NASIRC BULLETIN # 94-06
March 11, 1994

Security Vulnerability in Gopher

===========================================================
        NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received notification of new security vulnerabilities in UNIX-based gopher systems that could allow unauthorized access to files in the directories above the gopher system, including password files. This problem affects both clients and servers, including the recently released gopher1.13 and 2.012.

THE PROBLEM:

A failure in the gopher server (gopherd) internal access controls might make it possible to read files in directories above the gopher data directory (e.g., the password file) if gopherd does not run chroot. This problem can be found in all versions before gopher1.1 (Gopher) and gopher2.012 (Gopher+). This vulnerability only affects servers that are started with the option "-c". Without this option, gopherd runs chroot and access to files above the gopher-data directory is disabled.

The DFN-CERT in Germany has recommended to its constituency that all sites with public access gopher clients turn them off until a fix is applied. NASIRC agrees that NASA system administrators should apply the fix described below, but we currently do *not* feel that shutting down all gophers in the interim is necessary.

DETERMINING YOUR VULNERABILITY:

All versions before gopher1.13 (Gopher) and gopher2.012 (Gopher+) are vulnerable. If gopherd is started with the option "-c" (check your local /etc/inetd.conf or /etc/rc.*), the system is vulnerable to an attack.
To determine if this vulnerability has been exploited, check the gopher logs as follows. First, find the actual gopher-log filename: look in the /etc/inetd.conf file (the argument to the -l option) or in the gopherd.conf file (the "Logfile:" entry). Then issue the following command:

    grep "\.\." logfilename

For example, if your system's gopher-log file is /var/adm/gopher.log, you would type:

    host% grep "\.\." /var/adm/gopher.log

Every line displayed by this command shows a potential attack. If the "\.\." string is found, all users should change their passwords and you should examine the system for possible intrusions or unauthorized use.

FIXING THE PROBLEM:

Essentially, the "-c" option should NOT be used to start gopherd. It is also suggested that you run the most recent versions of gopher, as they fix other potential vulnerabilities; these are gopher1.13 (Gopher) and gopher2.012 (Gopher+). They can be acquired via anonymous ftp from several Internet sites, the most notable being boombox.micro.umn.edu; on that system, look in /pub/gopher/Unix for the files gopher1.13.tar.Z and gopher2.012.tar.Z.

If for some reason your system requires the use of the "-c" option when starting gopherd, a tool called "chrootuid" is available that allows you to run commands in restricted environments; if you use this tool to chroot before the gopher server is started -- similar to the use of the TCP_Wrapper -- you can still use the "-c" option. The use of chrootuid to protect the gopher server is detailed within the tool's README file. The chrootuid package is available via anonymous ftp from the NASIRC server.

Note that use of chrootuid and/or changing the gopherd startup syntax constitutes a configuration change which will allow you to run the WAIS search engine and FTP Gateway in a secure way, but which may interfere with other gopher-based services; be sure to test all aspects of your client or server before pronouncing the work "done."
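The two checks above, the inetd.conf inspection for the "-c" option and the grep of the gopher log for "..", written as shell functions and run over constructed sample files. This is an added example, not part of the NASIRC bulletin or the gopher distribution; the file paths, the inetd.conf entries and the log line layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: the bulletin's two
# checks scripted as functions. File paths, inetd.conf entries and the
# gopher log lines below are constructed sample data.

# Print VULNERABLE if an inetd.conf-style file starts gopherd with the
# "-c" option (no chroot), otherwise OK. Comment lines are ignored and
# "-c" must stand alone as an argument so "-cl" or a path is not matched.
check_inetd_conf() {
    if grep -v '^[[:space:]]*#' "$1" | grep 'gopherd' |
       grep -q -E '(^|[[:space:]])-c([[:space:]]|$)'; then
        echo VULNERABLE
    else
        echo OK
    fi
}

# Count log lines containing "..", which is what the bulletin's
# grep "\.\." logfilename reports; each hit is a potential attack.
# grep -c exits 1 when the count is 0, so force a zero status.
count_traversal_attempts() {
    grep -c '\.\.' "$1" || true
}

# --- constructed sample files ------------------------------------------
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT

cat > "$TMPDIR_EX/inetd.conf.bad" <<'EOF'
# gopherd started with -c: runs without chroot
gopher stream tcp nowait root /usr/local/etc/gopherd gopherd -c -l /var/adm/gopher.log /usr/local/gopher-data 70
EOF

cat > "$TMPDIR_EX/inetd.conf.good" <<'EOF'
gopher stream tcp nowait root /usr/local/etc/gopherd gopherd -l /var/adm/gopher.log /usr/local/gopher-data 70
EOF

# Constructed log lines; the real gopherd log layout may differ.
cat > "$TMPDIR_EX/gopher.log" <<'EOF'
Fri Mar 11 10:02:13 1994 1234 client.example.com : retrieved file /about/readme
Fri Mar 11 10:05:41 1994 1235 client.example.com : retrieved file /../../etc/passwd
Fri Mar 11 10:06:02 1994 1236 client.example.com : retrieved file /pub/../../../etc/group
EOF

check_inetd_conf "$TMPDIR_EX/inetd.conf.bad"      # VULNERABLE
check_inetd_conf "$TMPDIR_EX/inetd.conf.good"     # OK
count_traversal_attempts "$TMPDIR_EX/gopher.log"  # 2
```

Point the two functions at your real /etc/inetd.conf and the log file named by the -l option or the "Logfile:" entry; a non-zero count is the signal the bulletin says should trigger password changes and an intrusion review.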
In addition, the overall security of your local system can be affected by gopher-based services (e.g., storing compressed files, telnet links, other gateways) that you choose to offer.

NASIRC will continue to monitor the situation and will post additional information as appropriate. If you have any questions concerning gopher security, feel free to contact us at any of the venues listed below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: The DFN-CERT in Hamburg, Germany, for forwarding this information in a rapid and timely manner.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:
    Phone:                   1-800-7-NASIRC
    Fax:                     1-301-441-1853
    Internet Email:          nasirc@nasa.gov
    24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
    STU III:                 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. Just ftp to nasirc.nasa.gov and login as anonymous. You will be required to enter your valid e-mail address. Once there you can access the following information:

    /toolkits   ! contains automated toolkit software
    /bulletins  ! contains NASIRC bulletins

Information maintained in these directories is updated on a continuous basis with relevant software and information. Contact the NASIRC Helpdesk for more information or assistance with tool kits or security measures.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified.
NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organization which provides for coordination between incident response teams in handling computer-security-related issues. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".