5354235 2000-08-12  03:49  /154 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12173>
Subject: Remote vulnerability in Gopherd 2.x
------------------------------------------------------------
From: Mike Schiffman <michael.schiffman@GUARDENT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <NEBBIMCMELMGHFGLLFEIOEAOCCAA.michael.schiffman@guardent.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G   U   A   R   D   E   N   T                        GUARDENT SECURITY ADVISORY
secure digital infrastructure                                       A0208102000
- ------------------------------------------------------------------------------
-
Remote Vulnerability in Gopherd v2.x (University of Minnesota)

August 10, 2000

http://www.guardent.com/advisories/A0208102000.html
- ------------------------------------------------------------------------------
-


- -----------------
EXECUTIVE SUMMARY
- -----------------

There is a vulnerability in the way the standard Unix gopherd 2.x
(a.k.a. UMN gopherd) creates a gopher DES key for authentication.  If
properly exploited, this vulnerability allows a remote user to gain
unauthorized root access to affected systems.


- ----------------
AFFECTED SYSTEMS
- ----------------

Guardent discovered and successfully exploited this vulnerability
under RedHat Linux (although the vulnerability is not platform
specific) using Gopherd 2.3.  Guardent's research and development
team immediately notified the University of Minnesota and provided
them with a patch.


- -------------------
DETAILED DISCUSSION
- -------------------

A buffer overflow exists in UMN's gopherd 2.x, which is vulnerable to
an exploit during the generation of a gopher DES key (called
GDESkey).  After the program returns from the key generation
function, it is possible to get arbitrary code executed by gopherd.
The key generation code is called when the gopher server attempts to
decode a ticket that is received from a client in the form of: "*
<username> <ticket>".  This ticket is where the shellcode may be
stashed.

By default, ALL UMN gopherd 2.x versions are vulnerable unless
compiled with the NO_AUTHENTICATION CPP flag. Compiling with
NO_AUTHENTICATION, however, completely disables user authentication
and is probably not done.  Successful exploit of this bug will yield
superuser access to the remote attacker unless gopherd is started
with the "-u user_id" switch and "user_id" is something other than
root.


- ------
REMEDY
- ------

Guardent notified the University of Minnesota of this issue
immediately after discovering and verifying the problem.  As a
result, U of M was able to apply our patch to fix the vulnerability.
The latest gopherd has been fixed and is available for download at:

    ftp://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz

You may opt to install Guardent's official patch manually by using
the `patch` program:

"patch < umn_gopher.patch"

diff -ru gopher2_3.old/gopherd/authenticate.c
gopher2_3/gopherd/authenticate.c
- --- gopher2_3.old/gopherd/authenticate.c    Sat Jun 10 04:03:43 2000
+++ gopher2_3/gopherd/authenticate.c    Thu Aug  3 07:00:56 2000
@@ -494,11 +494,12 @@
      char          keystr[256];
      char         *cp;
      Desnum        c;
- -     int i;
+     int i, keysize;

- -     strcpy(keystr, user);
- -     strcat(keystr, ip);
- -     strcat(keystr, key);
+     i = keysize = sizeof(keystr)-1;
+     strncpy(keystr, user, i), i -= strlen(keystr);
+     strncat(keystr, ip, i), i -= strlen(keystr);
+     strncat(keystr, key, i), keystr[keysize] = '\0';

      Debug("Encoding key %s\n", keystr);
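Review bot: the strncpy() on the first replacement line leaves keystr without a terminator whenever user is 255 bytes or longer, so the strlen(keystr) that follows it on the same line reads past the array, i drops below zero, and that negative int is then handed to strncat(), whose size_t parameter turns it into a huge count, so the overflow is still reachable. Zero the buffer before the copies (or check strlen(user) against sizeof(keystr) up front) and use strncat() for every append so a terminator is always present; the trailing `keystr[keysize] = '\0'` runs too late to help because the intermediate strlen() calls have already executed. Splitting the comma-joined statements such as `strncpy(keystr, user, i), i -= strlen(keystr);` onto separate lines would also make the length bookkeeping reviewable.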


- ----------------------
ADDITIONAL INFORMATION
- ----------------------

To contact the Guardent R&D team, please send email to:

    <guardentresearch@guardent.com>

ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000 GUARDENT, INC.


- --------------------
ABOUT GUARDENT, INC.
- --------------------

Guardent is a next-generation digital security services firm offering
strategic solutions for technology-enabled enterprises. As a trusted
security advisor, Guardent partners with clients to meet their
requirements for the continuous innovation and development of their
IT infrastructures, while mitigating the risks inherent in today's
complex networked environments.

Headquartered in the heart of Boston's technology corridor, Guardent
has operations in Washington, D.C., Minneapolis, San Francisco,
Seattle, Toronto, and London.

Obtain more information on Guardent by calling 888.413.4344 or by
visiting us on the web at http://www.guardent.com.

Press contact:      Dan McCall
                    Executive Vice President, Guardent, Inc.
                    dan.mccall@guardent.com
                    617.513.6623

Technical contact:  Mike Schiffman
                    Director, Research and Development, Guardent, Inc.
                    mike.schiffman@guardent.com
                    888.413.4344

EOF

- --
Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOZL9SgHhCsRVdxmnEQJ39wCgsTAfyWbzspi8roBf5IT/v2jYRbUAoNa7
gMz6fHsMznHH+npXP0H6N7bO
=IQiA
-----END PGP SIGNATURE-----
(5354235) ------------------------------------------(Reflowed)

5360799 2000-08-14  18:39  /70 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12202>
Subject: Remote vulnerability in Gopherd 2.x patch redux
------------------------------------------------------------
From: Mike Schiffman <michael.schiffman@GUARDENT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <NEBBIMCMELMGHFGLLFEIGECLCCAA.michael.schiffman@guardent.com>

The workaround patch included in advisory A0208102000 is flawed.
Unfortunately this was not noticed until just after the advisory was
posted.  The original patch made use of strncpy (which is not
guaranteed to NUL terminate the resulting string) and it also passed
in a signed length to strncat (which takes an unsigned length
parameter).  Due to these two flaws, the opportunity for overflowing
the destination buffer still existed.  The following replacement
patch fixes these two issues (as well as the original buffer overflow).
We apologize for any inconvenience this mistake may have caused, and
would like to thank all those who noticed these flaws and gave us
feedback.


2.3 patch:

diff -ru gopher2_3.old/gopherd/authenticate.c
gopher2_3/gopherd/authenticate.c
--- gopher2_3.old/gopherd/authenticate.c	Sat Aug 12 16:34:47 2000
+++ gopher2_3/gopherd/authenticate.c	Sat Aug 12 16:51:51 2000
@@ -494,11 +494,12 @@
      char          keystr[256];
      char         *cp;
      Desnum        c;
-     int i;
+     int i, keysize;

-     strcpy(keystr, user);
-     strcat(keystr, ip);
-     strcat(keystr, key);
+     keysize = sizeof(keystr)-1, memset(keystr, 0, keysize+1);
+     strncat(keystr, user, keysize), i = keysize - strlen(keystr);
+     strncat(keystr, ip, i), i = keysize - strlen(keystr);
+     strncat(keystr, key, i);

      Debug("Encoding key %s\n", keystr);
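Review bot: the length arithmetic in this hunk is sound (memset() zeroes all 256 bytes, each strncat() is given at most the remaining room and always terminates, and i can no longer go negative because strlen(keystr) never exceeds keysize), but the effect on oversized input is silent truncation: a user/ip/key combination longer than 255 bytes is encoded from a cut-off string, so two different tickets can yield the same key material. Consider returning an error when the three lengths exceed sizeof(keystr)-1 instead of truncating. Two style points: memset(keystr, 0, keysize+1) reads more clearly as memset(keystr, 0, sizeof(keystr)), and the comma-operator pairs such as `strncat(keystr, user, keysize), i = keysize - strlen(keystr);` would be easier to audit as separate statements.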


2.3.1 patch:

diff -ru gopher2_3.1.old/gopherd/authenticate.c
gopher2_3.1/gopherd/authenticate.c
--- gopher2_3.1.old/gopherd/authenticate.c	Sat Aug 12 16:34:57 2000
+++ gopher2_3.1/gopherd/authenticate.c	Sat Aug 12 16:51:40 2000
@@ -496,13 +496,10 @@
      Desnum        c;
      int i, keysize;

-/*     strcpy(keystr, user);
-     strcat(keystr, ip);
-     strcat(keystr, key); */
-	i = keysize = sizeof(keystr)-1;
-	strncpy(keystr, user, i), i -= strlen(keystr);
-	strncat(keystr, ip, i), i -= strlen(keystr);
-	strncat(keystr, key, i), keystr[keysize] = '\0';
+     keysize = sizeof(keystr)-1, memset(keystr, 0, keysize+1);
+     strncat(keystr, user, keysize), i = keysize - strlen(keystr);
+     strncat(keystr, ip, i), i = keysize - strlen(keystr);
+     strncat(keystr, key, i);

      Debug("Encoding key %s\n", keystr);
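Review bot: the removed lines show that the 2.3.1 source the first advisory pointed to (gopher2_3.1.tar.gz) shipped with the flawed first patch, including the strncpy() that can leave keystr unterminated, so anyone who fetched 2.3.1 before this replacement must apply this hunk rather than treat the earlier download as fixed. The replacement lines are identical to the 2.3 hunk and share its behaviour of silently truncating input longer than 255 bytes rather than rejecting it. Dropping the commented-out strcpy()/strcat() block is the right call; dead code for the vulnerable path only invites confusion.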


--
Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com
(5360799) ------------------------------------------(Reflowed)
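The two flaws the follow-up message names (strncpy() leaving no terminator, and a signed count reaching strncat()), the follow-up patch's zero-then-strncat() approach, and a stricter builder that rejects oversized input instead of truncating it, as an added C example. This is not code from either posting or from UMN gopherd: KEYSTR_LEN, keystr_demo, filler, strncpy_leaves_terminator, signed_length_exceeds, build_keystr_truncating and build_keystr_strict are names chosen here, and the user/ip/key inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define KEYSTR_LEN 256   /* same size as the keystr[256] array in the patch */

/* Shared destination buffer for the demonstrations below (name chosen here). */
static char keystr_demo[KEYSTR_LEN];

/* Constructed input: returns a string of n 'a' characters, n capped at 299.
 * Only one filler() result is valid at a time, since it reuses one buffer. */
const char *filler(size_t n)
{
    static char buf[300];
    if (n >= sizeof(buf))
        n = sizeof(buf) - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

/* Flaw 1 from the follow-up message: strncpy() writes no NUL when the source
 * fills the whole count. Copy src into the first n bytes of a buffer
 * pre-filled with 'X' and report whether a terminator landed inside those
 * n bytes. Returns 1 if terminated, 0 if not (strlen() would then read on
 * past the copy), -1 if n is outside this demo buffer's range. */
int strncpy_leaves_terminator(const char *src, size_t n)
{
    char buf[64];
    if (n == 0 || n > sizeof(buf))
        return -1;
    memset(buf, 'X', sizeof(buf));
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

/* Flaw 2: strncat() takes a size_t, so a negative int count is converted to
 * a huge unsigned value. Returns 1 when i, converted the way strncat()
 * would convert it, exceeds limit. */
int signed_length_exceeds(int i, size_t limit)
{
    return (size_t)i > limit;
}

/* The follow-up patch's approach (zero the buffer, then strncat() with the
 * remaining room), written as separate statements. Always terminated, but
 * input longer than dstlen-1 bytes is cut off silently. Returns the length
 * of the result. */
size_t build_keystr_truncating(char *dst, size_t dstlen, const char *user,
                               const char *ip, const char *key)
{
    size_t room;
    if (dstlen == 0)
        return 0;
    memset(dst, 0, dstlen);
    room = dstlen - 1;
    strncat(dst, user, room);
    room = dstlen - 1 - strlen(dst);
    strncat(dst, ip, room);
    room = dstlen - 1 - strlen(dst);
    strncat(dst, key, room);
    return strlen(dst);
}

/* Stricter alternative suggested here: refuse input that does not fit, so
 * the DES key is never derived from a truncated string. Returns 0 on
 * success, -1 if user+ip+key plus the NUL would exceed dstlen. Each check
 * subtracts before comparing so the length sum cannot wrap around. */
int build_keystr_strict(char *dst, size_t dstlen, const char *user,
                        const char *ip, const char *key)
{
    size_t ulen = strlen(user), ilen = strlen(ip), klen = strlen(key);
    if (ulen >= dstlen || ilen >= dstlen - ulen || klen >= dstlen - ulen - ilen)
        return -1;
    memcpy(dst, user, ulen);
    memcpy(dst + ulen, ip, ilen);
    memcpy(dst + ulen + ilen, key, klen);
    dst[ulen + ilen + klen] = '\0';
    return 0;
}

int main(void)
{
    printf("strncpy of 8 chars into 8 bytes terminated: %d\n",
           strncpy_leaves_terminator("abcdefgh", 8));
    printf("int -1 as a strncat count exceeds 256: %d\n",
           signed_length_exceeds(-1, KEYSTR_LEN));
    printf("truncating build, oversized key: length %zu\n",
           build_keystr_truncating(keystr_demo, KEYSTR_LEN, "alice",
                                   "10.0.0.1", filler(300)));
    printf("strict build, oversized key: %d\n",
           build_keystr_strict(keystr_demo, KEYSTR_LEN, "alice",
                               "10.0.0.1", filler(300)));
    return 0;
}
```

The strict builder is the one to prefer in an authentication path: a ticket that does not fit is an error to log and reject, not something to derive key material from after cutting it short.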