-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G   U   A   R   D   E   N   T                        GUARDENT SECURITY ADVISORY
secure digital infrastructure                                       A0208102000
- ------------------------------------------------------------------------------
-
Remote Vulnerability in Gopherd v2.x (University of Minnesota)

August 10, 2000

http://www.guardent.com/advisories/A0208102000.html
- ------------------------------------------------------------------------------
-


- -----------------
EXECUTIVE SUMMARY
- -----------------

There is a vulnerability in the way the standard Unix gopherd 2.x (a.k.a. UMN
gopherd) creates a gopher DES key for authentication.  If properly exploited,
this vulnerability allows a remote user to gain unauthorized root access to
affected systems.


- ----------------
AFFECTED SYSTEMS
- ----------------

Guardent discovered and successfully exploited this vulnerability
under RedHat Linux (although the vulnerability is not platform specific)
using Gopherd 2.3.  Guardent's research and development team immediately
notified the University of Minnesota and provided them with a patch.


- -------------------
DETAILED DISCUSSION
- -------------------

A buffer overflow exists in UMN's gopherd 2.x, which is vulnerable to an
exploit
during the generation of a gopher DES key (called GDESkey).  After the program
returns from the key generation function, it is possible to get arbitrary code
executed by gopherd.  The key generation code is called when the gopher
server attempts to decode a ticket that is received from a client in the form
of: "* <username> <ticket>".  This ticket is where the shellcode may be
stashed.

By default, ALL UMN gopherd 2.x versions are vulnerable unless compiled with
the NO_AUTHENTICATION CPP flag. Compiling with NO_AUTHENTICATION, however,
completely disables user authentication and is probably not done.
Successful exploit of this bug will yield superuser access to the remote
attacker unless gopherd is started with the "-u user_id" switch and "user_id"
is something other than root.


- ------
REMEDY
- ------

Guardent notified the University of Minnesota of this issue immediately after
discovering and verifying the problem.  As a result, U of M was able to apply
our patch to fix the vulnerability.  The latest gopherd has been fixed and is
available for download at:

    ftp://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz

You may opt to install Guardent's official patch manually by using the `patch`
program:

"patch < umn_gopher.patch"

diff -ru gopher2_3.old/gopherd/authenticate.c
gopher2_3/gopherd/authenticate.c
- --- gopher2_3.old/gopherd/authenticate.c    Sat Jun 10 04:03:43 2000
+++ gopher2_3/gopherd/authenticate.c    Thu Aug  3 07:00:56 2000
@@ -494,11 +494,12 @@
      char          keystr[256];
      char         *cp;
      Desnum        c;
- -     int i;
+     int i, keysize;

- -     strcpy(keystr, user);
- -     strcat(keystr, ip);
- -     strcat(keystr, key);
+     i = keysize = sizeof(keystr)-1;
+     strncpy(keystr, user, i), i -= strlen(keystr);
+     strncat(keystr, ip, i), i -= strlen(keystr);
+     strncat(keystr, key, i), keystr[keysize] = '\0';

      Debug("Encoding key %s\n", keystr);


- ----------------------
ADDITIONAL INFORMATION
- ----------------------

To contact the Guardent R&D team, please send email to:

    <guardentresearch@guardent.com>

ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000 GUARDENT, INC.


- --------------------
ABOUT GUARDENT, INC.
- --------------------

Guardent is a next-generation digital security services firm offering strategic
solutions for technology-enabled enterprises. As a trusted security advisor,
Guardent partners with clients to meet their requirements for the continuous
innovation and development of their IT infrastructures, while mitigating the
risks inherent in today's complex networked environments.

Headquartered in the heart of Boston's technology corridor, Guardent has
operations in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto,
and London.

Obtain more information on Guardent by calling 888.413.4344 or by visiting
us on the web at http://www.guardent.com.

Press contact:      Dan McCall
                    Executive Vice President, Guardent, Inc.
                    dan.mccall@guardent.com
                    617.513.6623

Technical contact:  Mike Schiffman
                    Director, Research and Development, Guardent, Inc.
                    mike.schiffman@guardent.com
                    888.413.4344

EOF

- --
Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOZL9SgHhCsRVdxmnEQJ39wCgsTAfyWbzspi8roBf5IT/v2jYRbUAoNa7
gMz6fHsMznHH+npXP0H6N7bO
=IQiA
-----END PGP SIGNATURE-----