socks5 port exposed to network on Chrome OS

[Cnly]

Describe the bug
The commit f799649 hard-coded the app to bind 0.0.0.0 on Chrome OS and it stated it was safe at that time. However, this doesn't seem true anymore because the port exposed is now accessible from other machines in the network.

Chrome OS version used for testing: Version 76.0.3809.20 (Official Build) dev (64-bit)

To Reproduce
Enable the proxy with any profile and confirm the SOCKS5 proxy port set in settings page is accessible from another machine in the same network.

Expected behavior
I'd expect a switch that allows the user to decide whether to share their connection. I found there seems to be the option Key.shareOverLan, but I didn't find a way to modify its value.

Screenshots
Not applicable

Smartphone (please complete the following information):

• Chrome OS Version 76.0.3809.20 (Official Build) dev (64-bit)
• Version: 4.8.0 (from Play Store)
• Last version that did not exhibit the issue: Presumably the version before f799649.

Configuration
Put an x inside the [ ] that applies.

• IPv4 server address
• IPv6 server address
• Client IPv4 availability
• Client IPv6 availability
• Encrypt method:
• Route
  • All
  • Bypass LAN
  • Bypass China
  • Bypass LAN & China
  • GFW List
  • China List
  • Custom rules
• IPv6 route
• Apps VPN mode
  • Bypass mode
• Remote DNS: 8.8.8.8
• DNS over UDP
• Plugin configuration (if applicable):
• Auto Connect
• TCP Fast Open

[Mygod]

I cannot reproduce this. What is your Platform as in chrome://version? Mine is 11895.118.0 (Official Build) stable-channel kevin (74 stable channel). Was it working properly before?

I have enabled ADB over network and ran nmap <LAN IP> -p 22,1080,5555 -Pn and got the results:

PORT     STATE    SERVICE
22/tcp   open     ssh
1080/tcp filtered socks
5555/tcp filtered freeciv

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

[Cnly]

Thanks for the quick reply. My platform is 12239.8.0 (Official Build) dev-channel rammus with developer mode disabled, and I didn't test for this when I was on stable. :(

I noticed there's a Enable ARC VPN integration option in chrome://flags, but the port is still open whether it's enabled or disabled.

I've set the port number in settings to 54321 instead of 1080 so it's distinguished from other possible apps, and with nmap <LAN IP> -p 54321,1080 I got:

PORT      STATE  SERVICE
1080/tcp  closed socks
54321/tcp open   unknown

when Shadowsocks is enabled.

[Mygod]

Okay I think I managed to reproduce this with proxy only mode. Can you try if the following command in crosh fixes this?

sudo iptables -t nat -I try_arc -j RETURN

P.S. To revert the effect, reboot or execute sudo iptables -t nat -D try_arc -j RETURN.

[Cnly]

I think I won't be able to get sudo (or even a normal shell) without putting the device into developer mode... which I try not to. But if it's definitely needed then I may be able to do it when I have more time. Sorry about that, but is there any other ways to help confirm the problem?

Also I tested again and I can reproduce this in both VPN and proxy only mode.