Bug 1573148 - Regression: ncat from nmap-ncat no longer supports SOCKS4
Summary: Regression: ncat from nmap-ncat no longer supports SOCKS4
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nmap
Version: 7.5
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Pavel Zhukov
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1770135
TreeView+ depends on / blocked
 
Reported: 2018-04-30 11:05 UTC by Paul Clifford
Modified: 2019-11-08 09:35 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1770135 (view as bug list)
Environment:
Last Closed: 2019-11-08 09:35:00 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1591959 0 medium CLOSED Please include https://github.com/nmap/nmap/commit/ec38cb0096648e916660958ac48c121e303debf1 2021-02-22 00:41:40 UTC

Internal Links: 1591959

Description Paul Clifford 2018-04-30 11:05:28 UTC
Description of problem:
The ncat binary in the nmap-ncat package has a --proxy-type argument that accepts "socks4" as an argument. Prior to the nmap-ncat-6.40-13.el7.x86_64 package in RHEL 7.5 this implemented the SOCKS4 protocol. From that version onwards it implements SOCKS4a instead, which isn't supported by all SOCKS servers.


Version-Release number of selected component (if applicable):
Last working version: nmap-ncat-6.40-7.el7.x86_64, where "ncat --version" produces "Ncat: Version 6.40 ( http://nmap.org/ncat )"

First broken version: nmap-ncat-6.40-13.el7.x86_64, where "ncat --version" produces "Ncat: Version 7.50 ( https://nmap.org/ncat )"


How reproducible:
Always.


Steps to Reproduce:
1. In one terminal run: ncat -l 1085 >/dev/null
2. In another terminal run: strace ncat --proxy-type socks4 --proxy 127.0.0.1:1085 github.com 22 </dev/null 2>&1 | grep 'sendto.*\\4'
3. Wait for the "sendto(3, ..." line from the strace command and use CTRL-C to terminate


Actual results:
With the newer ncat binary the strace output shows:
sendto(3, "\4\1\0\26\0\0\0\1\0github.com\0", 20, 0, NULL, 0) = 20

This is a SOCKS4a connection attempt (https://www.openssh.com/txt/socks4a.protocol), asking the server to connect to 0.0.0.1 and relying on it understanding that the actual target (github.com) follows afterwards.


Expected results:
With the older ncat binary the strace output shows:
sendto(3, "\4\1\0\26\300\36\375q\0", 9, 0, NULL, 0) = 9

This is an actual SOCKS4 connection attempt, asking the server to connect to 192.30.253.113, which is what the ncat command resolved github.com to at the time and location it was run from.


Additional info:
This complicates the transition from RHEL 7.4 to 7.5. The ncat binary previously didn't support SOCKS5, so we had scripts using SOCKS4 to connect out via a SOCKS gateway. Running those same scripts on RHEL 7.5 fails because the gateway doesn't support SOCKS4a, and switching the scripts to use SOCKS5 fails on RHEL 7.4 because ncat there only supports SOCKS4.

Comment 2 Pavel Zhukov 2018-05-07 12:53:02 UTC
(In reply to Paul Clifford from comment #0)
> Description of problem:
> The ncat binary in the nmap-ncat package has a --proxy-type argument that
> accepts "socks4" as an argument. Prior to the nmap-ncat-6.40-13.el7.x86_64
> package in RHEL 7.5 this implemented the SOCKS4 protocol. From that version
> onwards it implements SOCKS4a instead, which isn't supported by all SOCKS
> servers.
> 
Hello Paul,
Ncat sends IP address instead of FQDN if ip address was specified as destination. 
for example:
# ncat github.com  --proxy localhost:4444 --proxy-type socks4 # uses socks4a extention
# ncat `dig +short github.com   | awk '{ print ; exit }'` --proxy localhost:4444 --proxy-type socks4     ## doesn't use socks4a extention

Comment 3 Paul Clifford 2018-05-17 12:22:23 UTC
Ah, interesting! The problem we had was that something like the following used to use socks4, prior to the update to nmap-ncat in RHEL 7.5, but changed to using socks4a which isn't recognised by our corporate socks proxy:
ncat github.com  --proxy localhost:4444 --proxy-type socks4

We've since completed the update to 7.5 and changed the proxy type to socks5 instead, so for what it's worth this no longer directly affects us.

Comment 4 Pavel Zhukov 2018-05-17 13:04:00 UTC
(In reply to Paul Clifford from comment #3)
> Ah, interesting! The problem we had was that something like the following
> used to use socks4, prior to the update to nmap-ncat in RHEL 7.5, but
> changed to using socks4a which isn't recognised by our corporate socks proxy:
> ncat github.com  --proxy localhost:4444 --proxy-type socks4
You're right. Ncat was rebased in latest RHEL and brought socks4a support but it doesn't follow specification very well. I've sent patch upstream:
https://github.com/nmap/nmap/pull/1214

> 
> We've since completed the update to 7.5 and changed the proxy type to socks5
> instead, so for what it's worth this no longer directly affects us.
Yeah. Update to newest version is good idea. 

Thank you for the report!

Comment 7 Pavel Zhukov 2019-10-15 08:06:14 UTC
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. 

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution. 

For information on how to contact the Red Hat production support team, please visit:
    https://www.redhat.com/support/process/production/#howto

Comment 8 Pavel Zhukov 2019-11-08 09:35:00 UTC
This vulnerability was evaluated by the sub-system, taking into account the kind of the component, and its use cases. It was not considered as a priority for the next release, so it's being closed now as WONTFIX. Feel free to re-open the bug if there is a business reason to deliver a fix for this issue, and contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com


Note You need to log in before you can comment on or make changes to this bug.