ms02-027
Posted Aug 29, 2002
Site microsoft.com

Microsoft Security Bulletin MS02-027 - Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice.

tags | protocol
SHA-256 | 8beadf73156ab5e7067fe4cb488a1655a9bbaa1e3e636f4bd1054f9263da1a67


Microsoft Security Bulletin MS02-027

Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's
Choice (Q323889)

Originally posted: June 11, 2002
Revised: June 14, 2002 (latest revision August 23, 2002; see
Revisions at the end of this bulletin)

Summary

Who should read this bulletin: Customers using Microsoft®
Internet Explorer; System administrators running Microsoft
Internet Security and Acceleration (ISA) Server 2000 or
Microsoft Proxy Server 2.0.

Impact of vulnerability: Run Code of Attacker's Choice.

Maximum Severity Rating: Critical

Recommendation: Administrators of ISA Server 2000 and Proxy
Server 2.0 systems should apply the patch. Customers using IE
should implement the workaround detailed in the FAQ.

Affected Software:

* Microsoft Internet Explorer
* Microsoft Proxy Server 2.0
* Microsoft ISA Server 2000

Technical details

Technical description:

On June 11, 2002, Microsoft released the original version of
this bulletin. In it, we detailed a work-around procedure that
customers could implement to protect themselves against a
publicly disclosed vulnerability. An updated version of this
bulletin was re-released on June 14, 2002 to announce the
availability of patches for Proxy Server 2.0 and ISA Server
2000 and to advise customers that the work-around procedure is
no longer needed on those platforms. Patches for IE are
forthcoming and this bulletin will be re-released to announce
their availability.

The Gopher protocol is a legacy protocol that provides for the
transfer of text-based information across the Internet.
Information on Gopher servers is hierarchically presented
using a menu system, and multiple Gopher servers can be linked
together to form a collective "Gopherspace".

There is an unchecked buffer in a piece of code which handles
the response from Gopher servers. This code is used
independently in IE, ISA, and Proxy Server. A security
vulnerability results because an attacker can mount a buffer
overrun attack through a specially crafted server response.
The attacker could seek to exploit the vulnerability by
crafting a web page that contacted a Gopher server under the
attacker's control, and then either post this page on a web
site or send it as an HTML email. When the page was displayed
and the server's response received and processed, the attack
would be carried out.

A successful attack requires that the attacker be able to send
information to the intended target. Anything which inhibited
connectivity could protect against attempts to exploit this
vulnerability. In the case of IE, the code would be run in the
user's context. As a result, any limitations on the user would
apply to the attacker's code as well.

Mitigating factors:

* A successful attack requires that the attacker's server
be able to deliver information to the target.
* In the case of IE, code would run in the security context
of the user. As a result, any limitations on the user's
ability would also restrict the actions an attacker's
code could take.
* A successful attack against ISA and Proxy servers would
require that the malicious response be received by the
web proxy service. In practical terms, this means that a
proxy client would have to submit the initial request
through the proxy server.

Severity Rating:

                          Internet   Intranet   Client
                          Servers    Servers    Systems
Internet Explorer 5.01    Moderate   Moderate   Critical
Internet Explorer 5.5     Moderate   Moderate   Critical
Internet Explorer 6.0     Moderate   Moderate   Critical
Proxy Server 2.0          Critical   Critical   None
ISA Server 2000           Critical   Critical   None

The above assessment is based on the types of systems affected
by the vulnerability, their typical deployment patterns, and
the effect that exploiting the vulnerability would have on
them. In the case of ISA and Proxy servers, the vulnerability
can be used to gain LocalSystem level access. In the case of
IE, the vulnerability can be used to run code in the user's
security context.

Vulnerability identifier: CAN-2002-0371

Tested Versions:
Microsoft tested ISA Server 2000 and Microsoft Proxy Server 2.0
to assess whether they are affected by this vulnerability.
Previous versions are no longer supported, and may or may not
be affected by it.

The following table indicates which of the currently supported
versions of Internet Explorer are affected by the
vulnerabilities. Versions of IE prior to 5.01 Service Pack 2
are no longer eligible for hotfix support. IE 5.01 SP2 is
supported only via Windows® 2000 Service Packs and Security
Roll-up Packages.
                                     IE 5.01   IE 5.5   IE 5.5   IE 6.0
                                     SP2       SP1      SP2
Buffer Overrun in Gopher Protocol
Handler (CAN-2002-0371)              Yes       Yes      Yes      Yes

Frequently asked questions

Why is Microsoft re-releasing this bulletin?

Microsoft originally released this bulletin on June 11, 2002
to advise customers of work-around procedures that could be
used while patches were under development. On June 14, 2002
Microsoft completed development of patches for ISA Server 2000
and Proxy Server 2.0 and rereleased this bulletin to advise
customers of their availability. Patches for IE are under
development and will be made available as soon as they are
completed.

Why is Microsoft releasing a work-around bulletin rather than
a patch for this issue?

Microsoft is currently working on patches to address this
vulnerability. However, the information required to exploit
this vulnerability has been released before the patches have
been completed. To allow customers to take action to protect
themselves while the patches are built, Microsoft is releasing
work-around information. Microsoft will update this bulletin
to announce the availability of patches as soon as they are
available.

What’s the scope of this vulnerability?

This is a buffer overrun vulnerability. A successful exploit
of this vulnerability could enable an attacker to run code on
the local system. An attacker could seek to exploit this
vulnerability by creating a specially formed web page that
would contact a server under the attacker's control. The web
page could either be posted on a web site under the attacker's
control or sent as an HTML email. When the attacker's server
returned information to the target, the vulnerability could be
exploited and the attacker's code would run in the context of
the program that submitted the request to the attacker's
server.

In the case of ISA and Proxy Server, the attacker's code would
run in the LocalSystem context. This could give the attacker
complete control over the server and allow them to take any
action on the server including but not limited to formatting
the hard drive, adding administrators to the system, and
loading network services.

In the case of IE, the attacker's code would run in the user's
context. This means that it could take any action that user
could, including adding, changing or deleting files or
changing security settings.

Successfully exploiting the vulnerability requires that the
intended target be able to receive information from an
attacker's server using the Gopher protocol. Anything that
prevents this access, such as blocking the Gopher protocol or
blocking access to the attacker's server, would prevent
attempts to exploit this vulnerability. Note that a Gopher URL
can name any TCP port, so blocking port 70 alone does not stop
the connection (the V2.0 revision below corrected an earlier
statement on this point). In addition, in the case of IE, the
code would run in the security context of the user. As a
result, any limitations on the user's account would also apply
to the attacker's code. For example, if a user were prevented
by security policies from deleting files or changing security
settings, the attacker's code would also be prevented from
those actions.

What causes the vulnerability?

The vulnerability results from an unchecked buffer in code
which handles information returned from a server using the
Gopher protocol. By configuring a Gopher server to return
information in a particular manner in response to requests,
an attacker could attempt to overflow the buffer and load
code on the system.

Why does this vulnerability affect ISA and Proxy Servers in
addition to IE?

The particular piece of code which has the unchecked buffer is
used independently in ISA and Proxy Servers, in addition to
being used in IE.

What is Gopher?

Gopher is a network protocol that supports the transfer of
information across the Internet. In many ways, it is similar
to HTTP, the protocol that is the language of the World Wide
Web. Unlike HTTP, however, Gopher is completely text based.
The Gopher protocol is specified in RFC 1436.

Gopher organizes the information on a site into a hierarchical
menu. In addition, multiple Gopher sites can be linked together
by menus, creating what is referred to as "Gopherspace". Most
of the functions and capabilities of Gopher have been
superseded by HTTP. Gopher is mainly used now to provide legacy
support for information that has not been migrated to web
sites.

What's wrong with how Gopher is handled?

There is an unchecked buffer in the code which handles
information returned from a Gopher server.
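The following is an added illustration of the bug class the two
answers above describe, written for this page. It is not
Microsoft's code and does not reproduce the actual flaw in IE,
ISA Server or Proxy Server, whose source is not public. It
parses RFC 1436 menu lines from a server response (a type
character, then display string, selector, host and port
separated by tabs, each line ended by CRLF, the menu ended by a
lone "."). The first parser copies each server-supplied field
into a fixed-size buffer with no length check, which is the
pattern that lets a crafted response overrun the buffer; the
second refuses any field that does not fit. The field size
FIELD_MAX, the struct layout and the sample responses are
assumptions made for the example.

```c
/* Added illustration (not Microsoft's code); FIELD_MAX and samples assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed fixed field size */
#define MAX_ITEMS 16

/* One RFC 1436 menu line: <type><display>\t<selector>\t<host>\t<port> */
struct gopher_item {
    char type;
    char display[FIELD_MAX], selector[FIELD_MAX], host[FIELD_MAX];
    int  port;
};

/* Unchecked: the server picks each field's length but %[^\t] has no width,
 * so a display string of FIELD_MAX bytes or more runs past item->display.
 * Kept for comparison only; never fed untrusted input in this file. */
int parse_gopher_line_unchecked(const char *line, struct gopher_item *item)
{
    if (*line == '\0') return -1;
    item->type = *line;
    return sscanf(line + 1, "%[^\t]\t%[^\t]\t%[^\t]\t%d", item->display,
                  item->selector, item->host, &item->port) == 4 ? 0 : -1;
}

/* Copy [start,end) into a FIELD_MAX buffer; refuse if it does not fit
 * together with its terminating NUL. */
static int copy_field(char *dst, const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    if (len >= FIELD_MAX) return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Checked: 0 on success, -1 if the line is malformed or any field would
 * overflow its buffer. The server's data never decides a copy length. */
int parse_gopher_line(const char *line, struct gopher_item *item)
{
    const char *p = line, *tab;
    char *dst[3] = { item->display, item->selector, item->host };
    char *endp;
    long port;

    if (*p == '\0' || *p == '\t') return -1;
    item->type = *p++;
    for (int i = 0; i < 3; i++) {
        tab = strchr(p, '\t');
        if (tab == NULL || copy_field(dst[i], p, tab) != 0) return -1;
        p = tab + 1;
    }
    port = strtol(p, &endp, 10);
    if (endp == p || port < 1 || port > 65535) return -1;
    if (*endp != '\0' && *endp != '\r' && *endp != '\n') return -1;
    item->port = (int)port;
    return 0;
}

/* Parse a whole menu (CRLF-separated lines, ended by a lone "."). Returns
 * the item count, or -1 if any line is bad or there are too many. */
int parse_gopher_menu(const char *resp, struct gopher_item *items, size_t max)
{
    size_t n = 0;
    char line[1024];
    while (*resp != '\0') {
        const char *eol = strstr(resp, "\r\n");
        size_t len = eol ? (size_t)(eol - resp) : strlen(resp);
        if (len >= sizeof line) return -1;   /* line too long for our buffer */
        memcpy(line, resp, len);
        line[len] = '\0';
        resp += len + (eol ? 2 : 0);
        if (strcmp(line, ".") == 0) break;   /* end-of-menu marker */
        if (n >= max || parse_gopher_line(line, &items[n]) != 0) return -1;
        n++;
    }
    return (int)n;
}

/* Constructed sample responses (not captured traffic). */
const char *SAMPLE_MENU =
    "1About this server\tabout\tgopher.example\t70\r\n"
    "0Read me\t/readme.txt\tgopher.example\t70\r\n.\r\n";

/* A hostile menu whose 200-byte display field exceeds FIELD_MAX. */
const char *oversized_menu(void)
{
    static char buf[512];
    char big[201];
    memset(big, 'A', 200);
    big[200] = '\0';
    snprintf(buf, sizeof buf, "0%s\tsel\thost\t70\r\n.\r\n", big);
    return buf;
}

int main(void)
{
    struct gopher_item items[MAX_ITEMS];
    printf("benign menu: %d items\n",
           parse_gopher_menu(SAMPLE_MENU, items, MAX_ITEMS));
    printf("oversized menu: %d (rejected)\n",
           parse_gopher_menu(oversized_menu(), items, MAX_ITEMS));
    return 0;
}
```

Compile with any C99 compiler. The point is who owns the copy
length: in the unchecked version the remote server decides how
many bytes are written into a local fixed-size buffer, which is
the condition the bulletin describes; in the checked version
the hostile response is rejected with -1 before anything is
copied.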

What could this vulnerability enable an attacker to do?

This vulnerability could enable an attacker to mount a buffer
overrun attack and run code in the same process space as the
program that processed the response. As a consequence, the
attacker's code would run with the same privileges as that
program.

In the case of ISA and Proxy Server, this could enable an
attacker to run code as the operating system. This would give
the attacker complete control over the server.

In the case of IE, this could enable an attacker to run code
as the currently logged on user. The attacker would be able to
do anything that the user could. The attacker would also be
limited by any constraints that govern the user's privileges.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by
building a web page that contacts the attacker's server. When
the response from the attacker's server was processed, the
buffer would be overrun and the attacker's code would execute.

In the case of IE, the attacker could either post the web page
on a server or send it as an HTML email. In either instance,
as soon as the page was displayed and the response from the
attacker's server received, the attack would be carried out.

In the case of ISA and Proxy server, a successful attack would
require that the web proxy service receive the malformed
Gopher response. In practical terms, this means that a proxy
server client would most likely have to make a request to the
attacker's server. When the server received and processed the
malicious response, the attack would be carried out.

I'm running email in the Restricted Sites zone, am I at risk
from this vulnerability?

While the Restricted Sites zone often provides protection
against HTML email-based vulnerabilities, it does not protect
against attempts to exploit this vulnerability by email. This
is because basic HTML functionality, which is permitted in the
Restricted Sites zone, is sufficient to invoke the
vulnerability.

Is there anything that can mitigate against attempts to
exploit this vulnerability by email?

Yes. The "Read as Plain Text" feature in Outlook 2002 SP1 can
protect against attempts to exploit this vulnerability by HTML
email. This is because this feature disables all HTML
functionality.

Is there anything that can mitigate against this
vulnerability?

Yes. A successful attack requires that the attacker's server
be able to send network traffic to the intended target.
Anything which inhibits the attacker's ability to send traffic
would help protect against this vulnerability.

How can I protect against this vulnerability in IE until
patches are completed?

Customers can protect themselves against this vulnerability in
IE by defining a non-functional Gopher proxy in Internet
Explorer. This has the result of essentially disabling the
Gopher protocol in IE by making it impossible for IE to send
and receive Gopher traffic.

How can I implement this work-around manually?

Customers can implement the work-around manually by following
the steps listed below:

* Right Click on Internet Explorer(IE) Icon on the Desktop
or while IE is open, Click on "Tools" and select
"Internet Options"
* Click on the "Connections" Tab
* Click on the "LAN Settings..." button
o Uncheck “automatically detect settings”
o If "automatic configuration script" is set, check
with your administrator if gopher server is called
out.
* Check the "Use proxy server for your LAN..." Checkbox
* Click on the "Advanced..." button
o Ensure “use the same proxy server for all protocols”
is unchecked.
* In the "Proxy addresses to use" textbox next to the word
Gopher, Type "LocalHost"
* In the "Port" textbox next to the Gopher protocol, Type
"1"
* Enter proxy information for any other protocols (FTP,
HTTP) in the appropriate textboxes.
* Click 'OK' until the Internet Options Menu disappears.

Note that after unchecking "automatically detect settings" you
will need to ensure that there are entries for other protocols
such as HTTP and FTP. If these boxes are empty, applications
that use these protocols may no longer function correctly.

I'm a network administrator, how can I implement this
work-around in my Enterprise?

Administrators can use the "Automatic Proxy Configuration
Script" feature in IE to implement this workaround in a .pac
file. Below is an example of how this could be implemented:

    function FindProxyForURL(url, host)
    {
        // Route every gopher: URL to a proxy that does not exist, so IE
        // can neither send nor receive Gopher traffic. The comparison is
        // case-insensitive so a URL typed as GOPHER://... is caught too.
        if (url.substring(0, 7).toLowerCase() == "gopher:") {
            return "PROXY localhost:1";
        }
        else {
            return "DIRECT";
        }
    }

Note that customers using a specific proxy should change the
line return "DIRECT"; to return "PROXY <proxyserver>:<port>";
where <proxyserver> and <port> are the name and port of their
own proxy server, so that non-Gopher traffic still reaches it.

What do the ISA Server and Proxy Server 2.0 patches do?

The patch eliminates the vulnerability by implementing proper
checking on the buffer that handles server responses.

I implemented the work-around on my ISA Servers, how do I
re-enable the Gopher protocol?

Customers who implemented the work-around on an ISA array can
re-enable the Gopher protocol by deleting the rule they
created, following the steps listed below:

* Go to the node: Servers and Arrays, Array node, Access
policy, Protocol Rules.
* Select rule created to implement the work-around. Select
"Delete"

Customers using the enterprise edition of ISA Server who
implemented the work-around using the enterprise policy can
re-enable the Gopher protocol by deleting the rule they
created, following the steps listed below:

* Go to the node: Enterprise, Policies, applied enterprise
policy, Protocol Rules.
* Select rule created to implement the work-around. Select
"Delete"

I implemented the work-around on my Proxy 2.0 Servers, how do
I re-enable the Gopher protocol?

By default, Proxy Server 2.0 denies every protocol to all users
and groups. If you have enabled protocol access for users and
excluded Gopher from that access as the work-around, re-enable
it by following the steps listed below:

* Click Start, point to Programs, point to Microsoft Proxy
Server and click Microsoft Management Console.
* Double-click the computer name.
* In the right pane, double-click Web Proxy.
* Use the Web Proxy Permission tab to determine which users
or groups can access via each protocol.
* Check "Enable access control".
* Ensure the Gopher "Grant access" list contains the
appropriate users or groups (typically Everyone), or ensure
that the "Unlimited access" list does.
* Click OK.

Patch availability

Download locations for this patch

* ISA Server 2000:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39856
* Proxy Server 2.0:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39861
* Internet Explorer:
see Microsoft Security Bulletin MS02-047

Additional information about this patch

Installation platforms:

* The ISA Server 2000 patch can be installed on systems
running ISA Server 2000 SP1.
* The Proxy Server 2.0 patch can be installed on systems
running Proxy Server 2.0 SP 1.

Inclusion in future service packs:
The fix for this issue will be included in ISA Server 2000 SP2

Reboot needed:

* ISA Server 2000: No
* Proxy Server 2.0: Yes

Superseded patches: None.

Verifying patch installation:

* ISA Server 2000 and Proxy Server 2.0:
Verify the file versions as indicated in the file
manifest in Q323889

Caveats:
None

Localization:
Localized versions of this patch are available at the
locations discussed in "Obtaining other security patches".

Obtaining other security patches:
Patches for other security issues are available from the
following locations:

* Security patches are available from the Microsoft
Download Center, and can be most easily found by doing a
keyword search for "security_patch".
* Patches for consumer platforms are available from the
WindowsUpdate web site
* All patches available via WindowsUpdate also are
available in a redistributable form from the
WindowsUpdate Corporate site.

Other information:

Support:

* Microsoft Knowledge Base article Q323889 discusses this
issue and will be available approximately 24 hours after
the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product
Support Services. There is no charge for support calls
associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site
provides additional information about security in Microsoft
products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft
disclaims all warranties, either express or implied, including
the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

* V1.0 (June 11, 2002): Bulletin Created.
* V2.0 (June 14, 2002): Bulletin updated to include patch
availability for ISA Server 2000 and Proxy Server 2.0 and
to correct factual error regarding the efficacy of
blocking port 70.
* V2.1 (July 31, 2002): Bulletin updated to provide links
to workaround information.
* V3.0 (August 23, 2002): Bulletin updated to include patch
availability for Internet Explorer.

© 2002 Microsoft Corporation. All rights reserved.