----- Forwarded message from Mike Schiffman <[EMAIL PROTECTED]> ----- 
> From: Mike Schiffman <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> Date: Thu, 10 Aug 2000 12:06:51 -0700
> To: [EMAIL PROTECTED]
> Subject: Remote vulnerability in Gopherd 2.x
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> G U A R D E N T                                     GUARDENT SECURITY ADVISORY
> secure digital infrastructure                                      A0208102000
> - ------------------------------------------------------------------------------
> Remote Vulnerability in Gopherd v2.x (University of Minnesota)
>
> August 10, 2000
>
> http://www.guardent.com/advisories/A0208102000.html
> - ------------------------------------------------------------------------------
>
> - -----------------
> EXECUTIVE SUMMARY
> - -----------------
>
> There is a vulnerability in the way the standard Unix gopherd 2.x (a.k.a. UMN
> gopherd) creates a gopher DES key for authentication. If properly exploited,
> this vulnerability allows a remote user to gain unauthorized root access to
> affected systems.
>
> - ----------------
> AFFECTED SYSTEMS
> - ----------------
>
> Guardent discovered and successfully exploited this vulnerability under RedHat
> Linux using Gopherd 2.3, although the vulnerability is not platform specific.
> Guardent's research and development team immediately notified the University
> of Minnesota and provided them with a patch.
>
> - -------------------
> DETAILED DISCUSSION
> - -------------------
>
> A buffer overflow exists in UMN gopherd 2.x during the generation of a gopher
> DES key (called GDESkey). After the program returns from the key generation
> function, it is possible to get arbitrary code executed by gopherd. The key
> generation code is called when the gopher server attempts to decode a ticket
> received from a client in the form "* <username> <ticket>". This ticket is
> where the shellcode may be stashed.
>
> By default, ALL UMN gopherd 2.x versions are vulnerable unless compiled with
> the NO_AUTHENTICATION CPP flag. Compiling with NO_AUTHENTICATION, however,
> completely disables user authentication and is therefore unlikely to be done.
> Successful exploitation of this bug yields superuser access to the remote
> attacker unless gopherd is started with the "-u user_id" switch and "user_id"
> is something other than root.
>
> - ------
> REMEDY
> - ------
>
> Guardent notified the University of Minnesota of this issue immediately after
> discovering and verifying the problem. As a result, U of M was able to apply
> our patch to fix the vulnerability. The latest gopherd has been fixed and is
> available for download at:
>
> ftp://boombox.micro.umn.edu/pub/gopher/Unix/gopher2_3.1.tar.gz
>
> You may opt to install Guardent's official patch manually by using the `patch`
> program:
>
> "patch < umn_gopher.patch"
>
> diff -ru gopher2_3.old/gopherd/authenticate.c gopher2_3/gopherd/authenticate.c
> - --- gopher2_3.old/gopherd/authenticate.c Sat Jun 10 04:03:43 2000
> +++ gopher2_3/gopherd/authenticate.c Thu Aug 3 07:00:56 2000
> @@ -494,11 +494,12 @@
> char keystr[256];
> char *cp;
> Desnum c;
> - - int i;
> + int i, keysize;
>
> - - strcpy(keystr, user);
> - - strcat(keystr, ip);
> - - strcat(keystr, key);
> + i = keysize = sizeof(keystr)-1;
> + strncpy(keystr, user, i), i -= strlen(keystr);
> + strncat(keystr, ip, i), i -= strlen(keystr);
> + strncat(keystr, key, i), keystr[keysize] = '\0';
>
> Debug("Encoding key %s\n", keystr);
>
>
> - ----------------------
> ADDITIONAL INFORMATION
> - ----------------------
>
> To contact the Guardent R&D team, please send email to:
>
> <[EMAIL PROTECTED]>
>
> ALL CONTENTS OF THIS ADVISORY ARE COPYRIGHT 2000 GUARDENT, INC.
>
>
> - --------------------
> ABOUT GUARDENT, INC.
> - --------------------
>
> Guardent is a next-generation digital security services firm offering strategic
> solutions for technology-enabled enterprises. As a trusted security advisor,
> Guardent partners with clients to meet their requirements for the continuous
> innovation and development of their IT infrastructures, while mitigating the
> risks inherent in today's complex networked environments.
>
> Headquartered in the heart of Boston's technology corridor, Guardent has
> operations in Washington, D.C., Minneapolis, San Francisco, Seattle, Toronto,
> and London.
>
> Obtain more information on Guardent by calling 888.413.4344 or by visiting
> us on the web at http://www.guardent.com.
>
> Press contact: Dan McCall
> Executive Vice President, Guardent, Inc.
> [EMAIL PROTECTED]
> 617.513.6623
>
> Technical contact: Mike Schiffman
> Director, Research and Development, Guardent, Inc.
> [EMAIL PROTECTED]
> 888.413.4344
>
> EOF
>
> - --
> Mike D. Schiffman
> Director of Research and Development
> Guardent, Inc.
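Review bot: the remaining-space bookkeeping in the added lines is unsafe. After `strncat(keystr, ip, i)`, the same line does `i -= strlen(keystr)`, which subtracts the whole accumulated length of `keystr` rather than only the bytes just appended, so `i` goes negative whenever `strlen(user)` plus the new `strlen(keystr)` exceeds 255 (a 100-byte `user` and a 100-byte `ip` leave `i` at 155 - 200); that negative `int` is converted to `size_t` by `strncat(keystr, key, i)` and becomes an effectively unlimited bound, reintroducing the overflow this hunk sets out to remove. Recompute `i = keysize - strlen(keystr)` after each step instead. Two smaller points on the same lines: `strncpy(keystr, user, i)` does not NUL-terminate when `user` is 255 bytes or longer, so the `strlen(keystr)` that follows it can read past the buffer (terminate with `keystr[keysize] = '\0'` right after the copy, not only at the end), and the comma-operator one-liners hide these side effects; separate statements would make the arithmetic reviewable.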
> http://www.guardent.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.3
>
> iQA/AwUBOZL9SgHhCsRVdxmnEQJ39wCgsTAfyWbzspi8roBf5IT/v2jYRbUAoNa7
> gMz6fHsMznHH+npXP0H6N7bO
> =IQiA
> -----END PGP SIGNATURE-----
>
----- End forwarded message -----
--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be contacted via [EMAIL PROTECTED]
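As an added example that is not part of the advisory, the forwarded mail or the UMN gopherd source: a bounds-checked way to build the `<user><ip><key>` string that overflowed `keystr[256]`, recomputing the free space from the destination's real length after every append and rejecting (rather than truncating) input that does not fit. The function names `append_bounded` and `build_keystr` and the sample inputs are this example's own.

```c
/* Added example, not from the advisory or the UMN gopherd source: a
 * bounds-checked replacement for the user/ip/key concatenation that
 * overflowed keystr[256] in GDESkey generation. Function and buffer
 * names are this example's own. */
#include <stdio.h>
#include <string.h>

/* Append src to the NUL-terminated string in dst (capacity cap).
 * The free space is recomputed from dst's real length on every call,
 * so the bookkeeping cannot drift. Returns 0, or -1 (dst untouched)
 * when src does not fit. */
static int append_bounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    size_t room = cap - used - 1;        /* bytes left before the final NUL */
    size_t need = strlen(src);
    if (need > room)
        return -1;
    memcpy(dst + used, src, need + 1);   /* copies src's terminating NUL */
    return 0;
}

/* Build "<user><ip><key>" into dst. Returns the resulting length, or -1
 * when the parts do not fit: the caller should then reject the ticket
 * rather than derive a DES key from a silently truncated string. */
int build_keystr(char *dst, size_t cap, const char *user,
                 const char *ip, const char *key)
{
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    if (append_bounded(dst, cap, user) != 0 ||
        append_bounded(dst, cap, ip) != 0 ||
        append_bounded(dst, cap, key) != 0)
        return -1;
    return (int)strlen(dst);
}

int main(void)
{
    char keystr[256], big[300];          /* same capacity as the advisory's keystr */
    /* constructed sample inputs: a normal ticket, then a 299-byte username */
    int n = build_keystr(keystr, sizeof keystr, "gopher", "128.101.0.1", "abc123");
    printf("ok: %d bytes -> %s\n", n, keystr);
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    n = build_keystr(keystr, sizeof keystr, big, "", "");
    printf("oversized username: %d (rejected, buffer intact)\n", n);
    return 0;
}
```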
