Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ncat - buffer overflow when -u and --ssl options are specified #1543

Closed
jabedude opened this Issue Apr 7, 2019 · 4 comments

Comments

Projects
None yet
2 participants
@jabedude
Copy link

jabedude commented Apr 7, 2019

$ ncat -v
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: You must specify a host to connect to. QUITTING.
$ ncat -u --ssl 127.0.0.1 8080
libnsock nsock_make_socket(): Socket trouble: Protocol not supported
*** buffer overflow detected ***: ncat terminated
Aborted (core dumped)
@dmiller-nmap

This comment has been minimized.

Copy link

dmiller-nmap commented Apr 8, 2019

Thanks for this report. I can't tell from the information here whether your version of OpenSSL supports DLTS (SSL over UDP) or what exactly the problem might be. Can you provide a bit more information? Specifically:

  • The version of OpenSSL that Ncat is using. If you have Nmap from the same build, output of nmap --version is helpful.
  • Output of the crashing command with -vvvv added for extra debugging.
  • If possible, output of strace -e socket ncat -u --ssl -vvvv 127.0.0.1 8080

Thanks again!

@jabedude

This comment has been minimized.

Copy link
Author

jabedude commented Apr 8, 2019

Certainly:

 $ nmap --version

Nmap version 7.60 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.0g nmap-libssh2-1.8.0 libz-1.2.8 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Verbose output:

$ ncat -u --ssl 127.0.0.1 8080 -vvvv
Ncat: Version 7.60 ( https://nmap.org/ncat )
libnsock nsock_set_loglevel(): Set log level to DEBUG
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-certificates.crt.
NCAT DEBUG: Not doing certificate verification.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock event_new(): event_new (IOD #1) (EID #9)
libnsock nsock_connect_ssl(): DTLS connection requested to 127.0.0.1:8080/udp (IOD #1) EID 9
libnsock nsock_pool_add_event(): NSE #9: Adding event (timeout in 10000ms)
libnsock nsock_loop(): nsock_loop() started (no timeout). 1 events pending
libnsock handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2
libnsock nsock_make_socket(): Socket trouble: Protocol not supported
*** buffer overflow detected ***: ncat terminated
Aborted (core dumped)

strace output:

strace -e socket ncat -u --ssl -vvvv 127.0.0.1 8080
Ncat: Version 7.60 ( https://nmap.org/ncat )
libnsock nsock_set_loglevel(): Set log level to DEBUG
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-certificates.crt.
NCAT DEBUG: Not doing certificate verification.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock event_new(): event_new (IOD #1) (EID #9)
libnsock nsock_connect_ssl(): DTLS connection requested to 127.0.0.1:8080/udp (IOD #1) EID 9
socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
libnsock nsock_pool_add_event(): NSE #9: Adding event (timeout in 10000ms)
libnsock nsock_loop(): nsock_loop() started (no timeout). 1 events pending
libnsock handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2
socket(AF_INET, SOCK_STREAM, IPPROTO_UDP) = -1 EPROTONOSUPPORT (Protocol not supported)
libnsock nsock_make_socket(): Socket trouble: Protocol not supported
*** buffer overflow detected ***: ncat terminated
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=31951, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++
Aborted (core dumped)
@dmiller-nmap

This comment has been minimized.

Copy link

dmiller-nmap commented Apr 8, 2019

Great, thanks! The problem is that some of the code paths related to handling SSL connections are assuming that the connection is TCP, so there is a mismatch between the socket type (SOCK_STREAM) and the protocol (IPPROTO_UDP). We'll work on resolving this. Can you tell us whether there is a DTLS server on port 8080 UDP? In other words, where would you expect the error to be coming from: a closed port, a DTLS protocol error, or something else?

@nmap-bot nmap-bot closed this in 7b523f0 Apr 8, 2019

@jabedude

This comment has been minimized.

Copy link
Author

jabedude commented Apr 8, 2019

Awesome! There was no service listening on 8080

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.