NASIRC BULLETIN # 94-06 March 11, 1994
Security Vulnerability in Gopher
===========================================================
__ __ __ ___ ___ ____ ____
/_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\
| |\ \| || / \ \ | /\/ | || | /\ \/ | | \/
| ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | |
| || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
|_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/
NASA Automated Systems Incident Response Capability
===========================================================
NASIRC recently received notification of new security vulnerabilities in
UNIX-based gopher systems that could allow unauthorized access to files
in directories above the gopher data directory, including password files.
This problem affects both clients and servers, including the recently
released gopher1.13 and 2.012.
THE PROBLEM:
A failure in the gopher server's (gopherd) internal access controls can
allow files in directories above the gopher data directory (for example,
the password file) to be read if gopherd is not running chroot. This
problem can be found in all versions before gopher1.13 (Gopher) and
gopher2.012 (Gopher+).
This vulnerability only affects servers that are started with the option
"-c". Without this option, gopherd runs chroot in the gopher-data
directory, and files above that directory cannot be reached.
The DFN-CERT in Germany has recommended to its constituency that all
sites with public access gopher clients turn them off until a fix is
applied. NASIRC agrees that NASA system administrators should apply the
fix described below, but we currently do *not* feel that shutting down
all gophers in the interim is necessary.
DETERMINING YOUR VULNERABILITY:
All versions before gopher1.13 (Gopher) and gopher2.012 (Gopher+) are
vulnerable. If gopherd is started with the option "-c" (check your local
/etc/inetd.conf or /etc/rc.* files), the system is vulnerable to attack.
To determine whether this vulnerability has been exploited, check the
gopher logs as follows. First, find the actual gopher-log filename: look
at the argument to the -l option on the gopherd line in /etc/inetd.conf,
or at the "Logfile:" entry in the gopherd.conf file. Then issue the
following command:
grep "\.\." logfilename
(For example, if your system's gopher-log file is /var/adm/gopher.log,
you would type: host% grep "\.\." /var/adm/gopher.log)
Every line displayed by this command shows a potential attack, since ".."
in a requested path is an attempt to climb out of the gopher-data
directory. If the string is found, all users should change their
passwords and you should examine the system for possible intrusions or
unauthorized use.
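The two checks above (gopherd started with "-c", and ".." in the gopher log) as one audit script. This is an added example and not part of the NASIRC bulletin: the inetd.conf fragment, the gopherd argument layout on it, the log lines and their format are all constructed for the demonstration (consult your own gopherd manual for the real option syntax); only the grep for ".." is the bulletin's own command. The script also shows how a flagged startup line looks with "-c" removed.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: audit a host for the two
# conditions the bulletin describes. (1) gopherd started with "-c", which
# disables the chroot; (2) ".." in the gopher log, the sign of an attempt to
# climb out of the gopher-data directory. Everything below (paths, the
# inetd.conf lines, the log lines) is constructed for the demonstration.

SAMPLE_INETD=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_INETD" "$SAMPLE_LOG"' EXIT

# Constructed /etc/inetd.conf fragment. The gopherd argument layout is an
# assumption for illustration (check your gopherd manual); the point is the
# "-c" flag on the active line. The commented-out line must not be flagged.
cat >"$SAMPLE_INETD" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/etc/ftpd           ftpd -l
#gopher stream  tcp  nowait  root  /usr/local/etc/gopherd  gopherd -I -c /usr/local/gopher-data 70
gopher  stream  tcp  nowait  root  /usr/local/etc/gopherd  gopherd -I -c /usr/local/gopher-data 70
EOF

# Constructed log lines in an illustrative format; only the last two carry "..".
cat >"$SAMPLE_LOG" <<'EOF'
Fri Mar 11 10:01:12 1994 client1.example.org : retrieved file /docs/readme.txt
Fri Mar 11 10:02:40 1994 client2.example.org : retrieved directory /docs
Fri Mar 11 10:05:03 1994 attacker.example.net : retrieved file /../../etc/passwd
Fri Mar 11 10:05:09 1994 attacker.example.net : retrieved file /docs/../../../../etc/passwd
EOF

# Regex for a single-dash flag cluster that contains "c" (-c, -Ic, -cI ...),
# matching gopherd's single-letter option style. A "c" inside a longer word
# such as a path is not matched, because a space or line start must precede
# the dash.
C_FLAG='(^|[[:space:]])-[A-Za-z]*c[A-Za-z]*([[:space:]]|$)'

# Count active (uncommented) gopherd lines in an inetd.conf or rc file that
# pass "-c". Prints the count; never fails, so it is safe under "set -e".
count_gopherd_c_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep 'gopherd' | grep -c -E "$C_FLAG" || true
}

# The bulletin's check, verbatim: every line containing ".." is a potential
# attack. Print the lines, or just the count for a cron job to alert on.
traversal_lines() { grep '\.\.' "$1" || true; }
count_traversal()  { grep -c '\.\.' "$1" || true; }

# Remediation helper: rewrite a gopherd startup line without "-c". A
# standalone "-c" is dropped; a "c" inside a flag cluster is removed, so
# "-Ic" becomes "-I". Reads stdin, writes stdout.
drop_c_option() {
    sed -E -e 's/(^|[[:space:]])-c([[:space:]]|$)/\2/' \
           -e 's/(^|[[:space:]])(-[A-Za-z]*)c([A-Za-z]*)([[:space:]]|$)/\1\2\3\4/'
}

echo "active gopherd lines using -c: $(count_gopherd_c_lines "$SAMPLE_INETD")"
echo "\"..\" requests in log:        $(count_traversal "$SAMPLE_LOG")"
traversal_lines "$SAMPLE_LOG"
echo "corrected startup line(s):"
grep -v '^[[:space:]]*#' "$SAMPLE_INETD" | grep 'gopherd' | drop_c_option
```

Point the two count functions at your real /etc/inetd.conf, /etc/rc.* files and gopher log instead of the constructed samples; a non-zero count from either is the condition the bulletin tells you to act on. The drop_c_option output is only a preview of the corrected line; edit the startup file by hand and restart inetd (or gopherd) for the change to take effect.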
FIXING THE PROBLEM:
Essentially, the "-c" option should NOT be used to start gopherd.
It is also suggested that you run the most recent versions of gopher, as
they fix other potential vulnerabilities: gopher1.13 (Gopher) and
gopher2.012 (Gopher+). They can be acquired via anonymous ftp from
several Internet sites, most notably boombox.micro.umn.edu; on that
system, look in /pub/gopher/Unix for the files gopher1.13.tar.Z and
gopher2.012.tar.Z.
If for some reason your system requires the use of the "-c" option when
starting gopherd, a tool called "chrootuid" is available that allows you
to run commands in restricted environments. If you use this tool to
chroot before the gopher server is started (in the same way TCP Wrapper
is placed in front of a service), you can still use the "-c" option,
because the chroot has already taken place before gopherd runs. The use
of chrootuid to protect the gopher server is detailed in the tool's
README file. The chrootuid package is available via anonymous ftp from
the NASIRC server.
Note that using chrootuid and/or changing the gopherd startup syntax
constitutes a configuration change which will allow you to run the WAIS
search engine and FTP Gateway in a secure way, but which may interfere
with other gopher-based services; be sure to test all aspects of your
client or server before pronouncing the work "done." In addition, the
overall security of your local system can be affected by the gopher-based
services (e.g., storing compressed files, telnet links, other gateways)
that you choose to offer.
NASIRC will continue to monitor the situation and will post additional
information as appropriate. If you have any questions concerning gopher
security, feel free to contact us at any of the venues listed below.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: The DFN-CERT in Hamburg, Germany, for
forwarding this information in a rapid and timely manner.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
===============================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================
This bulletin may be forwarded without restriction to sites and
system administrators within the NASA community.
The NASIRC online archive system is available via anonymous ftp.
Just ftp to nasirc.nasa.gov and login as anonymous. You will be
required to enter your valid e-mail address. Once there you can
access the following information:
/toolkits ! contains automated toolkit software
/bulletins ! contains NASIRC bulletins
Information maintained in these directories is updated on a continuous
basis with relevant software and information. Contact the NASIRC
Helpdesk for more information or assistance with toolkits or security
measures.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of
Incident Response and Security Teams (FIRST), a world-wide organization
which provides for coordination between incident response teams
in handling computer-security-related issues. You can obtain a list
of FIRST member organizations and their constituencies by sending
email to docserver@first.org with an empty "subject" line and a
message body containing the line "send first-contacts".