
(FWD) [rieger@dest-unreach.org: Re: SOCKS4A broken in 1.4.0?]

It seems that socat (http://6sxoyfb3h2nvok2d.onion/tor/SocatHelp)
isn't providing the anonymity that we think it is. Fyi. :)

----- Forwarded message from Thomas Themel <themel@iwoars.net> -----

From: Thomas Themel <themel@iwoars.net>
Date: Mon, 5 Jul 2004 02:09:42 +0200
To: arma@mit.edu
Subject: [rieger@dest-unreach.org: Re: SOCKS4A broken in 1.4.0?]


Since you're recommending socat for use with tor and you specifically
mentioned the anonymity problems inherent in doing DNS lookups on the
anon client in your Codecon talk, I thought you might find this
interesting - I verified it's true with socat-  socat-
with my patch works as expected.

----- Forwarded message from Gerhard Rieger <rieger@dest-unreach.org> -----

Date: Sun, 04 Jul 2004 21:24:48 +0200
From: Gerhard Rieger <rieger@dest-unreach.org>
To: Thomas Themel <themel@iwoars.net>
CC: socat@dest-unreach.org
Subject: Re: SOCKS4A broken in 1.4.0?

Hi Thomas,

you uncovered a dark chapter of socat.
First problem: just as you found out, socat constructed bad 
socks4a headers. This should be corrected with your patch, thank you!
Second, bad news for both of us: previous versions of socat used socks4a 
only when the hostname could not be resolved. The above socks4a bug has 
certainly always existed in socat; that means that your work a month ago 
used socks4, not socks4a protocol, because it would have failed 
otherwise. I hope that this truth does not destroy your world, 
reputation or project...

Thanks for finding this bug and providing a patch!

Gerhard Rieger

Thomas Themel wrote:

>Hi there,
>I'm having problems connecting through a SOCKS4A proxy, which worked
>fine a month ago. I assume that this was caused by the switchover to 1.4
>in the Debian package. 
>The command line used for the connection was: 
>socat TCP4-LISTEN:5223,reuseaddr 
>Ethereal decoded the request that socat sent as:
>| Frame 11 (91 bytes on wire, 91 bytes captured)
>| Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
>| Internet Protocol, Src Addr: (, Dst Addr: 
>| Transmission Control Protocol, Src Port: 36612 (36612), Dst Port: 9050 
>(9050), Seq: 1, Ack: 1, Len: 25
>| Socks Protocol
>|     Version: 4
>|     Command: 1 (Connect)
>|     Remote Port: 5223
>|     Remote Address: (
>|     User Name: abber.at
>Comparing this to the SOCKS4A spec at 
><http://archive.socks.permeo.com/protocol/socks4a.protocol>, it seems
>like socat puts the host name one byte _before_ the user name instead of
>after the trailing 0 byte of the user name.
>The following patch fixes it for me:
>themel@sophokles:~/socat-1.4$ diff -u xio-socks.c ../xio-socks.c 
>--- xio-socks.c 2004-06-20 23:30:02.000000000 +0200
>+++ ../xio-socks.c      2004-07-04 15:04:37.000000000 +0200
>@@ -269,9 +269,12 @@
>   }
>#endif /* WITH_SOCKS4A */
>-   /* this has not really been tested */
>   if (host == NULL) {
>-      strncpy((char *)&sockhead->dest+3, hostname, 256+8-*headlen);
>+      /* SOCKS4A requires us to append the host name to resolve
>+         after the user name's trailing 0 byte.  */
>+      char* insert_position = (char*) sockhead + *headlen;
>+      strncpy(insert_position, hostname, 256+8-*headlen);
>      *headlen += strlen(hostname) + 1;
>   }
>#endif /* WITH_SOCKS4A */
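Review bot: the new `strncpy(insert_position, hostname, 256+8-*headlen)` still neither checks that the hostname fits nor guarantees a terminating NUL; if `strlen(hostname) + 1` exceeds `256+8-*headlen`, strncpy truncates without writing the 0 byte and the following `*headlen += strlen(hostname) + 1` then accounts for bytes past the end of the header buffer, so an over-long name would produce an unterminated, oversized request instead of a clean failure. Test the length before copying (if `strlen(hostname) + 1 > 256+8-*headlen`, report an error and refuse the connect) and then copy `strlen(hostname) + 1` bytes with memcpy. The correctness of `insert_position = (char*) sockhead + *headlen` also rests on `*headlen` already covering the user name and its trailing 0 at this point, which the hunk does not show; a one-line comment stating that precondition would help the next reader. Finally, two `#endif /* WITH_SOCKS4A */` lines appear in the context with no `#if` between them; if that is not a quoting artifact, the conditional nesting deserves a second look.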
>I've tested SOCKS4A with tor - <http://www.freehaven.net/tor/>, might
>be useful for future changes.

----- End forwarded message -----

[*Thomas  Themel*] Deposing a harmless tyrant: $87,000,000,000 
[extended contact] Generating 2 Islamic republics plus an ethnic republic 
[info provided in] that destabilizes Turkey: priceless
[*message header*]  - "Major Variola" on cypherpunks

----- End forwarded message -----
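The thread above turns on one byte layout detail: in SOCKS4A the destination address is 0.0.0.x (x non-zero) and the hostname follows the user name's trailing 0 byte, while socat 1.4.0 wrote the hostname onto the tail of the address field, one byte before the user name. The following is an added example, not socat's code and not part of the original message, written in C because that is socat's language. It builds the request the way the spec describes, builds the misplaced layout the quoted hunk describes (assuming the user name was already in place when the `&sockhead->dest+3` write happened, an ordering the hunk does not show), and runs both through a small proxy-side parser. Port 5223 is taken from the capture; the empty user name and the hostname `example.org` are constructed inputs, since the real hostname is not on the page.

```c
/*
 * Added example (not socat code): SOCKS4A CONNECT request builder, the
 * misplaced 1.4.0 layout for contrast, and a parser that checks both.
 * Constructed inputs: port 5223 (from the capture), empty userid,
 * hostname "example.org" (assumption; the real name is not on the page).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS4A CONNECT: VN=4 CD=1 DSTPORT(2, network order) DSTIP=0.0.0.x (x!=0)
 * USERID NUL HOSTNAME NUL. Returns the request length, or -1 when the
 * hostname is empty, over 255 bytes, or would not fit (checked before copying). */
static int build_socks4a_connect(uint8_t *buf, size_t cap, uint16_t port,
                                 const char *userid, const char *hostname)
{
    size_t ulen = strlen(userid), hlen = strlen(hostname);
    size_t need = 8 + ulen + 1 + hlen + 1;
    if (hlen == 0 || hlen > 255 || need > cap)
        return -1;
    buf[0] = 4;                                      /* VN */
    buf[1] = 1;                                      /* CD: CONNECT */
    buf[2] = (uint8_t)(port >> 8);                   /* DSTPORT, big-endian */
    buf[3] = (uint8_t)(port & 0xff);
    buf[4] = buf[5] = buf[6] = 0;                    /* DSTIP 0.0.0.1: proxy resolves */
    buf[7] = 1;
    memcpy(buf + 8, userid, ulen + 1);               /* USERID plus trailing NUL */
    memcpy(buf + 8 + ulen + 1, hostname, hlen + 1);  /* HOSTNAME only after that NUL */
    return (int)need;
}

/* The 1.4.0 layout as the hunk shows it: hostname written at &dest+3 (the
 * last DSTIP byte, running into the userid), headlen still advanced by
 * strlen(hostname)+1. Assumes the userid was already in place. The buffer
 * is zeroed first so the result is deterministic. */
static int build_socks4a_misplaced(uint8_t *buf, size_t cap, uint16_t port,
                                   const char *userid, const char *hostname)
{
    size_t ulen = strlen(userid), hlen = strlen(hostname);
    size_t headlen = 8 + ulen + 1;
    if (headlen + hlen + 1 > cap)
        return -1;
    memset(buf, 0, cap);
    buf[0] = 4; buf[1] = 1;
    buf[2] = (uint8_t)(port >> 8); buf[3] = (uint8_t)(port & 0xff);
    buf[7] = 1;
    memcpy(buf + 8, userid, ulen + 1);
    memcpy(buf + 7, hostname, hlen + 1);             /* the misplaced write */
    return (int)(headlen + hlen + 1);                /* the hunk's headlen arithmetic */
}

/* Proxy-side view: returns 1 and fills port/host if buf[0..len) is a
 * well-formed SOCKS4A CONNECT, 0 otherwise. A plain SOCKS4 request (real
 * DSTIP, no hostname) is rejected here: that is the case where the client
 * already did the DNS lookup itself. */
static int parse_socks4a_connect(const uint8_t *buf, size_t len,
                                 uint16_t *port, char *host, size_t hostcap)
{
    if (len < 10 || buf[0] != 4 || buf[1] != 1)
        return 0;
    if (buf[4] != 0 || buf[5] != 0 || buf[6] != 0 || buf[7] == 0)
        return 0;                                    /* not a 0.0.0.x marker */
    const uint8_t *p = buf + 8, *end = buf + len;
    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    if (nul == NULL)
        return 0;                                    /* USERID unterminated */
    p = nul + 1;
    nul = memchr(p, 0, (size_t)(end - p));
    if (nul == NULL || nul == p || (size_t)(nul - p) >= hostcap)
        return 0;                                    /* HOSTNAME missing, empty or too long */
    *port = (uint16_t)((buf[2] << 8) | buf[3]);
    memcpy(host, p, (size_t)(nul - p) + 1);
    return 1;
}

#define DEMO_PORT 5223
static const char DEMO_USER[] = "";                  /* constructed: empty userid */
static const char DEMO_HOST[] = "example.org";       /* constructed hostname */

static int demo_correct_len(void)
{
    uint8_t b[64];
    return build_socks4a_connect(b, sizeof b, DEMO_PORT, DEMO_USER, DEMO_HOST);
}
static int demo_parses(int (*build)(uint8_t *, size_t, uint16_t, const char *, const char *))
{
    uint8_t b[64]; char host[256]; uint16_t port = 0;
    int n = build(b, sizeof b, DEMO_PORT, DEMO_USER, DEMO_HOST);
    if (n < 0) return 0;
    return parse_socks4a_connect(b, (size_t)n, &port, host, sizeof host)
           && port == DEMO_PORT && strcmp(host, DEMO_HOST) == 0;
}
static int demo_correct_parses(void)   { return demo_parses(build_socks4a_connect); }
static int demo_misplaced_parses(void) { return demo_parses(build_socks4a_misplaced); }
static int demo_no_room(void)
{
    uint8_t b[16];                                   /* too small for the 21-byte request */
    return build_socks4a_connect(b, sizeof b, DEMO_PORT, DEMO_USER, DEMO_HOST);
}

int main(void)
{
    uint8_t b[64];
    int n = build_socks4a_connect(b, sizeof b, DEMO_PORT, DEMO_USER, DEMO_HOST);
    for (int i = 0; i < n; i++) printf("%02x ", b[i]);
    printf("\ncorrect parses: %d, misplaced parses: %d, no room: %d\n",
           demo_correct_parses(), demo_misplaced_parses(), demo_no_room());
    return 0;
}
```

With the empty user name the correct request is 21 bytes: `04 01 14 67 00 00 00 01 00` followed by the hostname and its NUL. The misplaced builder overwrites byte 7 and the user name slot with the hostname, so the parser sees a user name of `xample.org` and an empty hostname and rejects it; the bounds check in the correct builder is the one the quoted hunk's bare strncpy lacks.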