Re: ncat socks5 client is broken
From: Sami Pönkänen <sami.ponkanen () gmail com>
Date: Thu, 18 Feb 2021 10:08:32 +0200
Hi again,
I noticed that the socks4 client also leaves unprocessed data in socket_buffer.
Below is a fixed diff against nmap-7.50 that includes the socks4 fix as well.
Br,
Sami Pönkänen
--- ncat/ncat_connect.c.orig 2021-02-17 16:33:09.670093377 +0200
+++ ncat/ncat_connect.c 2021-02-18 10:04:58.704362194 +0200
@@ -543,6 +543,8 @@
struct socks4_data socks4msg;
char socksbuf[8];
int sd,len = 9;
+ char *remainder;
+ size_t remainder_len;
sd = do_connect(SOCK_STREAM);
if (sd == -1) {
@@ -621,6 +623,9 @@
return -1;
}
+ remainder = socket_buffer_remainder(&stateful_buf, &remainder_len);
+ Write(STDOUT_FILENO, remainder, remainder_len);
+
return sd;
}
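Review bot: The leftover bytes are written straight to file descriptor 1 with `Write(STDOUT_FILENO, remainder, remainder_len);`, so any payload the proxy sends immediately after its reply bypasses whatever ncat otherwise does with received data (presumably output logging and hex dump); this mirrors the HTTP proxy path the author says the code was copied from, but a comment should say so, e.g. `/* Data the proxy sent after its reply is already buffered; hand it to stdout as do_proxy_http() does. */`. The same write is repeated in the SOCKS5 hunk just before `return(sd);`. The enclosing do_proxy_socks4 function begins before this hunk.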
@@ -636,13 +641,15 @@
uint32_t inetaddr;
char inet6addr[16];
unsigned short proxyport = htons(o.portno);
- char socksbuf[8];
+ char socksbuf[18];
int sd,len,lenfqdn;
struct socks5_request socks5msg2;
struct socks5_auth socks5auth;
char *proxy_auth;
char *username;
char *password;
+ char *remainder;
+ size_t remainder_len;
sd = do_connect(SOCK_STREAM);
if (sd == -1) {
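Review bot: The new size in `char socksbuf[18];` is a magic number whose justification only appears in a later hunk (the IPv6 BND.ADDR skip), so the declaration should carry it: `char socksbuf[18]; /* largest reply tail read at once: 16-byte IPv6 BND.ADDR + 2-byte BND.PORT */`. The enclosing do_proxy_socks5 function continues past this hunk.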
@@ -825,8 +832,8 @@
return -1;
}
- /* TODO just two bytes for now, need to read more for bind */
- if (socket_buffer_readcount(&stateful_buf, socksbuf, 2) < 0) {
+ /* Read SOCKS5 server status header (4 bytes) */
+ if (socket_buffer_readcount(&stateful_buf, socksbuf, 4) < 0) {
loguser("Error: malformed second response from proxy.\n");
close(sd);
return -1;
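Review bot: The replacement comment `/* Read SOCKS5 server status header (4 bytes) */` does not say what the four bytes are, and the fourth one (`socksbuf[3]`) is consumed by a switch in a later hunk, which a reader of this hunk cannot see; naming the layout makes the dependency explicit: `/* Fixed 4-byte reply header: VER, REP, RSV, ATYP; ATYP selects how much BND.ADDR to skip below */`. The status check that presumably inspects `socksbuf[1]` lies between this hunk and the next, outside the shown lines.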
@@ -875,6 +882,33 @@
return -1;
}
+ /* Skip bndaddr and bndport */
+ switch(socksbuf[3]) {
+ case SOCKS5_ATYP_IPv4:
+ if (socket_buffer_readcount(&stateful_buf, socksbuf, 6) < 0) {
+ loguser("Error: malformed second response from proxy.\n");
+ close(sd);
+ return -1;
+ }
+ break;
+
+ case SOCKS5_ATYP_IPv6:
+ if (socket_buffer_readcount(&stateful_buf, socksbuf, 18) < 0) {
+ loguser("Error: malformed second response from proxy.\n");
+ close(sd);
+ return -1;
+ }
+ break;
+
+ default:
+ loguser("Error: invalid bndaddress type in second reply.\n");
+ close(sd);
+ return -1;
+ }
+
+ remainder = socket_buffer_remainder(&stateful_buf, &remainder_len);
+ Write(STDOUT_FILENO, remainder, remainder_len);
+
return(sd);
}
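Review bot: The switch on `socksbuf[3]` rejects a reply whose BND.ADDR is a domain name (ATYP 0x03), which RFC 1928 permits in replies and for which ncat already has the SOCKS5_ATYP_NAME constant; such a proxy would fail with "invalid bndaddress type" even though the connection succeeded. A name is encoded as a 1-byte length, the name bytes, then the 2-byte BND.PORT, and since the name can exceed the 18-byte socksbuf the skip has to be done in bounded chunks rather than one readcount call. The quoted earlier version of this patch further down the page has the same gap. The enclosing do_proxy_socks5 function begins before this hunk.
```c
    case SOCKS5_ATYP_NAME: {
        /* 1-byte name length, the name itself, then 2-byte BND.PORT */
        int skip;
        if (socket_buffer_readcount(&stateful_buf, socksbuf, 1) < 0) {
            loguser("Error: malformed second response from proxy.\n");
            close(sd);
            return -1;
        }
        skip = (unsigned char) socksbuf[0] + 2;
        /* The name may be longer than socksbuf; discard it in bounded chunks. */
        while (skip > 0) {
            int chunk = skip < (int) sizeof(socksbuf) ? skip : (int) sizeof(socksbuf);
            if (socket_buffer_readcount(&stateful_buf, socksbuf, chunk) < 0) {
                loguser("Error: malformed second response from proxy.\n");
                close(sd);
                return -1;
            }
            skip -= chunk;
        }
        break;
    }
    /* … unchanged: SOCKS5_ATYP_IPv4 and SOCKS5_ATYP_IPv6 cases, default … */
```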
On Wed, Feb 17, 2021 at 4:56 PM Sami Pönkänen <sami.ponkanen () gmail com>
wrote:
Hi all,
I have been using ncat to test a proxy server's socks5 implementation. While
doing that I noticed what I think is a bug on the ncat socks5 client side: it
does not correctly parse the socks5 server status response and may
discard some data the server sent.
More specifically, it only reads 2 bytes of the socks5 server status response,
when it should read the 4-byte fixed header, bndaddress (4 or 16 bytes) and
bndport (2 bytes). Also, some unprocessed server data may be left in the
socket_buffer (I copied that part of the code from do_proxy_http()).
Below is a diff I made to fix both issues in nmap-7.50.
Br,
Sami Pönkänen
--- ncat/ncat_connect.c.orig 2021-02-17 16:33:09.670093377 +0200
+++ ncat/ncat_connect.c 2021-02-17 16:35:06.604951645 +0200
@@ -636,13 +636,15 @@
uint32_t inetaddr;
char inet6addr[16];
unsigned short proxyport = htons(o.portno);
- char socksbuf[8];
+ char socksbuf[18];
int sd,len,lenfqdn;
struct socks5_request socks5msg2;
struct socks5_auth socks5auth;
char *proxy_auth;
char *username;
char *password;
+ char *remainder;
+ size_t remainder_len;
sd = do_connect(SOCK_STREAM);
if (sd == -1) {
@@ -825,8 +827,8 @@
return -1;
}
- /* TODO just two bytes for now, need to read more for bind */
- if (socket_buffer_readcount(&stateful_buf, socksbuf, 2) < 0) {
+ /* Read SOCKS5 server status header (4 bytes) */
+ if (socket_buffer_readcount(&stateful_buf, socksbuf, 4) < 0) {
loguser("Error: malformed second response from proxy.\n");
close(sd);
return -1;
@@ -875,6 +877,33 @@
return -1;
}
+ /* Skip bndaddr and bndport */
+ switch(socksbuf[3]) {
+ case SOCKS5_ATYP_IPv4:
+ if (socket_buffer_readcount(&stateful_buf, socksbuf, 6) < 0) {
+ loguser("Error: malformed second response from proxy.\n");
+ close(sd);
+ return -1;
+ }
+ break;
+
+ case SOCKS5_ATYP_IPv6:
+ if (socket_buffer_readcount(&stateful_buf, socksbuf, 18) < 0)
{
+ loguser("Error: malformed second response from proxy.\n");
+ close(sd);
+ return -1;
+ }
+ break;
+
+ default:
+ loguser("Error: invalid bndaddress type in second reply.\n");
+ close(sd);
+ return -1;
+ }
+
+ remainder = socket_buffer_remainder(&stateful_buf, &remainder_len);
+ Write(STDOUT_FILENO, remainder, remainder_len);
+
return(sd);
}
