Nmap Development mailing list archives
Nmap proxy auth support, masking --proxies auth command-line data?
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 19 Jul 2015 13:41:32 +0200
On 19.07.2015 at 12:44, commit-mailer () nmap org wrote:
Author: andrew Date: Sun Jul 19 10:44:13 2015 New Revision: 34931 Log: Added basic support for sending out user id in socks4a initialization packets. Modified: nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c Modified: nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c ============================================================================== --- nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c (original) +++ nmap-exp/pasca1/nmap-ncat-socks4a/nsock/src/proxy_socks4.c Sun Jul 19 10:44:13 2015 @@ -195,6 +195,7 @@ nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata, outgoing, outgoing_len); + free(outgoing); } else { nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata, (char *)&socks4, sizeof(struct socks4_data)); @@ -214,9 +215,9 @@ struct proxy_node *next; struct socks4_data socks4a; size_t outgoing_len = sizeof(struct socks4_data) + target_name_len + sizeof(uint8_t); - uint8_t *outgoing = safe_zalloc(outgoing_len); - char nullbyte = '\0'; + uint8_t *outgoing; int timeout; + int user_len = 0; px_ctx->px_state = PROXY_STATE_SOCKS4_TCP_CONNECTED; 
@@ -231,11 +232,19 @@ timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod); + if (px_ctx->px_current->user) { + user_len = strlen(px_ctx->px_current->user); + outgoing_len = sizeof(socks4a) + target_name_len + user_len + 1; + } + outgoing = safe_zalloc(outgoing_len); + /* Copy contents of socks4a data packet into memory */ - memcpy(outgoing, &socks4a, sizeof(struct socks4_data)); - memcpy(outgoing + sizeof(struct socks4_data), target_name, target_name_len); - memcpy(outgoing + sizeof(struct socks4_data) + target_name_len, &nullbyte, - sizeof(uint8_t)); + memcpy(outgoing, &socks4a, sizeof(socks4a)); + /* If user id is supplied, overwrite the last null byte of socks4_data and + * include the last null byte in the user id string. */ + if (user_len) + memcpy(outgoing + sizeof(socks4a) - 1, px_ctx->px_current->user, user_len + 1); + memcpy(outgoing + sizeof(socks4a) + user_len, target_name, target_name_len + 1); nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata, (char *)outgoing, outgoing_len); _______________________________________________ Sent through the svn mailing list http://nmap.org/mailman/listinfo/svn
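Review bot: The free(outgoing) added directly after nsock_write() in the @@ -195 hunk is correct only if nsock_write() copies the buffer into the event before returning rather than keeping the pointer for the later write; a one-line comment stating that would keep a future reader from "fixing" it as a use-after-free, and it also makes the missing free in the socks4a connect path below stand out by contrast.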
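Review bot: user_len is declared int in the @@ -214 hunk but receives a strlen() result and is added to the size_t outgoing_len in the following hunk; declare it size_t to match. With the initialisation of outgoing moved out of the declaration, the initial value `size_t outgoing_len = sizeof(struct socks4_data) + target_name_len + sizeof(uint8_t);` now only covers the no-user case and is overwritten otherwise, so either compute it once after the user check or add a comment saying so.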
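Review bot: outgoing is allocated with safe_zalloc() in the @@ -231 hunk but, unlike the @@ -195 hunk, is not freed after nsock_write() anywhere in the context shown, so each SOCKS4a connect leaks outgoing_len bytes unless a free exists outside this diff. Two smaller points in the same hunk: `memcpy(outgoing + sizeof(socks4a) + user_len, target_name, target_name_len + 1);` now copies the terminator from target_name instead of appending the explicit nullbyte the old code used, so it relies on target_name being NUL-terminated; and `memcpy(outgoing + sizeof(socks4a) - 1, px_ctx->px_current->user, user_len + 1);` assumes struct socks4_data ends in exactly one null byte with no trailing padding, which deserves a comment or a static assertion next to it.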
Hello,

I like the progress! Just to make sure though - how are you testing your implementation, could you document it somewhere? If you don't have a secwiki.org account, it's a good moment to create it as it might take some time to get your account approved.

Also, how exactly does it behave? Do we assume that if username and password are specified, we'll jump right to authenticating without trying anonymous access first? This is the kind of behavior that I find worth documenting.

There's one thing I am a tad worried about - if you specify username and password in --proxies, it's visible to all other users of this system in the results of the "ps" command. While IMHO it's a bad security practice to allow regular users to see command line options of processes that belong to other users and it's not the default on CentOS systems and the like, Debian defaults are not as forgiving there. It might make sense to remove the logins and passwords from the argv (though I'd rather wait for somebody else to comment on this). Here's what I would propose:

1. In nsock_proxychain_new(), add a new bool argument that says whether we request to mask out the login and password,
2. Make sure calls to this function in ncat and nmap (there are just two single ones) operate on memory that points to argv or find the relevant string in argv.

It's not trivial and might not be worth it - the two other options are to not worry about it (though it's ABSOLUTELY NECESSARY to mention this possible security problem in the documentation) and to add a new command-line option that would read the --proxies value from a file (should be much simpler to implement).

What do you think?

Cheers,
d33tah
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
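As an added example (not nmap or ncat code, and not the nsock change proposed in this thread), here is the argv-scrubbing idea from the message above written out in C: it locates the credentials inside the --proxies value on the command line, keeps a heap copy for the proxy layer, and overwrites the bytes in argv in place so that /proc/<pid>/cmdline, which is what ps reads on Linux, no longer shows them. The option spelling, the comma-separated scheme://user:pass@host:port chain layout, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Scrub the userinfo ("user:pass" or just "user") of every proxy URL in a
 * --proxies chain value, in place.  The chain layout assumed here is a
 * comma-separated list like
 *   socks4://alice:s3cret@proxy.example:1080,http://bob:hunter2@gw:3128
 * Each credential is copied to the heap (stored in creds[] while n < max_creds)
 * and the original bytes are replaced with 'x'.  The string keeps its length,
 * so the kernel's cmdline view of our argv stays well-formed.
 * Returns the running count of credentials found.
 */
static size_t scrub_proxy_chain(char *value, char **creds, size_t max_creds,
                                size_t n)
{
    char *seg = value;

    while (seg != NULL && *seg != '\0') {
        char *end = strchr(seg, ',');                 /* end of this URL */
        size_t seglen = end ? (size_t)(end - seg) : strlen(seg);
        char *start = strstr(seg, "://");

        /* userinfo sits between "://" and the first '@' of this URL only;
         * the bound check rejects a "://" that belongs to a later URL */
        if (start != NULL && start + 3 <= seg + seglen) {
            char *at;
            start += 3;
            at = memchr(start, '@', (size_t)(seg + seglen - start));
            if (at != NULL && at > start) {
                size_t len = (size_t)(at - start);
                if (n < max_creds) {
                    char *copy = malloc(len + 1);
                    if (copy != NULL) {
                        memcpy(copy, start, len);
                        copy[len] = '\0';
                    }
                    creds[n] = copy;
                }
                memset(start, 'x', len);              /* what ps sees now */
                n++;
            }
        }
        seg = end ? end + 1 : NULL;
    }
    return n;
}

/*
 * Walk argv for "--proxies=<chain>" and "--proxies <chain>" and scrub each.
 * Call this as early as possible in main(): the window between exec() and
 * this call is still exposed, and nothing here helps with shell history or
 * audit logs that recorded the original command line.
 */
size_t scrub_argv_proxies(int argc, char **argv, char **creds, size_t max_creds)
{
    size_t n = 0;
    int i;

    for (i = 1; i < argc; i++) {
        char *value = NULL;
        if (strncmp(argv[i], "--proxies=", 10) == 0)
            value = argv[i] + 10;
        else if (strcmp(argv[i], "--proxies") == 0 && i + 1 < argc)
            value = argv[++i];
        if (value != NULL)
            n = scrub_proxy_chain(value, creds, max_creds, n);
    }
    return n;
}

/* Stand-alone demo: run as
 *   ./scrub --proxies socks4://alice:s3cret@proxy.example:1080
 * and compare with  ps -o args -p $PID  from another shell (Linux). */
int main(int argc, char **argv)
{
    char *creds[8] = {0};
    size_t n = scrub_argv_proxies(argc, argv, creds, 8);
    size_t i;
    FILE *f;

    printf("scrubbed %zu credential(s); argv now reads:", n);
    for (i = 1; i < (size_t)argc; i++)
        printf(" %s", argv[i]);
    printf("\n");

    /* On Linux /proc/self/cmdline mirrors our argv memory, so this is the
     * same view ps gets. */
    f = fopen("/proc/self/cmdline", "r");
    if (f != NULL) {
        int c;
        printf("/proc/self/cmdline:");
        while ((c = fgetc(f)) != EOF)
            putchar(c == '\0' ? ' ' : c);
        putchar('\n');
        fclose(f);
    }
    for (i = 0; i < n && i < 8; i++)
        free(creds[i]);   /* real code would hand these to the proxy layer */
    return 0;
}
```

Because each argument is overwritten in place and keeps its length, the kernel-maintained cmdline stays consistent; the credential is still exposed between exec() and the scrub, in shell history, in audit logs and to whatever wrapper launched the process, which is why the file-based option mentioned in the message closes the hole more completely.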
Current thread:
- Nmap proxy auth support, masking --proxies auth command-line data? Jacek Wielemborek (Jul 19)
- Re: Nmap proxy auth support, masking --proxies auth command-line data? Andrew Jason Farabee (Jul 19)
- Re: Nmap proxy auth support, masking --proxies auth command-line data? Jacek Wielemborek (Jul 19)
- Re: Nmap proxy auth support, masking --proxies auth command-line data? Daniel Miller (Jul 19)
- Re: Nmap proxy auth support, masking --proxies auth command-line data? Jacek Wielemborek (Jul 19)
- Re: Nmap proxy auth support, masking --proxies auth command-line data? Andrew Jason Farabee (Jul 19)