1

Suppose I want to set up a server as a test, and I want it exposed to the Internet, giving any IP access. It could be for any reason or no reason.

I don't want it to be at risk of a buffer overflow and the execution of arbitrary code on my machine.

nc -l is fine. the server needn't do anything. It might be done within cygwin.

How safe is that?

And if it's not safe, is there something safer?

barlop
  • 129
  • 4
  • People who downvote, explain? Because I thought "wtf" when someone asked about `cat`, but there were really great answers and in short, yes, that was exploitable. Why downvote asking asking the same about netcat? It could totally be used as internet-facing application (I have). There are close votes for 'unclear' and 'too broad' right now. Especially for the former, you really should leave a comment. It even says in the comment placeholder "Use comments to ask for more information or suggest improvements." You could ask for clarification or try to narrow the scope. – Luc Apr 30 '14 at 00:12

1 Answers1

7

Netcat does not appear to have much bugs such as buffer overflows. Apparently it had one such bug, but a very minor one: if you invoked it as a client with a port number beyond 999999 (which makes no sense, since valid port numbers are in the 0..65535 range), then you could get a buffer overflow leading to a crash; bug report is there.

However, there is apparently more than one nc command around. On my server, which runs a pretty standard Ubuntu (13.10 currently), the nc command is provided by the netcat-openbsd package. Apparently:

  • The OpenBSD people decided to put a nc command in their base system, and rewrote the complete utility for various reasons, the official one being "IPv6 support" (that's a valid reason, but I suspect a case of NIH syndrome as well).

  • The Debian people then extracted the OpenBSD code to package it as a Debian package (which also found its way to Ubuntu, since Ubuntu feeds on Debian packages), and then proceeded to overhaul the code for reasons which are somewhat explained in this file. In particular, they claim that "the code has been massively cleaned up, and important functionality has been added". They also removed calls to strlcpy(), a non-standard function that OpenBSD people are quite fond of, but which is not part of the GNU libc that Debian systems use.

So whether a specific version has a buffer overflow is a hit-and-miss game. This is a rather simple utility; if any software may be reasonably bug-free, then that must be netcat. I suspect that if a buffer overflow is ever found in the OpenBSD implementation of netcat, then some OpenBSD developers would commit honourable seppuku.


However, there may be other security issues than buffer overflows. The main potential issue I see here is that your nc -l will run in some sort of text console or terminal, and output the bytes as they are received. Therefore, some bad guy could send control sequences which will be interpreted by your terminal. This issue is explored at length in this question.

If you run nc -l with output redirected to a file, then that problem is avoided -- as long as you take care to read the file with some tool who filters out escape sequences, e.g. a text editor.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955