(FWD) [rieger at dest-unreach.org: Re: SOCKS4A broken in 1.4.0?]

Roger Dingledine arma at mit.edu
Mon Jul 5 07:53:20 UTC 2004


It seems that socat (http://6sxoyfb3h2nvok2d.onion/tor/SocatHelp)
isn't providing the anonymity that we think it is. Fyi. :)
--Roger

----- Forwarded message from Thomas Themel <themel at iwoars.net> -----

From: Thomas Themel <themel at iwoars.net>
Date: Mon, 5 Jul 2004 02:09:42 +0200
To: arma at mit.edu
Subject: [rieger at dest-unreach.org: Re: SOCKS4A broken in 1.4.0?]

Hi,

Since you're recommending socat for use with tor and you specifically
mentioned the anonymity problems inherent in doing DNS lookups on the
anon client in your Codecon talk, I thought you might find this
interesting - I verified it's true with socat-1.3.2.2.  socat-1.4.0.0
with my patch works as expected.

----- Forwarded message from Gerhard Rieger <rieger at dest-unreach.org> -----

Date: Sun, 04 Jul 2004 21:24:48 +0200
From: Gerhard Rieger <rieger at dest-unreach.org>
To: Thomas Themel <themel at iwoars.net>
CC: socat at dest-unreach.org
Subject: Re: SOCKS4A broken in 1.4.0?

Hi Thomas,

you uncovered a dark chapter of socat.
First problem: just as you found out, socat 1.4.0.0 constructed bad 
socks4a headers. This should be corrected with your patch, thank you!
Second, bad news for both of us: previous versions of socat used socks4a 
only when the hostname could not be resolved. The above socks4a bug has 
certainly always existed in socat; that means that your work a month ago 
used socks4, not socks4a protocol, because it would have failed 
otherwise. I hope that this truth does not destroy your world, 
reputation or project...

Thanks for finding this bug and providing a patch!

Regards
Gerhard Rieger

Thomas Themel wrote:

>Hi there,
>
>I'm having problems connecting through a SOCKS4A proxy, which worked
>fine a month ago. I assume that this was caused by the switchover to 1.4
>in the Debian package. 
>
>The command line used for the connection was: 
>
>socat TCP4-LISTEN:5223,reuseaddr SOCKS4A:localhost:jabber.at:5223,socksport=9050
>
>Ethereal decoded the request that socat sent as:
>
>| Frame 11 (91 bytes on wire, 91 bytes captured)
>| Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
>| Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)
>| Transmission Control Protocol, Src Port: 36612 (36612), Dst Port: 9050 (9050), Seq: 1, Ack: 1, Len: 25
>| Socks Protocol
>|     Version: 4
>|     Command: 1 (Connect)
>|     Remote Port: 5223
>|     Remote Address: 0.0.0.106 (0.0.0.106)
>|     User Name: abber.at
>
>Comparing this to the SOCKS4A spec at 
><http://archive.socks.permeo.com/protocol/socks4a.protocol>, it seems
>like socat puts the host name one byte _before_ the user name instead of
>after the trailing 0 byte of the user name.
>
>The following patch fixes it for me:
>
>themel at sophokles:~/socat-1.4$ diff -u xio-socks.c ../xio-socks.c 
>--- xio-socks.c 2004-06-20 23:30:02.000000000 +0200
>+++ ../xio-socks.c      2004-07-04 15:04:37.000000000 +0200
>@@ -269,9 +269,12 @@
>   }
>#endif /* WITH_SOCKS4A */
>#if WITH_SOCKS4A
>-   /* this has not really been tested */
>   if (host == NULL) {
>-      strncpy((char *)&sockhead->dest+3, hostname, 256+8-*headlen);
>+      /* SOCKS4A requires us to append the host name to resolve
>+         after the user name's trailing 0 byte.  */
>+      char* insert_position = (char*) sockhead + *headlen;
>+
>+      strncpy(insert_position, hostname, 256+8-*headlen);
>      *headlen += strlen(hostname) + 1;
>   }
>#endif /* WITH_SOCKS4A */
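
Review bot: The added strncpy(insert_position, hostname, 256+8-*headlen) leaves the name without its terminating 0 byte when hostname is 256+8-*headlen bytes or longer, and the next line, *headlen += strlen(hostname) + 1, still advances by the full name length, so the recorded header length can exceed what was actually copied. Suggest checking strlen(hostname) + 1 against the remaining space before the copy and failing the connection when the name does not fit, rather than sending a truncated request. Since the same block drops the "this has not really been tested" remark, the new comment could also note what the patch was tested against.
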
>
>I've tested SOCKS4A with tor - <http://www.freehaven.net/tor/>, might
>be useful for future changes.
>
>ciao,
> 
>


----- End forwarded message -----

ciao,
-- 
[*Thomas  Themel*] Deposing a harmless tyrant: $87,000,000,000 
[extended contact] Generating 2 Islamic republics plus an ethnic republic 
[info provided in] that destabilizes Turkey: priceless
[*message header*]  - "Major Variola" on cypherpunks



----- End forwarded message -----
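
The request layout discussed in this thread, as an added example that is not part of the original messages or of socat's source: a bounds-checked SOCKS4A request builder and a classifier that tells a literal-address SOCKS4 request (name resolved on the client) from a well-formed SOCKS4A one and from the malformed frame in the Ethereal decode. The function names, the user name "user", the address 192.0.2.10 and the zero trailing bytes of the buggy sample are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
enum kind { MALFORMED, SOCKS4_IP, SOCKS4A_NAME };

/* Build a SOCKS4A CONNECT request: 8 fixed bytes, userid NUL, hostname NUL.
   Returns the request length, or 0 if the fields do not fit in cap bytes. */
size_t socks4a_build(unsigned char *buf, size_t cap, unsigned port,
                     const char *user, const char *host)
{
    size_t ulen = strlen(user) + 1, hlen = strlen(host) + 1;
    if (hlen == 1 || cap < 8 || ulen > cap - 8 || hlen > cap - 8 - ulen)
        return 0;                       /* reject instead of truncating */
    buf[0] = 4; buf[1] = 1;             /* version 4, CONNECT */
    buf[2] = (port >> 8) & 0xff; buf[3] = port & 0xff;
    buf[4] = buf[5] = buf[6] = 0; buf[7] = 1;  /* 0.0.0.x, x != 0: name follows */
    memcpy(buf + 8, user, ulen);
    memcpy(buf + 8 + ulen, host, hlen); /* after the userid's trailing 0 */
    return 8 + ulen + hlen;
}

/* Classify a captured CONNECT request. SOCKS4_IP means the client put a
   literal address in the header, i.e. any name lookup happened locally. */
enum kind socks4_classify(const unsigned char *p, size_t len, const char **host)
{
    *host = NULL;
    if (len < 9 || p[0] != 4 || p[1] != 1) return MALFORMED;
    const unsigned char *uend = memchr(p + 8, 0, len - 8);
    if (uend == NULL) return MALFORMED;             /* unterminated userid */
    if (p[4] || p[5] || p[6] || !p[7]) return SOCKS4_IP;
    const unsigned char *h = uend + 1;
    size_t rest = len - (size_t)(h - p);
    if (rest == 0 || h[0] == 0 || memchr(h, 0, rest) == NULL) return MALFORMED;
    *host = (const char *)h;
    return SOCKS4A_NAME;
}

/* Constructed samples. BUGGY follows the Ethereal decode above (25 bytes,
   0.0.0.106, user "abber.at"); its 8 trailing bytes are assumed to be zero. */
const unsigned char BUGGY[25] = {4,1,0x14,0x67,0,0,0,'j','a','b','b','e','r','.','a','t',0};
const unsigned char PLAIN[] = {4,1,0x14,0x67,192,0,2,10,'u',0};

int main(void)
{
    unsigned char req[264]; const char *h;
    size_t n = socks4a_build(req, sizeof req, 5223, "user", "jabber.at");
    printf("built=%d buggy=%d plain=%d\n", socks4_classify(req, n, &h),
           socks4_classify(BUGGY, 25, &h), socks4_classify(PLAIN, sizeof PLAIN, &h));
    return 0;
}
```

Run against requests captured on the SOCKS port, a SOCKS4_IP result for a destination that was given by name is the sign that the name never reached the proxy.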


