Advisories : Remote Vulnerability in Gopherd v2.x

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : Remote Vulnerability in Gopherd v2.x

Title:	Remote Vulnerability in Gopherd v2.x
Released by:	GUARDENT
Date:	10th August 2000
Printable version:	Click here

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



G   U   A   R   D   E   N   T                        GUARDENT SECURITY ADVISORY

secure digital infrastructure                                       A0208102000

- ------------------------------------------------------------------------------

-

Remote Vulnerability in Gopherd v2.x (University of Minnesota)



August 10, 2000



http://www.guardent.com/advisories/A0208102000.html

- ------------------------------------------------------------------------------

-





- -----------------

EXECUTIVE SUMMARY

- -----------------



There is a vulnerability in the way the standard Unix gopherd 2.x (a.k.a. UMN

gopherd) creates a gopher DES key for authentication.  If properly exploited,

this vulnerability allows a remote user to gain unauthorized root access to

affected systems.





- ----------------

AFFECTED SYSTEMS

- ----------------



Guardent discovered and successfully exploited this vulnerability

under RedHat Linux (although the vulnerability is not platform specific)

using Gopherd 2.3.  Guardent's research and development team immediately

notified the University of Minnesota and provided them with a patch.





- -------------------

DETAILED DISCUSSION

- -------------------



A buffer overflow exists in UMN's gopherd 2.x, which is vulnerable to an

exploit

during the generation of a gopher DES key (called GDESkey).  After the program

returns from the key generation function, it is possible to get arbitrary code

executed by gopherd.  The key generation code is called when the gopher

server attempts to decode a ticket that is received from a client in the form

of: "*  ".  This ticket is where the shellcode may be

stashed.



By default, ALL UMN gopherd 2.x versions are vulnerable unless compiled with

the NO_AUTHENTICATION CPP flag. Compiling with NO_AUTHENTICATION, however,

completely disables user authentication and is probably not done.

Successful exploit of this bug will yield superuser access to the remote

attacker unless gopherd is started with the "-u user_id" switch and "user_id"

is something other than root.





- ------

REMEDY

- ------



Guardent notified the University of Minnesota of this issue immediately after

discovering and verifying the problem.  As a result, U of M was able to apply

our patch to fix the vulnerability.  The latest gopherd has been fixed and is

available for download at:



    http://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz



You may opt to install Guardent's official patch manually by using the `patch`

program:



"patch < umn_gopher.patch"



diff -ru gopher2_3.old/gopherd/authenticate.c

gopher2_3/gopherd/authenticate.c

- --- gopher2_3.old/gopherd/authenticate.c    Sat Jun 10 04:03:43 2000

+++ gopher2_3/gopherd/authenticate.c    Thu Aug  3 07:00:56 2000

@@ -494,11 +494,12 @@

      char          keystr[256];

      char         *cp;

      Desnum        c;

- -     int i;

+     int i, keysize;



- -     strcpy(keystr, user);

- -     strcat(keystr, ip);

- -     strcat(keystr, key);

+     i = keysize = sizeof(keystr)-1;

+     strncpy(keystr, user, i), i -= strlen(keystr);

+     strncat(keystr, ip, i), i -= strlen(keystr);

+     strncat(keystr, key, i), keystr[keysize] = '\0';



      Debug("Encoding key %s\n", keystr);





- ----------------------

ADDITIONAL INFORMATION

- ----------------------



To contact the Guardent R&D team, please send email to:



    



ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000 GUARDENT, INC.





- --------------------

ABOUT GUARDENT, INC.

- --------------------



Guardent is a next-generation digital security services firm offering strategic

solutions for technology-enabled enterprises. As a trusted security advisor,

Guardent partners with clients to meet their requirements for the continuous

innovation and development of their IT infrastructures, while mitigating the

risks inherent in today's complex networked environments.



Headquartered in the heart of Boston's technology corridor, Guardent has

operations in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto,

and London.



Obtain more information on Guardent by calling 888.413.4344 or by visiting

us on the web at http://www.guardent.com.



Press contact:      Dan McCall

                    Executive Vice President, Guardent, Inc.

                    dan.mccall@guardent.com

                    617.513.6623



Technical contact:  Mike Schiffman

                    Director, Research and Development, Guardent, Inc.

                    mike.schiffman@guardent.com

                    888.413.4344



EOF



- --

Mike D. Schiffman

Director of Research and Development

Guardent, Inc.

http://www.guardent.com



-----BEGIN PGP SIGNATURE-----

Version: PGP 6.5.3



iQA/AwUBOZL9SgHhCsRVdxmnEQJ39wCgsTAfyWbzspi8roBf5IT/v2jYRbUAoNa7

gMz6fHsMznHH+npXP0H6N7bO

=IQiA

-----END PGP SIGNATURE-----