From: SMTP%"bwc0003@jove.acs.unt.edu" 27-AUG-1996 20:08:10.17 To: EVERHART CC: Subj: BoS: Potential Gopher Exploit Resent-Date: Wed, 28 Aug 1996 07:17:06 +1000 Date: Tue, 27 Aug 1996 16:15:06 -0500 (CDT) From: Benjamin Wayne Camp <bwc0003@jove.acs.unt.edu> To: best-of-security@suburbia.net cc: benc@geocel.com Message-ID: <Pine.GSO.3.95.960827154630.9634B-100000@jove.acs.unt.edu> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"IDRjo1.0.xi7.HNs8o"@suburbia> Resent-From: best-of-security@suburbia.net X-Mailing-List: <best-of-security@suburbia.net> archive/latest/290 X-Loop: best-of-security@suburbia.net Precedence: list Resent-Sender: best-of-security-request@suburbia.net Subject: BoS: Potential Gopher Exploit Something funny I noticed about Gopher yesterday.. It does what it's supposed to do. Intro: Gopher is a really simple protocol. It runs on TCP on port 70. Basically it works like this. Client Connects Client Sends: requesteddoc<CRLF> Server Sends: XName of documet < TAB> path to document <TAB> site < TAB> port <TAB> + .. and repeats through an index list .. blah... Well.. i'd just assumed that the client would handle FTP (much like most http clients)...wrong Problem: If you send "ftp:ftp.site.com@/" as your requested document, the gopher server logs on to the ftp site anonymously and acts as a proxy. You can do this with all the gopher servers I've tried. This is no secret or magic trick, it seems as though alot of gophers link into FTP servers. I've just never head anyone talking about this, and it appears to be a hugely widespread problem. I doubt gopher's logging facilities are up to par anyway. That makes your ftp a hell of alot more anonymous. Issue: It seems like a relatively trivial thing to access an intranet ftp server on the other side of a firewall if you can make it look like its coming from the gopher server... after all .. it is :) Not to mention, this kind of opens up the field for transferring munitions (uhh.. I mean crypto stuff) and making it look like it came from the US. After all, who runs a crypto gopher site. So Basically: gopher://gopher.anysite.com/ftp:ftp.anothersite.com@/ makes gopher.anysite.com act as a proxy for ftp.anothersite.com Summary: Don't run GopherD on your firewall. This is probably a configuration issue, but since i'm not aa gopher monger I wouldn't know. Ben Camp novotech@iglobal.net novocain ---------------------------------------------------------------------- Disclaimer: I am not the gopher mack daddy.