SOCKS 4A
A simple extension to the SOCKS 4 protocol that allows a client that cannot resolve the destination host's domain name to specify it. The client should set the first three bytes of DSTIP to NULL and the last byte to a non-zero value (this corresponds to IP address 0.0.0.x, with x nonzero, an inadmissible destination address that should therefore never occur if the client can resolve the domain name). Following the NULL byte terminating USERID, the client must send the destination domain name and terminate it with another NULL byte. This is used for both CONNECT and BIND requests.
            +----+----+----+----+----+----+----+----+----+----+....+----+----+----+....+----+
            | VN | CD | DSTPORT |  DSTIP 0.0.0.x    | USERID       |NULL| HOSTNAME     |NULL|
            +----+----+----+----+----+----+----+----+----+----+....+----+----+----+....+----+
# of bytes:   1    1       2              4             variable     1      variable     1
A server using protocol 4A must check the DSTIP in the request packet. If it represents address 0.0.0.x with nonzero x, the server must read in the domain name that the client sends in the packet. The server should resolve the domain name and make a connection to the destination host if it can. It was possible to kill remote SOCKS4A servers by sending a request with an over-long hostname. A cracker may exploit this vulnerability to make the SOCKS server crash continually or even execute arbitrary code on the system. A server must therefore bound the number of bytes it reads while looking for the terminating NULL (a fully-qualified domain name cannot exceed 253 bytes) and reject any request that exceeds that bound instead of buffering it.
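The request layout above and the server-side parsing rule, as an added example in Python (this is not code from the SOCKS 4A specification or from any SOCKS implementation). It encodes a CONNECT or BIND request with the 0.0.0.x marker, and parses a request the way a server should: detecting the marker, then searching for the hostname terminator only within a fixed window so that an over-long hostname is rejected rather than read without bound. The 253-byte limit (MAX_HOSTNAME_LEN) is an assumption taken from the DNS name-length limit; the SOCKS 4A text itself gives no maximum.

```python
import socket
import struct

# Field values from the SOCKS 4 / 4A specification
SOCKS_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
# Assumption: longest legal fully-qualified domain name in text form.
# The SOCKS 4A text gives no bound, so the server imposes this one.
MAX_HOSTNAME_LEN = 253


def build_socks4a_request(cmd: int, port: int, hostname: str, userid: bytes = b"") -> bytes:
    """Encode a SOCKS 4A request: VN CD DSTPORT DSTIP USERID NULL HOSTNAME NULL.

    DSTIP is set to 0.0.0.1 (first three bytes NULL, last byte non-zero) to
    signal that a hostname follows the USERID terminator.
    """
    if cmd not in (CMD_CONNECT, CMD_BIND):
        raise ValueError("cmd must be CONNECT (1) or BIND (2)")
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    host = hostname.encode("idna")  # hostname must be ASCII on the wire
    if b"\x00" in host or b"\x00" in userid:
        raise ValueError("NUL byte not allowed inside USERID or HOSTNAME")
    if len(host) > MAX_HOSTNAME_LEN:
        raise ValueError("hostname too long")
    header = struct.pack("!BBH4s", SOCKS_VERSION, cmd, port, b"\x00\x00\x00\x01")
    return header + userid + b"\x00" + host + b"\x00"


def parse_socks4a_request(data: bytes) -> dict:
    """Parse one SOCKS 4 or 4A request as a server would.

    Returns cmd, port, userid, the number of bytes consumed, and either 'ip'
    (plain SOCKS 4) or 'hostname' (SOCKS 4A). Raises ValueError on malformed
    input, including an unterminated or over-long hostname.
    """
    if len(data) < 9:
        raise ValueError("request too short")
    vn, cd, port, dstip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION:
        raise ValueError(f"unsupported version {vn}")
    if cd not in (CMD_CONNECT, CMD_BIND):
        raise ValueError(f"unsupported command {cd}")

    # USERID runs from byte 8 up to its NULL terminator.
    end_user = data.find(b"\x00", 8)
    if end_user == -1:
        raise ValueError("USERID not NUL-terminated")
    result = {"cmd": cd, "port": port, "userid": data[8:end_user]}

    # SOCKS 4A marker: DSTIP is 0.0.0.x with x != 0, so a hostname follows.
    if dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0:
        start = end_user + 1
        # Search for the terminator only inside a bounded window. A hostname
        # longer than MAX_HOSTNAME_LEN never finds its NULL here and is
        # rejected instead of being read (and buffered) to arbitrary length.
        end_host = data.find(b"\x00", start, start + MAX_HOSTNAME_LEN + 1)
        if end_host == -1:
            raise ValueError(
                f"HOSTNAME missing terminator or longer than {MAX_HOSTNAME_LEN} bytes")
        raw_host = data[start:end_host]
        if not raw_host.isascii():
            raise ValueError("HOSTNAME must be ASCII")
        result["hostname"] = raw_host.decode("ascii")
        result["consumed"] = end_host + 1
    else:
        # Plain SOCKS 4: DSTIP is the literal destination address.
        result["ip"] = socket.inet_ntoa(dstip)
        result["consumed"] = end_user + 1
    return result
```

The parser returns the number of bytes consumed rather than rejecting trailing data, because on a real connection the request is followed immediately by the client's payload; a server would pass any remaining bytes on to the relay once the connection is established.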
External links
SOCKS 4A: A Simple Extension to SOCKS 4 Protocol, by Ying-Da Lee
Vulnerability - Too long hostname kills the SOCKS4A server, by Michel Arboi