From:	SMTP%"bwc0003@jove.acs.unt.edu" 27-AUG-1996 20:08:10.17
To:	EVERHART
CC:	
Subj:	BoS: Potential Gopher Exploit

Resent-Date: Wed, 28 Aug 1996 07:17:06 +1000
Date: Tue, 27 Aug 1996 16:15:06 -0500 (CDT)
From: Benjamin Wayne Camp <bwc0003@jove.acs.unt.edu>
To: best-of-security@suburbia.net
cc: benc@geocel.com
Message-ID: <Pine.GSO.3.95.960827154630.9634B-100000@jove.acs.unt.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-Message-ID: <"IDRjo1.0.xi7.HNs8o"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: <best-of-security@suburbia.net> archive/latest/290
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: Potential Gopher Exploit

Something funny I noticed about Gopher yesterday..  It does what it's
supposed to do.

Intro:
Gopher is a really simple protocol.  It runs on TCP on port 70.  Basically
it works like this.

Client Connects
Client Sends: requesteddoc<CRLF>
Server Sends: XName of document <TAB> path to document <TAB> site <TAB>
port <TAB> +
.. and repeats through an index list ..

blah...

Well.. I'd just assumed that the client would handle FTP (much like most
http clients)... wrong.

Problem:
If you send "ftp:ftp.site.com@/" as your requested document, the gopher
server logs on to the ftp site anonymously and acts as a proxy.  You can
do this with all the gopher servers I've tried.  This is no secret or
magic trick; it seems as though a lot of gophers link into FTP servers.
I've just never heard anyone talking about this, and it appears to be a
hugely widespread problem.  I doubt gopher's logging facilities are up to
par anyway.  That makes your ftp a hell of a lot more anonymous.

Issue:
It seems like a relatively trivial thing to access an intranet ftp server
on the other side of a firewall if you can make it look like it's coming
from the gopher server... after all .. it is :)

Not to mention, this kind of opens up the field for transferring munitions
(uhh.. I mean crypto stuff) and making it look like it came from the US.
After all, who runs a crypto gopher site?

So Basically:
gopher://gopher.anysite.com/ftp:ftp.anothersite.com@/ makes
gopher.anysite.com act as a proxy for ftp.anothersite.com

Summary:
Don't run GopherD on your firewall.  This is probably a configuration
issue, but since I'm not a gopher monger I wouldn't know.


Ben Camp   novotech@iglobal.net
novocain
----------------------------------------------------------------------
Disclaimer: I am not the gopher mack daddy.
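An added example, not part of Ben's post and not any gopherd's own code: it parses menu lines in the TAB-separated layout the post describes and audits a served menu for "ftp:host@path" selectors that would make the gopher server proxy FTP to a host outside an allowlist (the selector regex, hostnames and sample menu are constructed assumptions).

```python
import re
from typing import Dict, List, Optional

def parse_menu_line(line: str) -> Dict[str, object]:
    """Split one gopher menu line (as laid out in the post) into its fields:
    <type char><display name> TAB <selector> TAB <host> TAB <port> [TAB +]."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 4 or not fields[0]:
        raise ValueError(f"malformed gopher menu line: {line!r}")
    return {
        "type": fields[0][0],
        "name": fields[0][1:],
        "selector": fields[1],
        "host": fields[2],
        "port": int(fields[3]),
        "gopher_plus": len(fields) > 4 and fields[4] == "+",
    }

# Selector shape from the post: "ftp:<ftp host>@<path>".  The regex is an
# assumption written to match that shape; gopherd builds may accept variants.
FTP_SELECTOR = re.compile(r"^ftp:(?P<host>[^@/]+)@(?P<path>.*)$")

def ftp_proxy_target(selector: str) -> Optional[str]:
    """Return the FTP host this selector would make gopherd connect to, or None."""
    m = FTP_SELECTOR.match(selector)
    return m.group("host").lower() if m else None

def audit_menu(menu_text: str, allowed_ftp_hosts: frozenset) -> List[str]:
    """Return 'host:selector' for every menu item that would proxy FTP to a
    host outside the allowlist (e.g. an intranet server behind the firewall)."""
    findings = []
    for line in menu_text.splitlines():
        if line in ("", "."):  # skip blank lines and the end-of-menu marker
            continue
        item = parse_menu_line(line)
        target = ftp_proxy_target(item["selector"])
        if target is not None and target not in allowed_ftp_hosts:
            findings.append(f"{item['host']}:{item['selector']}")
    return findings

# Constructed sample menu (not captured from any real server): two plain
# items, one link to a public FTP mirror, one that would reach an internal host.
SAMPLE_MENU = (
    "0About this server\t/about.txt\tgopher.example.com\t70\t+\r\n"
    "1Software\t/software\tgopher.example.com\t70\r\n"
    "1Public mirror\tftp:ftp.example.org@/pub/\tgopher.example.com\t70\r\n"
    "1Internal files\tftp:ftpint.corp.example@/\tgopher.example.com\t70\r\n"
    ".\r\n"
)
```

Running `audit_menu(SAMPLE_MENU, frozenset({"ftp.example.org"}))` flags only the item pointing at the internal host; the same check applied to incoming selectors lets a gopherd front end refuse proxy requests to hosts it was never meant to reach.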