ncat - buffer overflow when -u and --ssl options are specified

[jabedude]

$ ncat -v
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: You must specify a host to connect to. QUITTING.
$ ncat -u --ssl 127.0.0.1 8080
libnsock nsock_make_socket(): Socket trouble: Protocol not supported
*** buffer overflow detected ***: ncat terminated
Aborted (core dumped)

[dmiller-nmap]

Thanks for this report. I can't tell from the information here whether your version of OpenSSL supports DLTS (SSL over UDP) or what exactly the problem might be. Can you provide a bit more information? Specifically:

• The version of OpenSSL that Ncat is using. If you have Nmap from the same build, output of nmap --version is helpful.
• Output of the crashing command with -vvvv added for extra debugging.
• If possible, output of strace -e socket ncat -u --ssl -vvvv 127.0.0.1 8080

Thanks again!

[jabedude]

Certainly:

 $ nmap --version

Nmap version 7.60 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.0g nmap-libssh2-1.8.0 libz-1.2.8 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Verbose output:

$ ncat -u --ssl 127.0.0.1 8080 -vvvv
Ncat: Version 7.60 ( https://nmap.org/ncat )
libnsock nsock_set_loglevel(): Set log level to DEBUG
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-certificates.crt.
NCAT DEBUG: Not doing certificate verification.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock event_new(): event_new (IOD #1) (EID #9)
libnsock nsock_connect_ssl(): DTLS connection requested to 127.0.0.1:8080/udp (IOD #1) EID 9
libnsock nsock_pool_add_event(): NSE #9: Adding event (timeout in 10000ms)
libnsock nsock_loop(): nsock_loop() started (no timeout). 1 events pending
libnsock handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2
libnsock nsock_make_socket(): Socket trouble: Protocol not supported
*** buffer overflow detected ***: ncat terminated
Aborted (core dumped)

strace output:

strace -e socket ncat -u --ssl -vvvv 127.0.0.1 8080
Ncat: Version 7.60 ( https://nmap.org/ncat )
libnsock nsock_set_loglevel(): Set log level to DEBUG
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-certificates.crt.
NCAT DEBUG: Not doing certificate verification.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock event_new(): event_new (IOD #1) (EID #9)
libnsock nsock_connect_ssl(): DTLS connection requested to 127.0.0.1:8080/udp (IOD #1) EID 9
socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
libnsock nsock_pool_add_event(): NSE #9: Adding event (timeout in 10000ms)
libnsock nsock_loop(): nsock_loop() started (no timeout). 1 events pending
libnsock handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2
socket(AF_INET, SOCK_STREAM, IPPROTO_UDP) = -1 EPROTONOSUPPORT (Protocol not supported)
libnsock nsock_make_socket(): Socket trouble: Protocol not supported
*** buffer overflow detected ***: ncat terminated
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=31951, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++
Aborted (core dumped)

[dmiller-nmap]

Great, thanks! The problem is that some of the code paths related to handling SSL connections are assuming that the connection is TCP, so there is a mismatch between the socket type (SOCK_STREAM) and the protocol (IPPROTO_UDP). We'll work on resolving this. Can you tell us whether there is a DTLS server on port 8080 UDP? In other words, where would you expect the error to be coming from: a closed port, a DTLS protocol error, or something else?

[jabedude]

Awesome! There was no service listening on 8080