[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]
(fwd) Remote vulnerability in Gopherd 2.x

To: linux-delhi@xxxxxxxxxxxxxxxxxxxxx, linux-india-help@xxxxxxxxxxxxxxxxxxxxx
Subject: (fwd) Remote vulnerability in Gopherd 2.x
From: Raju Mathur <raju@xxxxxxxxxxxxxxx>
Date: Sat, 12 Aug 2000 08:17:03 +0530 (IST)
Reply-to: raju@xxxxxxxxxxxxxxx
[If you run a Gopher server, either disable it until your distribution
comes up with a fixed gopherd, or get the source from the included URL
and compile a new gopherd -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Approved-By: aleph1@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by
          lists.securityfocus.com (Postfix) with SMTP id 8D9EF20D76 for
          <bugtraq@xxxxxxxxxxxxxxxxxxxxxxx>; Thu, 10 Aug 2000 12:04:41 -0700
          (PDT)
Received: (qmail 8939 invoked by alias); 10 Aug 2000 19:05:29 -0000
Delivered-To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Received: (qmail 8935 invoked from network); 10 Aug 2000 19:05:28 -0000
Received: from unknown (HELO usbosfw01.guardent.com) (64.28.84.14) by
          mail.securityfocus.com with SMTP; 10 Aug 2000 19:05:28 -0000
Received: from mail.guardent.com by usbosfw01.guardent.com via smtpd (for
          mail.securityfocus.com [207.126.127.78]) with SMTP; 10 Aug 2000
          22:03:04 UT
Received: from shank (www.guardent.com [64.28.84.18]) by usbosmx01.guardent.com
          with SMTP (Microsoft Exchange Internet Mail Service Version
          5.5.2650.21) id PSGJ4BQY; Thu, 10 Aug 2000 15:06:07 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Message-ID:  <NEBBIMCMELMGHFGLLFEIOEAOCCAA.michael.schiffman@xxxxxxxxxxxx>
Reply-To: michael.schiffman@xxxxxxxxxxxx
From: Mike Schiffman <michael.schiffman@xxxxxxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject:      Remote vulnerability in Gopherd 2.x
Date:         Thu, 10 Aug 2000 12:06:51 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G   U   A   R   D   E   N   T                        GUARDENT SECURITY ADVISORY
secure digital infrastructure                                       A0208102000
- ------------------------------------------------------------------------------
-
Remote Vulnerability in Gopherd v2.x (University of Minnesota)

August 10, 2000

http://www.guardent.com/advisories/A0208102000.html
- ------------------------------------------------------------------------------
-


- -----------------
EXECUTIVE SUMMARY
- -----------------

There is a vulnerability in the way the standard Unix gopherd 2.x (a.k.a. UMN
gopherd) creates a gopher DES key for authentication.  If properly exploited,
this vulnerability allows a remote user to gain unauthorized root access to
affected systems.


- ----------------
AFFECTED SYSTEMS
- ----------------

Guardent discovered and successfully exploited this vulnerability
under RedHat Linux (although the vulnerability is not platform specific)
using Gopherd 2.3.  Guardent's research and development team immediately
notified the University of Minnesota and provided them with a patch.


- -------------------
DETAILED DISCUSSION
- -------------------

A buffer overflow exists in UMN's gopherd 2.x, which is vulnerable to an
exploit
during the generation of a gopher DES key (called GDESkey).  After the program
returns from the key generation function, it is possible to get arbitrary code
executed by gopherd.  The key generation code is called when the gopher
server attempts to decode a ticket that is received from a client in the form
of: "* <username> <ticket>".  This ticket is where the shellcode may be
stashed.

By default, ALL UMN gopherd 2.x versions are vulnerable unless compiled with
the NO_AUTHENTICATION CPP flag. Compiling with NO_AUTHENTICATION, however,
completely disables user authentication and is probably not done.
Successful exploit of this bug will yield superuser access to the remote
attacker unless gopherd is started with the "-u user_id" switch and "user_id"
is something other than root.


- ------
REMEDY
- ------

Guardent notified the University of Minnesota of this issue immediately after
discovering and verifying the problem.  As a result, U of M was able to apply
our patch to fix the vulnerability.  The latest gopherd has been fixed and is
available for download at:

    ftp://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz

You may opt to install Guardent's official patch manually by using the `patch`
program:

"patch < umn_gopher.patch"

diff -ru gopher2_3.old/gopherd/authenticate.c
gopher2_3/gopherd/authenticate.c
- --- gopher2_3.old/gopherd/authenticate.c    Sat Jun 10 04:03:43 2000
+++ gopher2_3/gopherd/authenticate.c    Thu Aug  3 07:00:56 2000
@@ -494,11 +494,12 @@
      char          keystr[256];
      char         *cp;
      Desnum        c;
- -     int i;
+     int i, keysize;

- -     strcpy(keystr, user);
- -     strcat(keystr, ip);
- -     strcat(keystr, key);
+     i = keysize = sizeof(keystr)-1;
+     strncpy(keystr, user, i), i -= strlen(keystr);
+     strncat(keystr, ip, i), i -= strlen(keystr);
+     strncat(keystr, key, i), keystr[keysize] = '\0';

      Debug("Encoding key %s\n", keystr);


- ----------------------
ADDITIONAL INFORMATION
- ----------------------

To contact the Guardent R&D team, please send email to:

    <guardentresearch@xxxxxxxxxxxx>

ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000 GUARDENT, INC.


- --------------------
ABOUT GUARDENT, INC.
- --------------------

Guardent is a next-generation digital security services firm offering strategic
solutions for technology-enabled enterprises. As a trusted security advisor,
Guardent partners with clients to meet their requirements for the continuous
innovation and development of their IT infrastructures, while mitigating the
risks inherent in today's complex networked environments.

Headquartered in the heart of Boston's technology corridor, Guardent has
operations in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto,
and London.

Obtain more information on Guardent by calling 888.413.4344 or by visiting
us on the web at http://www.guardent.com.

Press contact:      Dan McCall
                    Executive Vice President, Guardent, Inc.
                    dan.mccall@xxxxxxxxxxxx
                    617.513.6623

Technical contact:  Mike Schiffman
                    Director, Research and Development, Guardent, Inc.
                    mike.schiffman@xxxxxxxxxxxx
                    888.413.4344

EOF

- --
Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOZL9SgHhCsRVdxmnEQJ39wCgsTAfyWbzspi8roBf5IT/v2jYRbUAoNa7
gMz6fHsMznHH+npXP0H6N7bO
=IQiA
-----END PGP SIGNATURE-----

------------------------------

End of this Digest
******************
Prev by Subject: (fwd) Re: SuSE Security Announcement: Netscape
Next by Subject: (fwd) Security Update: sperl vulnerability
Previous by thread: Re: CD Repair
Next by thread: Mounting a FAT32 partition
Index(es):
- Subject
- Thread