While writing a socks5 client, testing the results & comparing it to other implementations
I did this
socat -x tcp-listen:2903,reuseaddr system:"echo -n '$CODE' | xxd -r -p"
with three different $CODEs being:
05 00 05 04 00 01 ac 10 fe 01 1f 90
05 00 05 04 00 03 09 68 6f 73 74 6c 6f 63 61 6c 1f 90
05 00 05 04 00 04 20 01 0d b8 ac 10 fe 00 00 00 00 00 00 00 00 00 1f 90
(aka: pretending to be a socks5 server with no auth and failing the request with IPv4, hostname & IPv6)
and each time: curl --proxy socks5h://localhost:2903 http://example.org
I expected the following
For the first (ipv4) code the result is correct:
curl: (7) Can't complete SOCKS5 connection to 172.16.254.1:8080. (4)
The hostname one should have been hostlocal:8080, but is:
curl: (7) Can't complete SOCKS5 connection to localhost:29804. (4)
The IPv6 should be [2001:0DB8:AC10:FE00:0000:0000:0000:0000]:8080, but is:
curl: (7) Can't complete SOCKS5 connection to 2001:0db8:ac10:686f:7374:1f90:0000:8000:44048. (4)
Looking at the source I think this len = 10; is the start of the issue at least for the IPv6 as that is "just" the right value for IPv4. The wrong port is the result of a copy&paste from IPv4 I presume and the wrong hostname is caused by displaying the hostname the request was made for completely discarding what the server reports as hostname it has connected to (which is likely the same – at least if your starting point was a hostname and not an ip –, but still). In case you wonder: Depending on the length of the request the code is using uninitialized memory for IPv6 (aka the later octets of the address), but I fail to imagine a way to exploit that…
The non-error case does deal with all three types correctly btw – that isn't very hard through as it is just discarding the data. I would have kinda expected a debug message here but nope.
So in summary: Worst bugs ever… if I would know how to set a minor severity on github issues I would do it.
[dropping the rest of the bug template as presumably not relevant]
While writing a socks5 client, testing the results & comparing it to other implementations
I did this
socat -x tcp-listen:2903,reuseaddr system:"echo -n '$CODE' | xxd -r -p"with three different $CODEs being:
(aka: pretending to be a socks5 server with no auth and failing the request with IPv4, hostname & IPv6)
and each time:
curl --proxy socks5h://localhost:2903 http://example.orgI expected the following
For the first (ipv4) code the result is correct:
curl: (7) Can't complete SOCKS5 connection to 172.16.254.1:8080. (4)
The hostname one should have been hostlocal:8080, but is:
curl: (7) Can't complete SOCKS5 connection to localhost:29804. (4)
The IPv6 should be [2001:0DB8:AC10:FE00:0000:0000:0000:0000]:8080, but is:
curl: (7) Can't complete SOCKS5 connection to 2001:0db8:ac10:686f:7374:1f90:0000:8000:44048. (4)
Looking at the source I think this
len = 10;is the start of the issue at least for the IPv6 as that is "just" the right value for IPv4. The wrong port is the result of a copy&paste from IPv4 I presume and the wrong hostname is caused by displaying the hostname the request was made for completely discarding what the server reports as hostname it has connected to (which is likely the same – at least if your starting point was a hostname and not an ip –, but still). In case you wonder: Depending on the length of the request the code is using uninitialized memory for IPv6 (aka the later octets of the address), but I fail to imagine a way to exploit that…The non-error case does deal with all three types correctly btw – that isn't very hard through as it is just discarding the data. I would have kinda expected a debug message here but nope.
So in summary: Worst bugs ever… if I would know how to set a minor severity on github issues I would do it.
[dropping the rest of the bug template as presumably not relevant]