user/6207: netcat doesn't read socks v5 response correctly


John Wright-6
>Number:         6207
>Category:       user
>Synopsis:       netcat doesn't read socks v5 response correctly
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Aug 07 16:10:01 GMT 2009
>Closed-Date:
>Last-Modified:
>Originator:    
>Release:        
>Organization:
>Environment:
        System      : OpenBSD 4.5
        Details     : OpenBSD 4.5 (GENERIC.MP) #0: Thu Apr 30 13:09:44 BST 2009
                         [hidden email]:/data/4.5/src/sys/arch/i386/compile/GENERIC.MP

        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
When netcat receives the response from the SOCKS server it is currently
always reading only 10 bytes.  If the SOCKS server connected to an IPv6
address it will return 22 bytes instead.  This means that some of the
response will be passed through as something that was said over the proxied
connection.
>How-To-Repeat:
Unfortunately, I haven't been able to find a SOCKS server implementation
which doesn't need patches to get IPv6 connections working.

I've copied ports/nylon and applied patches to it here:

    http://github.com/dryfish/socks-ipv6/

If you choose this route then:

    git clone git://github.com/dryfish/socks-ipv6.git
    cd socks-ipv6/nylon
    ./configure --prefix=/usr/local
    make
    ./src/nylon
    nc -x localhost ipv6.google.com 80 | xxd
HEAD / HTTP/1.0

0000000: 0000 0000 0000 0000 0000 1848 4854 5450  ...........HHTTP
0000010: 2f31 2e30 2032 3030 204f 4b0d 0a44 6174  /1.0 200 OK..Dat
0000020: 653a 2046 7269 2c20 3037 2041 7567 2032  e: Fri, 07 Aug 2
0000030: 3030 3920 3135 3a30 373a 3436 2047 4d54  009 15:07:46 GMT
0000040: 0d0a 4578 7069 7265 733a 202d 310d 0a43  ..Expires: -1..C
0000050: 6163 6865 2d43 6f6e 7472 6f6c 3a20 7072  ache-Control: pr
0000060: 6976 6174 652c 206d 6178 2d61 6765 3d30  ivate, max-age=0
0000070: 0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:
0000080: 7465 7874 2f68 746d 6c3b 2063 6861 7273  text/html; chars
0000090: 6574 3d49 534f 2d38 3835 392d 310d 0a53  et=ISO-8859-1..S
00000a0: 6574 2d43 6f6f 6b69 653a 2050 5245 463d  et-Cookie: PREF=
00000b0: 4944 3d65 6662 6436 6335 3534 3235 3439  ID=efbd6c5542549
00000c0: 6263 663a 544d 3d31 3234 3936 3537 3636  bcf:TM=124965766
00000d0: 363a 4c4d 3d31 3234 3936 3537 3636 363a  6:LM=1249657666:
00000e0: 533d 6350 4939 7a42 3646 4278 566f 6634  S=cPI9zB6FBxVof4
00000f0: 4955 3b20 6578 7069 7265 733d 5375 6e2c  IU; expires=Sun,
0000100: 2030 372d 4175 672d 3230 3131 2031 353a   07-Aug-2011 15:
0000110: 3037 3a34 3620 474d 543b 2070 6174 683d  07:46 GMT; path=
0000120: 2f3b 2064 6f6d 6169 6e3d 2e67 6f6f 676c  /; domain=.googl
0000130: 652e 636f 6d0d 0a53 6572 7665 723a 2067  e.com..Server: g
0000140: 7773 0d0a 0d0a                           ws....

After applying the following patch to netcat:

    ./obj/nc -x localhost ipv6.google.com 80 | xxd
HEAD / HTTP/1.0

0000000: 4854 5450 2f31 2e30 2032 3030 204f 4b0d  HTTP/1.0 200 OK.
0000010: 0a44 6174 653a 2046 7269 2c20 3037 2041  .Date: Fri, 07 A
0000020: 7567 2032 3030 3920 3135 3a30 393a 3230  ug 2009 15:09:20
0000030: 2047 4d54 0d0a 4578 7069 7265 733a 202d   GMT..Expires: -
0000040: 310d 0a43 6163 6865 2d43 6f6e 7472 6f6c  1..Cache-Control
0000050: 3a20 7072 6976 6174 652c 206d 6178 2d61  : private, max-a
0000060: 6765 3d30 0d0a 436f 6e74 656e 742d 5479  ge=0..Content-Ty
0000070: 7065 3a20 7465 7874 2f68 746d 6c3b 2063  pe: text/html; c
0000080: 6861 7273 6574 3d49 534f 2d38 3835 392d  harset=ISO-8859-
0000090: 310d 0a53 6574 2d43 6f6f 6b69 653a 2050  1..Set-Cookie: P
00000a0: 5245 463d 4944 3d38 3034 3039 3039 3130  REF=ID=804090910
00000b0: 6562 3730 3439 343a 544d 3d31 3234 3936  eb70494:TM=12496
00000c0: 3537 3736 303a 4c4d 3d31 3234 3936 3537  57760:LM=1249657
00000d0: 3736 303a 533d 7774 346f 5239 3957 4845  760:S=wt4oR99WHE
00000e0: 522d 542d 6554 3b20 6578 7069 7265 733d  R-T-eT; expires=
00000f0: 5375 6e2c 2030 372d 4175 672d 3230 3131  Sun, 07-Aug-2011
0000100: 2031 353a 3039 3a32 3020 474d 543b 2070   15:09:20 GMT; p
0000110: 6174 683d 2f3b 2064 6f6d 6169 6e3d 2e67  ath=/; domain=.g
0000120: 6f6f 676c 652e 636f 6d0d 0a53 6572 7665  oogle.com..Serve
0000130: 723a 2067 7773 0d0a 0d0a                 r: gws....
>Fix:
I have a patch: (also available at the github repository)

diff --git a/nc/socks.c b/nc/socks.c
index da7bd0c..88cd143 100644
--- a/nc/socks.c
+++ b/nc/socks.c
@@ -222,11 +222,24 @@ socks_connect(const char *host, const char *port,
  if (cnt != wlen)
  err(1, "write failed (%d/%d)", cnt, wlen);
 
- cnt = atomicio(read, proxyfd, buf, 10);
- if (cnt != 10)
- err(1, "read failed (%d/10)", cnt);
+ cnt = atomicio(read, proxyfd, buf, 4);
+ if (cnt != 4)
+ err(1, "read failed (%d/4)", cnt);
  if (buf[1] != 0)
  errx(1, "connection failed, SOCKS error %d", buf[1]);
+ switch (buf[3])
+ {
+ case SOCKS_IPV4:
+ cnt = atomicio(read, proxyfd, buf + 4, 6);
+ if (cnt != 6)
+ err(1, "read failed (%d/6)", cnt);
+ break;
+ case SOCKS_IPV6:
+ cnt = atomicio(read, proxyfd, buf + 4, 18);
+ if (cnt != 18)
+ err(1, "read failed (%d/18)", cnt);
+ break;
+ }
  } else if (socksv == 4) {
  /* This will exit on lookup failure */
  decode_addrport(host, port, (struct sockaddr *)&addr,
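Review bot: the `switch (buf[3])` in this hunk has no `default:` case, so a reply whose ATYP is neither SOCKS_IPV4 nor SOCKS_IPV6 (a domain-name reply, ATYP 3, or a malformed value) falls out of the switch with its BND.ADDR and BND.PORT bytes still unread, which is exactly the pass-through of handshake bytes into the proxied data stream that the patch sets out to fix. Add a `default:` that fails closed, e.g. `errx(1, "connection failed, unsupported address type %d", buf[3]);`, or handle the domain case by reading the one-byte length and then length + 2 bytes. Two smaller points: the version byte `buf[0]` is still never checked against 5, and the 18-byte read into `buf + 4` requires `buf` to hold at least 22 bytes, which is declared outside this hunk and worth confirming. Style: KNF puts the brace on the `switch` line (`switch (buf[3]) {`).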



OpenBSD 4.5 (GENERIC.MP) #0: Thu Apr 30 13:09:44 BST 2009
    [hidden email]:/data/4.5/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 1064808448 (1015MB)
avail mem = 1021300736 (973MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/25/05, BIOS32 rev. 0 @ 0xeb520, SMBIOS rev. 2.3 @ 0xeeae0 (59 entries)
bios0: vendor Hewlett-Packard version "786C2 v01.07" date 08/25/2005
bios0: Hewlett-Packard HP Compaq dc5100 MT(AG152AW)
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT APIC ASF! MCFG
acpi0: wakeup devices PCI0(S4) PEG1(S4) PCX1(S4) PCX2(S4) PCX4(S4) HUB_(S4) COM1(S4) COM2(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) EUSB(S3) PBTN(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.20 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG1)
acpiprt2 at acpi0: bus 32 (PCX1)
acpiprt3 at acpi0: bus 64 (PCX2)
acpiprt4 at acpi0: bus -1 (PCX4)
acpiprt5 at acpi0: bus 5 (HUB_)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PBTN
bios0: ROM list: 0xc0000/0xa800! 0xca800/0x1000 0xcb800/0x2000 0xe9c00/0x6400!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915G Host" rev 0x04
vga1 at pci0 dev 2 function 0 "Intel 82915G Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
inteldrm0 at vga1: apic 1 int 16 (irq 10)
drm0 at inteldrm0
ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03
pci1 at ppb0 bus 32
ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x03: apic 1 int 17 (irq 5)
pci2 at ppb1 bus 64
bge0 at pci2 dev 0 function 0 "Broadcom BCM5751" rev 0x01, BCM5750 A1 (0x4001): apic 1 int 17 (irq 5), address 00:0f:fe:2c:a1:d7
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: apic 1 int 20 (irq 11)
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: apic 1 int 18 (irq 5)
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: apic 1 int 21 (irq 10)
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: apic 1 int 22 (irq 11)
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: apic 1 int 20 (irq 11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd3
pci3 at ppb2 bus 5
auich0 at pci0 dev 30 function 2 "Intel 82801FB AC97" rev 0x03: apic 1 int 21 (irq 10), ICH6 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FB LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, DVD-ROM GDR8164B, 0B07> ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 3
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801FB SATA" rev 0x03: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 1 int 19 (irq 5) for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <ST3160828AS>
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
mtrr: Pentium Pro MTRR support
uhub5 at uhub0 port 5 "Hewlett Packard product 0x1324" rev 2.00/0.0b addr 2
uhub6 at uhub5 port 1 "Mitsumi Electric Hub in Apple Extended USB Keyboard" rev 1.10/4.20 addr 3
uhidev0 at uhub6 port 3 configuration 1 interface 0 "Mitsumi Electric Apple Extended USB Keyboard" rev 1.10/4.20 addr 4
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 13
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub6 port 3 configuration 1 interface 1 "Mitsumi Electric Apple Extended USB Keyboard" rev 1.10/4.20 addr 4
uhidev1: iclass 3/0, 3 report ids
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=3, output=0, feature=0
softraid0 at root
root on wd0a swap on wd0b dump on wd0b


>Release-Note:
>Audit-Trail:
>Unformatted:
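Added example (editor's addition, not part of the bug report and not the OpenBSD nc source): the report's defect is a fixed 10-byte read of a reply whose length depends on its ATYP byte (VER REP RSV ATYP BND.ADDR BND.PORT per RFC 1928: 10 bytes for IPv4, 22 for IPv6, 7 + name length for a domain name). The code below derives the length from ATYP before reading the address, fails closed on an unknown ATYP, and measures how many handshake bytes a fixed 10-byte read hands to the application. The function names (socks5_reply_len, socks5_parse_reply, handshake_leak) and the sample byte stream are constructed for the example; the SOCKS_* names mirror the patch above with the RFC's values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address-type values from RFC 1928; names follow the patch, values the RFC. */
#define SOCKS_V5     5
#define SOCKS_IPV4   1
#define SOCKS_DOMAIN 3
#define SOCKS_IPV6   4

/* A decoded SOCKS5 CONNECT reply: VER REP RSV ATYP BND.ADDR BND.PORT. */
struct socks5_reply {
	uint8_t  rep;        /* 0 = succeeded */
	uint8_t  atyp;
	uint8_t  addr[255];  /* BND.ADDR bytes (domain name without its length byte) */
	size_t   addrlen;
	uint16_t port;       /* BND.PORT in host byte order */
};

/*
 * Total length of the reply starting at buf, derived from ATYP (and, for a
 * domain name, the length byte after it): 10 for IPv4, 22 for IPv6,
 * 7 + len for a domain. Returns 0 for an unknown ATYP or when fewer bytes
 * than needed to decide have arrived; the caller must never guess.
 */
size_t
socks5_reply_len(const uint8_t *buf, size_t n)
{
	if (n < 4)
		return 0;
	switch (buf[3]) {
	case SOCKS_IPV4:
		return 4 + 4 + 2;
	case SOCKS_IPV6:
		return 4 + 16 + 2;
	case SOCKS_DOMAIN:
		return n < 5 ? 0 : 4 + 1 + buf[4] + 2;
	default:
		return 0;	/* fail closed on an address type we do not know */
	}
}

/*
 * Decode one complete reply from buf[0..n). Returns the number of bytes the
 * reply occupies, or 0 if it is malformed or incomplete. Everything after
 * the returned offset belongs to the proxied connection, not the handshake.
 */
size_t
socks5_parse_reply(const uint8_t *buf, size_t n, struct socks5_reply *out)
{
	size_t len = socks5_reply_len(buf, n);
	size_t off = 4;

	if (len == 0 || len > n)
		return 0;
	if (buf[0] != SOCKS_V5 || buf[2] != 0)
		return 0;
	out->rep = buf[1];
	out->atyp = buf[3];
	if (buf[3] == SOCKS_DOMAIN) {
		out->addrlen = buf[4];
		off = 5;
	} else
		out->addrlen = buf[3] == SOCKS_IPV4 ? 4 : 16;
	memcpy(out->addr, buf + off, out->addrlen);
	off += out->addrlen;
	out->port = (uint16_t)(buf[off] << 8 | buf[off + 1]);
	return off + 2;
}

/*
 * Handshake bytes that a client consuming exactly readn bytes (the old nc
 * behaviour with readn = 10) would pass on as proxied data; 0 if readn is
 * long enough for this reply.
 */
size_t
handshake_leak(const uint8_t *stream, size_t n, size_t readn)
{
	size_t len = socks5_reply_len(stream, n);

	return len > readn ? len - readn : 0;
}

/*
 * Constructed sample stream (not captured from a real proxy): an IPv6 reply
 * with BND.ADDR=:: and BND.PORT=0x1848, immediately followed by the start
 * of the proxied HTTP response, the shape of the first xxd dump above.
 */
static const uint8_t sample_stream[] = {
	0x05, 0x00, 0x00, 0x04,
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	0x18, 0x48,
	'H', 'T', 'T', 'P', '/', '1', '.', '0', ' ', '2', '0', '0', ' ', 'O', 'K', '\r', '\n'
};

int
main(void)
{
	struct socks5_reply r;
	size_t used = socks5_parse_reply(sample_stream, sizeof sample_stream, &r);

	if (used == 0) {
		fprintf(stderr, "malformed or incomplete SOCKS5 reply\n");
		return 1;
	}
	printf("reply: %zu bytes, rep=%u atyp=%u port=%u\n", used, r.rep, r.atyp, r.port);
	printf("a fixed 10-byte read would leak %zu handshake bytes as data\n",
	    handshake_leak(sample_stream, sizeof sample_stream, 10));
	printf("proxied data begins: %.15s\n", (const char *)sample_stream + used);
	return 0;
}
```

For the sample stream the parser consumes 22 bytes and reports a 12-byte leak for a fixed 10-byte read, which is the run of zero bytes plus `0x18 0x48` that shows up ahead of `HTTP/1.0` in the first xxd dump. The domain-name case needs a second short read (the length byte) before the length is known, which is why a reader built on two fixed reads is not enough either.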