Bug 1573148

Summary: Regression: ncat from nmap-ncat no longer supports SOCKS4
Product: Red Hat Enterprise Linux 7 Reporter: Paul Clifford <paul.clifford+redhat>
Component: nmapAssignee: Pavel Zhukov <pzhukov>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5Keywords: Rebase, Reproducer
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1770135 (view as bug list) Environment:
Last Closed: 2019-11-08 09:35:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1770135    

Description Paul Clifford 2018-04-30 11:05:28 UTC 
Description of problem:
The ncat binary in the nmap-ncat package has a --proxy-type argument that accepts "socks4" as an argument. Prior to the nmap-ncat-6.40-13.el7.x86_64 package in RHEL 7.5 this implemented the SOCKS4 protocol. From that version onwards it implements SOCKS4a instead, which isn't supported by all SOCKS servers.


Version-Release number of selected component (if applicable):
Last working version: nmap-ncat-6.40-7.el7.x86_64, where "ncat --version" produces "Ncat: Version 6.40 ( http://nmap.org/ncat )"

First broken version: nmap-ncat-6.40-13.el7.x86_64, where "ncat --version" produces "Ncat: Version 7.50 ( https://nmap.org/ncat )"


How reproducible:
Always.


Steps to Reproduce:
1. In one terminal run: ncat -l 1085 >/dev/null
2. In another terminal run: strace ncat --proxy-type socks4 --proxy 127.0.0.1:1085 github.com 22 </dev/null 2>&1 | grep 'sendto.*\\4'
3. Wait for the "sendto(3, ..." line from the strace command and use CTRL-C to terminate


Actual results:
With the newer ncat binary the strace output shows:
sendto(3, "\4\1\0\26\0\0\0\1\0github.com\0", 20, 0, NULL, 0) = 20

This is a SOCKS4a connection attempt (https://www.openssh.com/txt/socks4a.protocol), asking the server to connect to 0.0.0.1 and relying on it understanding that the actual target (github.com) follows afterwards.


Expected results:
With the older ncat binary the strace output shows:
sendto(3, "\4\1\0\26\300\36\375q\0", 9, 0, NULL, 0) = 9

This is an actual SOCKS4 connection attempt, asking the server to connect to 192.30.253.113, which is what the ncat command resolved github.com to at the time and location it was run from.


Additional info:
This complicates the transition from RHEL 7.4 to 7.5. The ncat binary previously didn't support SOCKS5, so we had scripts using SOCKS4 to connect out via a SOCKS gateway. Running those same scripts on RHEL 7.5 fails because the gateway doesn't support SOCKS4a, and switching the scripts to use SOCKS5 fails on RHEL 7.4 because ncat there only supports SOCKS4.
Comment 2 Pavel Zhukov 2018-05-07 12:53:02 UTC 
(In reply to Paul Clifford from comment #0)
> Description of problem:
> The ncat binary in the nmap-ncat package has a --proxy-type argument that
> accepts "socks4" as an argument. Prior to the nmap-ncat-6.40-13.el7.x86_64
> package in RHEL 7.5 this implemented the SOCKS4 protocol. From that version
> onwards it implements SOCKS4a instead, which isn't supported by all SOCKS
> servers.
> 
Hello Paul,
Ncat sends IP address instead of FQDN if ip address was specified as destination. 
for example:
# ncat github.com  --proxy localhost:4444 --proxy-type socks4 # uses socks4a extention
# ncat `dig +short github.com   | awk '{ print ; exit }'` --proxy localhost:4444 --proxy-type socks4     ## doesn't use socks4a extention
Comment 3 Paul Clifford 2018-05-17 12:22:23 UTC 
Ah, interesting! The problem we had was that something like the following used to use socks4, prior to the update to nmap-ncat in RHEL 7.5, but changed to using socks4a which isn't recognised by our corporate socks proxy:
ncat github.com  --proxy localhost:4444 --proxy-type socks4

We've since completed the update to 7.5 and changed the proxy type to socks5 instead, so for what it's worth this no longer directly affects us.
Comment 4 Pavel Zhukov 2018-05-17 13:04:00 UTC 
(In reply to Paul Clifford from comment #3)
> Ah, interesting! The problem we had was that something like the following
> used to use socks4, prior to the update to nmap-ncat in RHEL 7.5, but
> changed to using socks4a which isn't recognised by our corporate socks proxy:
> ncat github.com  --proxy localhost:4444 --proxy-type socks4
You're right. Ncat was rebased in latest RHEL and brought socks4a support but it doesn't follow specification very well. I've sent patch upstream:
https://github.com/nmap/nmap/pull/1214

> 
> We've since completed the update to 7.5 and changed the proxy type to socks5
> instead, so for what it's worth this no longer directly affects us.
Yeah. Update to newest version is good idea. 

Thank you for the report!
Comment 7 Pavel Zhukov 2019-10-15 08:06:14 UTC 
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. 

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution. 

For information on how to contact the Red Hat production support team, please visit:
    https://www.redhat.com/support/process/production/#howto
Comment 8 Pavel Zhukov 2019-11-08 09:35:00 UTC 
This vulnerability was evaluated by the sub-system, taking into account the kind of the component, and its use cases. It was not considered as a priority for the next release, so it's being closed now as WONTFIX. Feel free to re-open the bug if there is a business reason to deliver a fix for this issue, and contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com