5354235 2000-08-12 03:49 /154 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12173>
Subject: Remote vulnerability in Gopherd 2.x
------------------------------------------------------------
From: Mike Schiffman <michael.schiffman@GUARDENT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <NEBBIMCMELMGHFGLLFEIOEAOCCAA.michael.schiffman@guardent.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G U A R D E N T
GUARDENT SECURITY ADVISORY
secure digital infrastructure
A0208102000
------------------------------------------------------------------------------
Remote Vulnerability in Gopherd v2.x (University of Minnesota)
August 10, 2000
http://www.guardent.com/advisories/A0208102000.html
------------------------------------------------------------------------------

-----------------
EXECUTIVE SUMMARY
-----------------

There is a vulnerability in the way the standard Unix gopherd 2.x (a.k.a. UMN gopherd) creates a gopher DES key for authentication. If properly exploited, this vulnerability allows a remote user to gain unauthorized root access to affected systems.

----------------
AFFECTED SYSTEMS
----------------

Guardent discovered and successfully exploited this vulnerability under RedHat Linux (although the vulnerability is not platform specific) using Gopherd 2.3. Guardent's research and development team immediately notified the University of Minnesota and provided them with a patch.

-------------------
DETAILED DISCUSSION
-------------------

A buffer overflow exists in UMN's gopherd 2.x, which is vulnerable to an exploit during the generation of a gopher DES key (called GDESkey). After the program returns from the key generation function, it is possible to get arbitrary code executed by gopherd. The key generation code is called when the gopher server attempts to decode a ticket that is received from a client in the form of: "* <username> <ticket>". This ticket is where the shellcode may be stashed. By default, ALL UMN gopherd 2.x versions are vulnerable unless compiled with the NO_AUTHENTICATION CPP flag. Compiling with NO_AUTHENTICATION, however, completely disables user authentication and is probably not done.
Successful exploit of this bug will yield superuser access to the remote attacker unless gopherd is started with the "-u user_id" switch and "user_id" is something other than root.

------
REMEDY
------

Guardent notified the University of Minnesota of this issue immediately after discovering and verifying the problem. As a result, U of M was able to apply our patch to fix the vulnerability. The latest gopherd has been fixed and is available for download at:

ftp://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz

You may opt to install Guardent's official patch manually by using the `patch` program: "patch < umn_gopher.patch"

diff -ru gopher2_3.old/gopherd/authenticate.c gopher2_3/gopherd/authenticate.c
- --- gopher2_3.old/gopherd/authenticate.c Sat Jun 10 04:03:43 2000
+++ gopher2_3/gopherd/authenticate.c Thu Aug 3 07:00:56 2000
@@ -494,11 +494,12 @@
 char keystr[256];
 char *cp;
 Desnum c;
- - int i;
+ int i, keysize;
- - strcpy(keystr, user);
- - strcat(keystr, ip);
- - strcat(keystr, key);
+ i = keysize = sizeof(keystr)-1;
+ strncpy(keystr, user, i), i -= strlen(keystr);
+ strncat(keystr, ip, i), i -= strlen(keystr);
+ strncat(keystr, key, i), keystr[keysize] = '\0';
 Debug("Encoding key %s\n", keystr);

----------------------
ADDITIONAL INFORMATION
----------------------

To contact the Guardent R&D team, please send email to: <guardentresearch@guardent.com>

ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000 GUARDENT, INC.

--------------------
ABOUT GUARDENT, INC.
--------------------

Guardent is a next-generation digital security services firm offering strategic solutions for technology-enabled enterprises. As a trusted security advisor, Guardent partners with clients to meet their requirements for the continuous innovation and development of their IT infrastructures, while mitigating the risks inherent in today's complex networked environments. Headquartered in the heart of Boston's technology corridor, Guardent has operations in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto, and London. Obtain more information on Guardent by calling 888.413.4344 or by visiting us on the web at http://www.guardent.com.

Press contact:
Dan McCall
Executive Vice President, Guardent, Inc.
dan.mccall@guardent.com
617.513.6623

Technical contact:
Mike Schiffman
Director, Research and Development, Guardent, Inc.
mike.schiffman@guardent.com
888.413.4344

EOF

--
Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
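Review bot: the budget arithmetic in the two `+` lines `strncpy(keystr, user, i), i -= strlen(keystr);` and `strncat(keystr, ip, i), i -= strlen(keystr);` is wrong: each step subtracts the whole accumulated length of `keystr` from `i` instead of recomputing the remaining room from `keysize`, so `i` goes negative as soon as the string built so far is longer than the previous budget (a 100-byte `user` and a 100-byte `ip` leave i = 155 - 200 = -45), and that negative `int` converts to a huge `size_t` at the following `strncat(keystr, key, i)`, which is then effectively unbounded. The `strncpy(keystr, user, i)` on the first line also leaves `keystr` without a NUL when `user` is 255 bytes or longer, so the `strlen(keystr)` right after it reads past the buffer before the final `keystr[keysize] = '\0'` runs. Zero the buffer first, use `strncat` for every part and recompute the budget as `i = keysize - strlen(keystr)` after each append, which is what the redux patch posted on August 14 does.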
http://www.guardent.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOZL9SgHhCsRVdxmnEQJ39wCgsTAfyWbzspi8roBf5IT/v2jYRbUAoNa7
gMz6fHsMznHH+npXP0H6N7bO
=IQiA
-----END PGP SIGNATURE-----
(5354235) ------------------------------------------(Reflowed)

5360799 2000-08-14 18:39 /70 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12202>
Subject: Remote vulnerability in Gopherd 2.x patch redux
------------------------------------------------------------
From: Mike Schiffman <michael.schiffman@GUARDENT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <NEBBIMCMELMGHFGLLFEIGECLCCAA.michael.schiffman@guardent.com>

The workaround patch included in advisory A0208102000 is flawed. Unfortunately this was not noticed until just after the advisory was posted. The original patch made use of strncpy (which is not guaranteed to NUL terminate the resulting string) and it also passed in a signed length to strncat (which takes an unsigned length parameter). Due to these two flaws, the opportunity for overflowing the destination buffer still existed. The following replacement patch fixes these two issues (as well as the original buffer overflow). We apologize for any inconvenience this mistake may have caused, and would like to thank all those who noticed these flaws and gave us feedback.

2.3 patch:

diff -ru gopher2_3.old/gopherd/authenticate.c gopher2_3/gopherd/authenticate.c
--- gopher2_3.old/gopherd/authenticate.c Sat Aug 12 16:34:47 2000
+++ gopher2_3/gopherd/authenticate.c Sat Aug 12 16:51:51 2000
@@ -494,11 +494,12 @@
 char keystr[256];
 char *cp;
 Desnum c;
- int i;
+ int i, keysize;
- strcpy(keystr, user);
- strcat(keystr, ip);
- strcat(keystr, key);
+ keysize = sizeof(keystr)-1, memset(keystr, 0, keysize+1);
+ strncat(keystr, user, keysize), i = keysize - strlen(keystr);
+ strncat(keystr, ip, i), i = keysize - strlen(keystr);
+ strncat(keystr, key, i);
 Debug("Encoding key %s\n", keystr);

2.3.1 patch:

diff -ru gopher2_3.1.old/gopherd/authenticate.c gopher2_3.1/gopherd/authenticate.c
--- gopher2_3.1.old/gopherd/authenticate.c Sat Aug 12 16:34:57 2000
+++ gopher2_3.1/gopherd/authenticate.c Sat Aug 12 16:51:40 2000
@@ -496,13 +496,10 @@
 Desnum c;
 int i, keysize;
-/* strcpy(keystr, user);
- strcat(keystr, ip);
- strcat(keystr, key); */
- i = keysize = sizeof(keystr)-1;
- strncpy(keystr, user, i), i -= strlen(keystr);
- strncat(keystr, ip, i), i -= strlen(keystr);
- strncat(keystr, key, i), keystr[keysize] = '\0';
+ keysize = sizeof(keystr)-1, memset(keystr, 0, keysize+1);
+ strncat(keystr, user, keysize), i = keysize - strlen(keystr);
+ strncat(keystr, ip, i), i = keysize - strlen(keystr);
+ strncat(keystr, key, i);
 Debug("Encoding key %s\n", keystr);

--
Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com
(5360799) ------------------------------------------(Reflowed)
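Review bot: the 2.3 hunk is bounded now (after `memset(keystr, 0, keysize+1)` the budget `i = keysize - strlen(keystr)` can never be negative, and each `strncat` appends at most `i` bytes plus the NUL), but it truncates silently: when `user`, `ip` and `key` together exceed 255 bytes the key string is cut short and the DES key is derived from material other than what the client sent, with no error returned to the caller. Consider rejecting the request when `strlen(user) + strlen(ip) + strlen(key) > keysize` instead of truncating. Two smaller points: `i` stays an `int` that is implicitly converted to `size_t` at every `strncat` call (harmless here, but declaring it `size_t` would make the bound self-evident), and the comma operator packing a `strncat` and its budget update onto one line hides two statements per line; plain semicolons would make the sequence easier to audit.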
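Review bot: the 2.3.1 hunk removes the commented-out `/* strcpy(keystr, user); ... */` block and the flawed first patch in one go and installs the same `memset` plus `strncat` sequence as the 2.3 hunk, so the truncation and `int`-versus-`size_t` comments on that hunk apply here as well. One thing both hunks leave untouched is the trailing context line `Debug("Encoding key %s\n", keystr);`: `keystr` now carries the client-supplied `key` material that feeds the DES key, so with debugging enabled it is written to the log in clear; logging only `user` and `ip` there would keep the secret out of log files.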
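As an added example that is not part of either posted patch, the following C shows the bounded concatenation the redux patch ends up with, a fail-closed variant (my addition, not in gopherd) that refuses rather than truncates, and a function that reproduces only the budget arithmetic of the first, flawed patch so the signed-to-unsigned problem can be checked without performing any out-of-bounds write. `KEYSTR_SIZE`, `build_keystr`, `build_keystr_strict` and `flawed_patch_key_budget` are names chosen here; the 256-byte buffer size is the one in the hunks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEYSTR_SIZE 256  /* same size as gopherd's char keystr[256] */

/* Bounded user+ip+key concatenation, following the replacement patch:
 * zero the whole buffer, then strncat each part with a budget recomputed
 * as keysize - strlen(keystr). Like the patch it truncates silently, but
 * it can never write past bufsize bytes. Returns the resulting length. */
size_t build_keystr(char *keystr, size_t bufsize,
                    const char *user, const char *ip, const char *key)
{
    size_t keysize = bufsize - 1;            /* keep one byte for the NUL */
    memset(keystr, 0, bufsize);
    strncat(keystr, user, keysize);
    strncat(keystr, ip, keysize - strlen(keystr));
    strncat(keystr, key, keysize - strlen(keystr));
    return strlen(keystr);
}

/* Fail-closed variant (an assumption, not from the patch): a truncated
 * string would silently change the material fed to DES, so refuse it. */
int build_keystr_strict(char *keystr, size_t bufsize,
                        const char *user, const char *ip, const char *key)
{
    if (strlen(user) + strlen(ip) + strlen(key) > bufsize - 1)
        return -1;
    build_keystr(keystr, bufsize, user, ip, key);
    return 0;
}

/* Reproduces only the arithmetic of the first (flawed) patch, assuming
 * user_len < 255 so strncpy did NUL-terminate: i starts at keysize and
 * after every append the patch did "i -= strlen(keystr)", subtracting the
 * whole string so far instead of the part just appended. Returns the
 * size_t value the final strncat(keystr, key, i) would have received. */
size_t flawed_patch_key_budget(size_t user_len, size_t ip_len)
{
    int i = KEYSTR_SIZE - 1;                 /* i = keysize = sizeof(keystr)-1 */
    size_t len = user_len;                   /* after strncpy(keystr, user, i) */
    i -= (int)len;
    size_t appended = ip_len < (size_t)i ? ip_len : (size_t)i;
    len += appended;                         /* after strncat(keystr, ip, i) */
    i -= (int)len;                           /* negative once len > i */
    return (size_t)i;                        /* huge when i < 0 */
}
```

Even when nothing goes negative the first patch's budget is too small (a 10-byte user and 10-byte ip leave 225 instead of 235), and with a 100-byte user and ip the `int` wraps to a `size_t` far larger than the buffer.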