1. Overview nmap <= 5.21 is vulnerable to Windows DLL Hijacking Vulnerability. 2. Vulnerability Description nmap passes insufficiently qualified path for the dll "airpcap.dll" while opening a file using nmap Timeline 27-08-2010 - Discovered Vulnerability 31-08-2010 - Disclosed at nmap-dev mailing list 04-09-2010 - Response and fix from developers 05-09-2010 - Disclosure 3. Exploitability A file extension needs to be registered with nmap to exploit the vulnerability and a crafted file needs to be opened from a network share. Currently nmap is not registered with any filename so users are not at risk by default. 4. Versions Affected nmap 5.21 and lower. 5. POC/Exploit Done with Webdav hijack module of Metasploit. 6. Impact Remote Code Execution in context of nmap process. 7. References http://seclists.org/nmap-dev/2010/q3/632 8. Solution Fixed in latest development release.
