[3908] in WWW Security List Archive
Potential Gopher Exploit (fwd)
daemon@ATHENA.MIT.EDU (Benjamin Wayne Camp)
Sat Dec 28 04:23:13 1996
Date: Sat, 28 Dec 1996 01:23:13 -0600 (CST)
From: Benjamin Wayne Camp <bwc0003@jove.acs.unt.edu>
To: www-security@ns2.rutgers.edu
cc: aisecur!HReilly@bpd.treas.gov
Errors-To: owner-www-security@ns2.rutgers.edu
This is a repost of something from about 4 months ago about
---------- Forwarded message ----------
Date: Tue, 27 Aug 1996 16:15:06 -0500 (CDT)
From: Benjamin Wayne Camp <bwc0003@jove.acs.unt.edu>
To: best-of-security@suburbia.net
Cc: benc@geocel.com
Subject: BoS: Potential Gopher Exploit
Resent-Date: Wed, 28 Aug 1996 07:17:15 +1000
Resent-From: best-of-security@suburbia.net
Something funny I noticed about Gopher yesterday.. It does what it's
supposed to do.
Intro:
Gopher is a really simple protocol. It runs on TCP on port 70. Basically
it works like this.
Client Connects
Client Sends: requesteddoc<CRLF>
Server Sends: XName of document <TAB> path to document <TAB> site <TAB>
port <TAB> +
.. and repeats through an index list ..
blah...
Well.. I'd just assumed that the client would handle FTP (much like most
http clients)... wrong
Problem:
If you send "ftp:ftp.site.com@/" as your requested document, the gopher
server logs on to the ftp site anonymously and acts as a proxy. You can
do this with all the gopher servers I've tried. This is no secret or
magic trick, it seems as though a lot of gophers link into FTP servers.
I've just never heard anyone talking about this, and it appears to be a
hugely widespread problem. I doubt gopher's logging facilities are up to
par anyway. That makes your ftp a hell of a lot more anonymous.
Issue:
It seems like a relatively trivial thing to access an intranet ftp server
on the other side of a firewall if you can make it look like it's coming
from the gopher server... after all .. it is :)
Not to mention, this kind of opens up the field for transferring munitions
(uhh.. I mean crypto stuff) and making it look like it came from the US.
After all, who runs a crypto gopher site.
So Basically:
gopher://gopher.anysite.com/ftp:ftp.anothersite.com@/ makes
gopher.anysite.com act as a proxy for ftp.anothersite.com
Summary:
Don't run GopherD on your firewall. This is probably a configuration
issue, but since I'm not a gopher monger I wouldn't know.
Ben Camp
----------------------------------------------------------------------
Disclaimer: I am not the gopher mack daddy.
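An added example, not part of Ben Camp's post or of any gopherd: a small Python parser for the menu lines described in the Intro, plus a server-side check that refuses "ftp:host@path" gateway selectors unless the FTP host is on an allowlist, the kind of configuration restriction the Summary hints at. The function names, the allowlist policy and the sample menu are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
# Menu line format from the post: <type><name> TAB <selector> TAB <host> TAB <port> [TAB +]
# A lone "." ends the listing; the trailing "+" marks a Gopher+ capable item.
@dataclass
class MenuItem:
    item_type: str
    name: str
    selector: str
    host: str
    port: int
    gopher_plus: bool

# Selector shape that makes a gopherd log in to a remote FTP site: "ftp:<host>@<path>"
FTP_GATEWAY = re.compile(r"^ftp:(?P<host>[^@/]+)@(?P<path>.*)$")

def parse_menu_line(line):
    """Parse one menu line; return None for the terminating '.' line."""
    line = line.rstrip("\r\n")
    if line == ".":
        return None
    fields = line.split("\t")
    if len(fields) < 4 or not fields[0]:
        raise ValueError(f"malformed gopher menu line: {line!r}")
    return MenuItem(fields[0][0], fields[0][1:], fields[1], fields[2],
                    int(fields[3]), len(fields) > 4 and fields[4] == "+")

def ftp_gateway_target(selector):
    """Return (ftp_host, path) if this selector would make the server proxy FTP, else None."""
    m = FTP_GATEWAY.match(selector)
    return (m.group("host").lower(), m.group("path")) if m else None

def selector_allowed(selector, allowed_ftp_hosts):
    """Server-side policy: ordinary selectors pass; ftp: selectors need an allowlisted host."""
    target = ftp_gateway_target(selector)
    return target is None or target[0] in allowed_ftp_hosts

def audit_menu(menu_text, allowed_ftp_hosts):
    """Return menu items whose selector would proxy to an FTP host outside the allowlist."""
    items = (parse_menu_line(l) for l in menu_text.splitlines())
    return [i for i in items if i is not None and not selector_allowed(i.selector, allowed_ftp_hosts)]

# Constructed sample menu; host names are the placeholders used in the post, not real sites.
SAMPLE_MENU = "\r\n".join([
    "0About this server\t0/about.txt\tgopher.anysite.com\t70\t+",
    "1Mirror of anothersite\tftp:ftp.anothersite.com@/\tgopher.anysite.com\t70",
    "1Internal archive\tftp:ftp.intranet.example@/pub\tgopher.anysite.com\t70",
    ".",
])
```

Running audit_menu(SAMPLE_MENU, {"ftp.anothersite.com"}) flags only the "Internal archive" entry, the one that would proxy to a host outside the allowlist.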