
1610 g_debug (
"%s: Finished waiting for alive detection thread.", __func__);
1615 gettimeofday (&now, NULL);
1616 if (test_alive_hosts_only)
1617 g_message (
"Vulnerability scan %s finished in %ld seconds: "
1618 "%d alive hosts of %d",
1619 globals->
scan_id, now.tv_sec - then.tv_sec,
1620 gvm_hosts_count (alive_hosts_list), gvm_hosts_count (
hosts));
1622 g_message (
"Vulnerability scan %s finished in %ld seconds: %d hosts",
1623 globals->
scan_id, now.tv_sec - then.tv_sec,
1624 gvm_hosts_count (
hosts));
1626 gvm_hosts_free (
hosts);
1627 if (alive_hosts_list)
1628 gvm_hosts_free (alive_hosts_list);