From bwc0003@jove.acs.unt.edu  Wed Aug 28 07:17:02 1996
Received: from mercury.acs.unt.edu (mercury.acs.unt.edu [129.120.1.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id HAA31538 for <best-of-security@suburbia.net>; Wed, 28 Aug 1996 07:16:54 +1000
Received: from jove.acs.unt.edu (jove.acs.unt.edu [129.120.1.41]) by mercury.acs.unt.edu (8.7.1/8.7.1) with ESMTP id QAA26028; Tue, 27 Aug 1996 16:15:11 -0500 (CDT)
Received: from localhost (bwc0003@localhost) by jove.acs.unt.edu (8.7.5/8.7.3) with SMTP id QAA23229; Tue, 27 Aug 1996 16:15:07 -0500 (CDT)
Date: Tue, 27 Aug 1996 16:15:06 -0500 (CDT)
From: Benjamin Wayne Camp <bwc0003@jove.acs.unt.edu>
To: best-of-security@suburbia.net
cc: benc@geocel.com
Subject: Potential Gopher Exploit
Message-ID: <Pine.GSO.3.95.960827154630.9634B-100000@jove.acs.unt.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Something funny I noticed about Gopher yesterday..  It does what it's
supposed to do.

Intro:
Gopher is a really simple protocol.  It runs on TCP on port 70.  Basically
it works like this:

Client connects
Client sends: requested doc (the "selector")<CRLF>
Server sends: XName of document<TAB>path to document<TAB>site<TAB>port<TAB>+
(X is the one-character item type; the trailing "+" is the Gopher+ marker)
.. and repeats through an index list ..

blah...

Well.. I'd just assumed that the client would handle FTP (much like most
http clients)... wrong.

Problem:
If you send "ftp:ftp.site.com@/" as your requested document, the gopher
server logs on to the ftp site anonymously and acts as a proxy.  You can
do this with all the gopher servers I've tried.  This is no secret or
magic trick; it seems as though a lot of gophers link into FTP servers.
I've just never heard anyone talking about this, and it appears to be a
hugely widespread problem.  I doubt gopher's logging facilities are up to
par anyway.  That makes your ftp a hell of a lot more anonymous.

Issue:
It seems like a relatively trivial thing to access an intranet ftp server
on the other side of a firewall if you can make it look like it's coming
from the gopher server... after all .. it is :)

Not to mention, this kind of opens up the field for transferring munitions
(uhh.. I mean crypto stuff) and making it look like it came from the US.
After all, who runs a crypto gopher site?

So Basically:
gopher://gopher.anysite.com/ftp:ftp.anothersite.com@/ makes
gopher.anysite.com act as a proxy for ftp.anothersite.com
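An added example (not part of the original post, and not code from any gopher server) that parses the menu-line format described in the Intro and screens request selectors for the "ftp:host@path" shape described above, so an administrator auditing gopherd requests can spot relays toward hosts behind the firewall. The hostnames, the internal-domain suffixes and the sample request list are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One menu line as the post describes it: type char + display name, TAB, selector,
# TAB, host, TAB, port, optionally TAB "+" (Gopher+ marker).
MENU_LINE_RE = re.compile(
    r"^(?P<type>.)(?P<name>[^\t]*)\t(?P<selector>[^\t]*)\t(?P<host>[^\t]*)\t(?P<port>\d+)(?:\t\+)?$"
)
# Selector shape from the post: "ftp:<host>@<path>" makes the server fetch via anonymous FTP.
FTP_SELECTOR_RE = re.compile(r"^ftp:(?P<host>[^@\t/]+)@(?P<path>.*)$")

@dataclass
class MenuItem:
    item_type: str
    name: str
    selector: str
    host: str
    port: int

def parse_menu_line(line: str) -> Optional[MenuItem]:
    """Parse one response line; None for the terminating '.' or a malformed line."""
    m = MENU_LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return MenuItem(m["type"], m["name"], m["selector"], m["host"], int(m["port"]))

def ftp_proxy_target(selector: str) -> Optional[str]:
    """Host the server would open an FTP session to if it honours an ftp: selector."""
    m = FTP_SELECTOR_RE.match(selector)
    return m["host"].lower() if m else None

# Hypothetical internal suffixes; a site would substitute its own.
INTERNAL_SUFFIXES = (".corp.example", ".local")

def screen_selector(selector: str) -> str:
    """'allow' for ordinary selectors, 'flag' for a relay to an external FTP host,
    'deny' for a relay toward a host behind the firewall."""
    host = ftp_proxy_target(selector)
    if host is None:
        return "allow"
    if host in ("localhost", "127.0.0.1") or host.endswith(INTERNAL_SUFFIXES):
        return "deny"
    return "flag"

# Constructed sample of selectors as they might appear in a request log.
SAMPLE_REQUESTS = ["/about", "ftp:ftp.example.org@/pub/", "ftp:files.corp.example@/"]

def audit(requests):
    return {r: screen_selector(r) for r in requests}
```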

Summary:
Don't run GopherD on your firewall.  This is probably a configuration
issue, but since I'm not a gopher monger I wouldn't know.


Ben Camp   novotech@iglobal.net
novocain
----------------------------------------------------------------------
Disclaimer: I am not the gopher mack daddy.