[3933] in WWW Security List Archive
Re: Potential Gopher Exploit (fwd)
daemon@ATHENA.MIT.EDU (Neophytos Iacovou)
Tue Dec 31 19:52:45 1996
From: Neophytos Iacovou <iacovou@phish.micro.umn.edu>
To: bwc0003@jove.acs.unt.edu (Benjamin Wayne Camp)
Date: Tue, 31 Dec 1996 15:20:28 -0600 (CST)
Cc: www-security@ns2.rutgers.edu, aisecur!HReilly@bpd.treas.gov
In-Reply-To: <Pine.GSO.3.95.961228012134.26249B-100000@jove.acs.unt.edu> from "Benjamin Wayne Camp" at Dec 28, 96 01:23:13 am
Reply-To: iacovou@boombox.micro.umn.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Benjamin Wayne Camp writes:
>
> This is a repost of something from about 4 months ago about
Benjamin, can you do me a favor? Next time you re-post your original
message, can you re-post my original response? I've had a lot of
e-mail on this in the last few days. Thanks!
Here is a copy just in case:
> I am not sure of other Gopher servers but in the case of the UofMn
> gopherd it seems this behavior does not exist in versions 2.1 pl4
> and higher (as an aside during 2.2 pl0 the ftp gateway was re-written).
> It is possible that it is fixed in one of these versions as well:
> 2.1 pl1, 2.1 pl2, 2.1 pl3 (but I don't have these running).
>
> I don't have a server around with the reported behavior so I can not
> verify what the logs report but I bet it does show the retrieved item
> as well as the date/time/host the connection originated from.
>
> I would suggest upgrading the server to at least 2.2 pl0 (if not 2.3)
>
>
> BTW: Benjamin, thanks for pointing this out.
> ---------- Forwarded message ----------
> Date: Tue, 27 Aug 1996 16:15:06 -0500 (CDT)
> From: Benjamin Wayne Camp <bwc0003@jove.acs.unt.edu>
> To: best-of-security@suburbia.net
> Cc: benc@geocel.com
> Subject: BoS: Potential Gopher Exploit
> Resent-Date: Wed, 28 Aug 1996 07:17:15 +1000
> Resent-From: best-of-security@suburbia.net
>
> Something funny I noticed about Gopher yesterday.. It does what it's
> supposed to do.
>
> Intro:
> Gopher is a really simple protocol. It runs on TCP on port 70. Basically
> it works like this.
>
> Client Connects
> Client Sends: requesteddoc<CRLF>
> Server Sends: XName of document<TAB>path to document<TAB>site<TAB>
> port<TAB>+
> .. and repeats through an index list ..
>
> blah...
>
> Well.. I'd just assumed that the client would handle FTP (much like most
> HTTP clients)... wrong.
>
> Problem:
> If you send "ftp:ftp.site.com@/" as your requested document, the gopher
> server logs on to the ftp site anonymously and acts as a proxy. You can
> do this with all the gopher servers I've tried. This is no secret or
> magic trick, it seems as though a lot of gophers link into FTP servers.
> I've just never heard anyone talking about this, and it appears to be a
> hugely widespread problem. I doubt gopher's logging facilities are up to
> par anyway. That makes your ftp a hell of a lot more anonymous.
>
> Issue:
> It seems like a relatively trivial thing to access an intranet ftp server
> on the other side of a firewall if you can make it look like it's coming
> from the gopher server... after all .. it is :)
>
> Not to mention, this kind of opens up the field for transferring munitions
> (uhh.. I mean crypto stuff) and making it look like it came from the US.
> After all, who runs a crypto gopher site.
>
> So Basically:
> gopher://gopher.anysite.com/ftp:ftp.anothersite.com@/ makes
> gopher.anysite.com act as a proxy for ftp.anothersite.com
>
> Summary:
> Don't run GopherD on your firewall. This is probably a configuration
> issue, but since I'm not a gopher monger I wouldn't know.
>
> Ben Camp
> ----------------------------------------------------------------------
> Disclaimer: I am not the gopher mack daddy.
>
>
>
--------------------------------------------------------------------------------
Neophytos Iacovou University of Minnesota
Academic & Distributed Computing Services 100 Union St. SE
email: iacovou@boombox.micro.umn.edu Minneapolis, MN 55455 USA
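The thread describes two things a practitioner may want to see in code: the Gopher wire format (client sends selector<CRLF>, server answers TAB-separated menu lines) and the "ftp:host@path" selector that made a gopherd open an anonymous FTP session on the client's behalf. The Python below is an added example, not code from the thread or from UMN gopherd. It parses a constructed menu, recognizes FTP-gateway selectors in a constructed list of requested selectors (the kind of thing you would pull from a request log), and includes a live probe for checking your own server. The regex's exact shape and the case-sensitive match are assumptions; the host names and the internal-host list are made up.

```python
"""Gopher wire format (as in the thread / RFC 1436) plus a check for selectors
that turn a gopherd into an FTP proxy.  Added example; sample data is constructed."""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass

GOPHER_PORT = 70
CRLF = "\r\n"

# Selector shape from the thread: ftp:<host>@<path>.  Anchored, case-sensitive
# match is an assumption about how a server would recognize it.
FTP_SELECTOR = re.compile(r"^ftp:(?P<host>[^@/\s]+)@(?P<path>.*)$")


@dataclass
class MenuItem:
    item_type: str      # one character: '0' text file, '1' directory, ...
    display: str
    selector: str
    host: str
    port: int
    gopher_plus: bool   # trailing "+" field mentioned in the thread


def build_request(selector: str) -> bytes:
    """Bytes a client sends right after connecting: selector<CRLF>."""
    if any(c in selector for c in "\r\n\t"):
        raise ValueError("selector must not contain CR, LF or TAB")
    return (selector + CRLF).encode("latin-1")


def parse_menu(payload: str) -> list[MenuItem]:
    """Parse a menu response: <type><display>TAB<selector>TAB<host>TAB<port>[TAB+], ended by '.'."""
    items: list[MenuItem] = []
    for line in payload.split(CRLF):
        if line == ".":          # end-of-menu marker
            break
        if not line:
            continue
        fields = line[1:].split("\t")
        if len(fields) < 4:
            raise ValueError(f"malformed menu line: {line!r}")
        display, selector, host, port = fields[:4]
        items.append(MenuItem(line[0], display, selector, host, int(port),
                              gopher_plus=len(fields) > 4 and fields[4] == "+"))
    return items


def ftp_gateway_target(selector: str) -> tuple[str, str] | None:
    """(ftp_host, path) if the selector would make the server proxy FTP, else None."""
    m = FTP_SELECTOR.match(selector)
    return (m.group("host"), m.group("path")) if m else None


def audit_selectors(selectors: list[str], internal_hosts: tuple[str, ...] = ()) -> list[dict]:
    """Flag requested selectors that make the gopherd act as an FTP proxy.
    internal_hosts (constructed list): FTP hosts reachable from the gopher server
    but not from outside, i.e. the firewall case raised in the thread."""
    internal = {h.lower() for h in internal_hosts}
    findings = []
    for sel in selectors:
        target = ftp_gateway_target(sel)
        if target is None:
            continue
        host, path = target
        findings.append({"selector": sel, "ftp_host": host, "path": path,
                         "internal": host.lower() in internal})
    return findings


def probe_ftp_gateway(gopher_host: str, ftp_host: str, path: str = "/",
                      port: int = GOPHER_PORT, timeout: float = 10.0) -> bytes:
    """Live check against your own server (touches the network; not called here):
    send an ftp: selector and return the first reply bytes for inspection."""
    with socket.create_connection((gopher_host, port), timeout=timeout) as s:
        s.sendall(build_request(f"ftp:{ftp_host}@{path}"))
        return s.recv(4096)


# Constructed sample data: one menu response and four requested selectors.
SAMPLE_MENU = (
    "1About this server\t/about\tgopher.example.net\t70\t+" + CRLF
    + "0README\t/readme.txt\tgopher.example.net\t70" + CRLF
    + "1FTP archive\tftp:ftp.example.org@/pub/\tgopher.example.net\t70" + CRLF
    + "." + CRLF
)
SAMPLE_REQUESTS = [
    "/about",
    "ftp:ftp.anothersite.com@/",
    "ftp:fileserver.intranet.example@/finance/",
    "/readme.txt",
]

if __name__ == "__main__":
    for item in parse_menu(SAMPLE_MENU):
        print(item)
    for f in audit_selectors(SAMPLE_REQUESTS, internal_hosts=("fileserver.intranet.example",)):
        print("FTP gateway request:", f)
```

Running it prints the three parsed menu items and two flagged requests, the second of which targets the constructed internal host. The actual remedy stays the one Iacovou gives: upgrade gopherd (2.2 pl0 or later) and do not run it on the firewall; the audit only tells you whether such selectors are being requested.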