
Sensitive information (proxy-auth) is disclosed in system process list #2060

Closed
gfrenoy opened this issue Jun 9, 2020 · 4 comments

@gfrenoy

@gfrenoy gfrenoy commented Jun 9, 2020

Describe the bug

When accessing a SOCKS5 proxy that requires password authentication, one has to provide the password on the command line, which is typically considered bad practice [1] since it exposes the password in the system process list.

To Reproduce

ncat --proxy 192.168.1.1:1080 --proxy-type socks5 --proxy-auth user:pass 10.1.2.3 8080

Run ps aux and observe that the password is displayed in clear text.

Expected behavior

Support the following syntax:

export NCAT_PROXY_AUTH="user:pass"
ncat --proxy 192.168.1.1:1080 --proxy-type socks5 10.1.2.3 8080

Additional context

[1] https://www.netmeister.org/blog/passing-passwords.html

Alternative solutions

@fyodor
Member

@fyodor fyodor commented Jun 17, 2020

I like your suggestion and I'm leaving this issue open for (hopefully) future implementation. But in some ways the underlying "vulnerability" is in the system giving sensitive information (the processes and command-line arguments run by other users or admins or system accounts) in the first place. Even ignoring particularly sensitive data like passwords, there are many reasons you might want to keep this information private. You can turn this disclosure off on Linux with the hidepid option and I wish more Linux distributions would do that by default. More details: https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/

@gfrenoy
Author

@gfrenoy gfrenoy commented Jun 18, 2020

Thanks for your comment and the link; it's indeed a good thing to have the proper hidepid option enabled.

That being said, even for my own processes, I'm not comfortable seeing the password when I type ps aux. It could happen that someone else looking at my screen accidentally sees it, or that I do not pay enough attention when I copy/paste something; I've also seen monitoring tools list the running processes and disclose sensitive information accidentally.

All in all, as many other pieces of software have done, it would be a great addition to ncat to do something about it and minimize the risks.

Thanks to anybody who would like to collaborate on this.

Manipulating argv is maybe easier; if one can point me in the right direction (i.e. let me know in which file it should be changed), I would be happy to give it a try (i.e. propose a PR).
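As an added illustration of the two approaches discussed in this thread (an environment-variable fallback and scrubbing the credential out of argv), here is example code written for this page; it is not Ncat's own code. The function name get_proxy_auth, the 'x' overwrite, and the "empty variable counts as unset" rule are assumptions made for the example.

```c
/* Example (not Ncat code): fetch proxy credentials with --proxy-auth taking
 * precedence over the NCAT_PROXY_AUTH environment variable, then overwrite
 * the argv copy in place so `ps` no longer shows it. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_MAX 256

/* Copies the credential into out (capacity outlen) and returns 1 on success,
 * 0 if no credential is available or it does not fit.
 * Order of precedence, as in the thread: "--proxy-auth VALUE" on the command
 * line first, then NCAT_PROXY_AUTH; an empty environment variable is treated
 * as unset (assumption for this example).
 * When the value came from argv it is overwritten with 'x' characters after
 * copying, which on Linux also changes what /proc/<pid>/cmdline reports.
 * Best-effort only: the original value is visible between exec and this call,
 * and the environment remains readable by the same user. */
int get_proxy_auth(int argc, char **argv, char *out, size_t outlen)
{
    const char *src = NULL;
    char *scrub = NULL;
    int i;

    /* Scan for the option; the loop bound guarantees argv[i + 1] exists. */
    for (i = 1; i < argc - 1; i++) {
        if (strcmp(argv[i], "--proxy-auth") == 0) {
            src = argv[i + 1];
            scrub = argv[i + 1];
            break;
        }
    }
    if (!src) {
        const char *env = getenv("NCAT_PROXY_AUTH");
        if (env && *env)   /* non-NULL and non-empty */
            src = env;
    }
    if (!src)
        return 0;
    if (strlen(src) >= outlen)
        return 0;          /* would not fit, leave out untouched */

    strcpy(out, src);      /* copy first, then scrub the source */
    if (scrub)
        memset(scrub, 'x', strlen(scrub));
    return 1;
}

int main(int argc, char **argv)
{
    char auth[AUTH_MAX];

    if (get_proxy_auth(argc, argv, auth, sizeof auth))
        printf("credentials obtained (%zu bytes); argv scrubbed\n", strlen(auth));
    else
        printf("no proxy credentials supplied\n");
    return 0;
}
```

Run it as `./a.out --proxy-auth user:pass 10.1.2.3 8080` and inspect the process list from another terminal while it runs; the scrubbed argument shows as a run of x characters of the same length. The length is still leaked, which is why the environment-variable route in the committed patch is the cleaner default and argv scrubbing only a complement to it.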

@nnposter

@nnposter nnposter commented Jun 21, 2020

Please give this patch a spin:

* Implements alternative method for passing proxy credentials by environment
  variable NCAT_PROXY_AUTH.
--- a/ncat/docs/ncat.xml
+++ b/ncat/docs/ncat.xml
@@ -481,6 +481,11 @@
           <option>--proxy-type socks5</option>, the form should be
           username:password.  For
           <option>--proxy-type socks4</option>, it should be a username only.</para>
+          <para>These credentials can be alternatively passed onto Ncat by
+          setting environment variable
+          <envar>NCAT_PROXY_AUTH</envar><indexterm><primary><envar>NCAT_PROXY_AUTH</envar> environment variable</primary></indexterm>,
+          which reduces the risk of the credentials being captured in process
+          logs.  (Option <option>--proxy-auth</option>takes precedence.)</para>
         </listitem>
       </varlistentry>
 
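Review bot: the last added line of this hunk is missing a space after `</option>`, so the rendered text reads "--proxy-authtakes precedence"; change `(Option <option>--proxy-auth</option>takes precedence.)` to `(Option <option>--proxy-auth</option> takes precedence.)`. Minor wording: "passed onto Ncat" should be "passed to Ncat". The "reduces the risk" phrasing is accurate and should stay, since the variable still lives in the process environment and is not hidden from the process owner.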
--- a/ncat/ncat_main.c
+++ b/ncat/ncat_main.c
@@ -823,6 +823,9 @@
         }
     }
 
+    if (!o.proxy_auth)
+        o.proxy_auth = getenv("NCAT_PROXY_AUTH");
+
     if (o.zerobyte) {
       if (o.listen)
         bye("Services designed for LISTENING can't be used with -z");
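Review bot: an exported but empty NCAT_PROXY_AUTH is accepted as credentials here, because getenv returns a non-NULL pointer to "" and the `if (!o.proxy_auth)` guard only tests for NULL, so Ncat would continue with empty credentials rather than none; consider `const char *env = getenv("NCAT_PROXY_AUTH"); if (env && *env) o.proxy_auth = env;`. The NULL check does give `--proxy-auth` precedence, matching the docs hunk. Storing the getenv pointer directly is fine as long as nothing later modifies or frees o.proxy_auth, since it points into the environment block.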
@nnposter

@nnposter nnposter commented Jul 12, 2020

The patch above has been committed as r37956.

@nnposter nnposter self-assigned this Jul 12, 2020
@nmap-bot nmap-bot closed this in 535e638 Jul 12, 2020