===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  :    S-93-16
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : UMN UNIX gopher and gopher+ Vulnerabilities Date   :  09-Aug-93
===============================================================================


CERT-NL has received information concerning vulnerabilities in versions
of the UMN UNIX gopher and gopher+ server and client available before
August 6, 1993. Vulnerable versions were available on
boombox.micro.umn.edu:/pub/gopher/Unix/gopher1.12s.tar.Z,
boombox.micro.umn.edu:/pub/gopher/Unix/gopher2.03.tar.Z, and many other
anonymous FTP sites mirroring these software versions.

CERT-NL strongly recommends that any site using versions of UMN UNIX
gopher and gopher+ dated prior to August 6, 1993 (including version
1.12, 1.12s, 2.0+, 2.03, and all earlier versions) immediately take
corrective action.

If you have further questions regarding UMN UNIX gopher or gopher+ software, 
send e-mail to: gopher@boombox.micro.umn.edu 
---------------------------------------------------------------------------

I.   Description

     Several vulnerabilities have been identified in UMN UNIX gopher
     and gopher+ when configured as a server or public access client.

     Intruders are known to have exploited these vulnerabilities to
     obtain password files. Other actions may also have been taken by
     intruders exploiting these vulnerabilities. CERT has already
     contacted those sites currently known to have been victims of
     these activities. However, sites may want to check for weak
     passwords, or consider changing passwords, after installing the
     new gopher software.

II.  Impact

     Anyone (remote or local) can potentially gain unrestricted access
     to the account running the public access client, thereby
     permitting them to read any files accessible to this account
     (possibly including /etc/passwd or other sensitive files).

     In certain configurations, anyone (remote or local) can
     potentially gain access to any account, including root, on a host
     configured as a server running gopherd.

III. Solution

     Affected sites should consider disabling gopherd service and
     public gopher logins until they have installed the new software.

     New versions of the UMN UNIX gopher and gopher+ software have been 
     released that provide bug fixes and correct these security problems.  
     Sites can obtain these new versions via anonymous FTP from 
     boombox.micro.umn.edu (134.84.132.2). The files are located in:

     Filename                                Size     Checksum
     --------                                ------   -----------
     Gopher:
     /pub/gopher/Unix/gopher1.12S.tar.Z      306872   46311   300
     Gopher+:
     /pub/gopher/Unix/gopher2.04.tar.Z       294872   29411   288

---------------------------------------------------------------------------
CERT-NL wishes to thank CERT Coordination Center for supplying CERT-NL
with their Advisory, which text is used in this CERT-NL advisory.

The CERT Coordination Center wishes to thank Matt Schroth, Williams
College, and others for informing us of these vulnerabilities.  We
would also like to thank Paul Lindner, University of Minnesota, for his
quick response to these problems.
---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The
Netherlands. CERT-NL is a Full Member of the Forum of Incident Response
and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet
connected institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can
be found on the anonymous FTP server of SURFnet bv:
"ftp.nic.surfnet.nl" [192.87.46.3], in the directory
"surfnet/net-security/cert-nl/docs/bulletin".  This information is also
available using email. Send an email saying "help" to
"mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL
or the CERT of your own constituency. Please be aware of the fact that
we are one (when DST is in effect two) hour(s) ahead of Universal Time
Coordinated (i.e. UTC+0100 (UTC+0200)).
Email:     cert-nl@surfnet.nl
Phone:     +31 30 310290
Fax:       +31 30 340903
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands
A 7*24h phonenumber is available to SURFnet SSC's and FIRST members on request
==============================================================================

SSC's,

dit is een korte aanvulling op de Gopher Advisory, naar aanleiding
van een paar vragen die wellicht ook elders opkomen.

/Een vraagje over deze advisory. Ik raak een beetje verward door de volgende
/regels
/
/> CERT-NL has received information concerning vulnerabilities in versions
/> of the UMN UNIX gopher and gopher+ server and client available before
/> August 6, 1993. Vulnerable versions were available on
/> boombox.micro.umn.edu:/pub/gopher/Unix/gopher1.12s.tar.Z,
/> boombox.micro.umn.edu:/pub/gopher/Unix/gopher2.03.tar.Z, and many other
/> anonymous FTP sites mirroring these software versions.
/>
/> CERT-NL strongly recommends that any site using versions of UMN UNIX
/> gopher and gopher+ dated prior to August 6, 1993 (including version
/> 1.12, 1.12s, 2.0+, 2.03, and all earlier versions) immediately take
/> corrective action.
/
/hetgeen de beweert dat versie 1.12s niet veilig is doch uit:
/
/> III. Solution
/>
/>      Affected sites should consider disabling gopherd service and
/>      public gopher logins until they have installed the new software.
/>
/>      New versions of the UMN UNIX gopher and gopher+ software have been
/>      released that provide bug fixes and correct these security problems.
/>      Sites can obtain these new versions via anonymous FTP from
/>      boombox.micro.umn.edu (134.84.132.2). The files are located in:
/>
/>      Filename                                Size     Checksum
/>      --------                                ------   -----------
/>      Gopher:
/>      /pub/gopher/Unix/gopher1.12S.tar.Z      306872   46311   300
/>      Gopher+:
/>      /pub/gopher/Unix/gopher2.04.tar.Z       294872   29411   288
/>
/
/Ah ik merk net het subtiele verschil op 1.12S is dus wel veilig in tegen
/stelling tot versie 1.12s, correct?

de conclusie is juist. De nieuwe versie heeft een hoofdletter S in de naam.

/Maar ik had nog een vraag. Betreft de vulnerability het niet goed gebruiken
/van de ...... of zijn er ook nog andere problemen. Ik heb namelijk
/via een ...... onze eigen server geprobeerd om het password
/file op te halen maar dat werkte niet.

/Heb ik gewoon mazzel ... of is het
/probleem iets ingewikkelder. Dit omdat ik graag even zeker wil weten of
/we op dit moment kwetsbaar zijn voordat ik overhaast onze gopher server down
/breng en een nieuwe versie installeer.

Er is meer dan een security fout gecorrigeerd. In hackers kringen is bekend
hoe de combinatie van fouten benut kan worden. Ga ervanuit dat je met de
genoemde oude versies wel degelijk kwetsbaar bent.

teun