Nmap Development mailing list archives

ncat socks5 client is broken


From: Sami Pönkänen <sami.ponkanen () gmail com>
Date: Wed, 17 Feb 2021 16:56:51 +0200

Hi all,

I have been using ncat to test a proxy server socks5 implementation. While
doing that I noticed what I think is a bug in ncat socks5 client side: It
does not correctly parse the socks5 server status response and it may
discard some data the server sent.

More specifically it only reads 2 bytes of socks5 server status response,
when it should read the 4 byte fixed header, bndaddress (4 or 16 bytes) and
bndport (2 bytes). Also some unprocessed server data may be left in the
socket_buffer (I copied that part of code from do_proxy_http()).

Below is a diff I made to fix both issues in nmap-7.50.

Br,
Sami Pönkänen



--- ncat/ncat_connect.c.orig    2021-02-17 16:33:09.670093377 +0200
+++ ncat/ncat_connect.c 2021-02-17 16:35:06.604951645 +0200
@@ -636,13 +636,15 @@
     uint32_t inetaddr;
     char inet6addr[16];
     unsigned short proxyport = htons(o.portno);
-    char socksbuf[8];
+    char socksbuf[18];
     int sd,len,lenfqdn;
     struct socks5_request socks5msg2;
     struct socks5_auth socks5auth;
     char *proxy_auth;
     char *username;
     char *password;
+    char *remainder;
+    size_t remainder_len;

     sd = do_connect(SOCK_STREAM);
     if (sd == -1) {
@@ -825,8 +827,8 @@
         return -1;
     }

-    /* TODO just two bytes for now, need to read more for bind */
-    if (socket_buffer_readcount(&stateful_buf, socksbuf, 2) < 0) {
+    /* Read SOCKS5 server status header (4 bytes) */
+    if (socket_buffer_readcount(&stateful_buf, socksbuf, 4) < 0) {
         loguser("Error: malformed second response from proxy.\n");
         close(sd);
         return -1;
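Review bot: the 4-byte read now covers VER, REP, RSV and ATYP, but the hunk only shows the read, not the checks on those fields. If the unchanged code between this hunk and the next one does not already do it, verify `socksbuf[0] == 5` and `socksbuf[2] == 0` alongside the REP check, and treat anything else as the same "malformed second response" error; otherwise a non-SOCKS5 peer will be parsed as if it were one.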
@@ -875,6 +877,33 @@
             return -1;
     }

+    /* Skip bndaddr and bndport */
+    switch(socksbuf[3]) {
+        case SOCKS5_ATYP_IPv4:
+            if (socket_buffer_readcount(&stateful_buf, socksbuf, 6) < 0) {
+                loguser("Error: malformed second response from proxy.\n");
+                close(sd);
+                return -1;
+            }
+            break;
+
+        case SOCKS5_ATYP_IPv6:
+            if (socket_buffer_readcount(&stateful_buf, socksbuf, 18) < 0) {
+                loguser("Error: malformed second response from proxy.\n");
+                close(sd);
+                return -1;
+            }
+            break;
+
+        default:
+            loguser("Error: invalid bndaddress type in second reply.\n");
+            close(sd);
+            return -1;
+    }
+
+    remainder = socket_buffer_remainder(&stateful_buf, &remainder_len);
+    Write(STDOUT_FILENO, remainder, remainder_len);
+
     return(sd);
 }
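Review bot: the `switch` on `socksbuf[3]` rejects ATYP 0x03 (domain name), which RFC 1928 allows in the reply (one length octet followed by the name); a proxy that returns a domain name as BND.ADDR will now fail with "invalid bndaddress type" instead of connecting. Consider a `SOCKS5_ATYP_DOMAINNAME` case that reads one byte, then `socksbuf[0] + 2` more bytes (name plus port). Two smaller points: guard the final `Write(STDOUT_FILENO, remainder, remainder_len);` with `if (remainder_len > 0)` so a zero-length write is skipped, and note that the three `loguser`/`close`/`return -1` sequences are identical and could share a single error label.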
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
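As an added example (editor's code, not part of the patch or of ncat), a function that computes how many bytes a SOCKS5 reply occupies, so a client can consume exactly the 4-byte header, BND.ADDR and BND.PORT and pass everything after it on to the application stream. It goes a step beyond the patch by also accepting the domain-name address type (ATYP 0x03) that RFC 1928 allows; the macro names and the sample bytes are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>
/* RFC 1928 reply: VER REP RSV ATYP BND.ADDR BND.PORT (macro names assumed) */
#define SOCKS5_VERSION     0x05
#define SOCKS5_ATYP_IPV4   0x01
#define SOCKS5_ATYP_DOMAIN 0x03
#define SOCKS5_ATYP_IPV6   0x04

/* Returns the byte length of the SOCKS5 reply at the start of buf, 0 if len
 * bytes are not yet enough to decide, or -1 if the reply is malformed (bad
 * version, non-zero RSV, unknown ATYP). The REP code is stored in *rep.
 * Bytes beyond the returned length belong to the tunnelled connection. */
int socks5_reply_len(const unsigned char *buf, size_t len, unsigned char *rep)
{
    size_t need = 4;                      /* fixed header */
    if (len < need)
        return 0;
    if (buf[0] != SOCKS5_VERSION || buf[2] != 0x00)
        return -1;
    switch (buf[3]) {
    case SOCKS5_ATYP_IPV4:   need += 4;  break;
    case SOCKS5_ATYP_IPV6:   need += 16; break;
    case SOCKS5_ATYP_DOMAIN:              /* 1 length octet + name */
        if (len < 5)
            return 0;
        need += 1 + buf[4];
        break;
    default:
        return -1;
    }
    need += 2;                            /* BND.PORT */
    if (len < need)
        return 0;
    if (rep != NULL)
        *rep = buf[1];
    return (int)need;
}

int main(void)
{
    /* Constructed: success reply, IPv4 BND.ADDR 10.0.0.1:8080, followed by
     * two application bytes that arrived in the same read and must be kept. */
    unsigned char buf[] = {5, 0, 0, 1, 10, 0, 0, 1, 0x1f, 0x90, 'h', 'i'};
    unsigned char rep;
    int n = socks5_reply_len(buf, sizeof buf, &rep);
    if (n > 0 && rep == 0)
        printf("reply is %d bytes; %zu bytes of data remain\n", n, sizeof buf - (size_t)n);
    return 0;
}
```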