__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
MS Unchecked Buffer in Gopher Protocol Handler
[Microsoft Security Bulletin MS02-027]
June 13, 2002 18:00 GMT Number M-088
[Revised 18 June 2002]
______________________________________________________________________________
PROBLEM: There is an unchecked buffer in a piece of code which handles
the response from Gopher servers. This code is used
independently in IE, ISA, and Proxy Server.
PLATFORM: Any operating system running:
* Microsoft Internet Explorer
* Microsoft Proxy Server 2.0
* Microsoft ISA Server 2000
DAMAGE: In the case of ISA and Proxy servers, the vulnerability can be
used to gain LocalSystem level access. In the case of IE, the
vulnerability can be used to run code in the user's security
context.
SOLUTION: Disable the Gopher protocol (see 'Frequently asked questions'
online for details). Patches are under development.
______________________________________________________________________________
VULNERABILITY
ASSESSMENT:   The risk is HIGH. The assessment is based on the types of
              systems affected by the vulnerability, their typical deployment
              patterns, and the effect that exploiting the vulnerability
              would have on them.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-088.shtml
ORIGINAL BULLETIN: http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027
PATCHES: - 18 June, 2002 - Microsoft ISA Server 2000
http://www.microsoft.com/downloads/release.asp?ReleaseID=39856
- 18 June, 2002 - Microsoft Proxy Server 2.0
http://www.microsoft.com/downloads/release.asp?ReleaseID=39861
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-027 *****]
Microsoft Security Bulletin MS02-027
Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)
Originally posted: June 11, 2002
Summary
Who should read this bulletin: Customers using Microsoft(r) Internet Explorer; System
administrators running Microsoft Internet Security and Acceleration (ISA) Server 2000 or
Microsoft Proxy Server 2.0.
Impact of vulnerability: Run Code of Attacker's Choice.
Maximum Severity Rating: Critical
Recommendation: Customers should implement the workaround detailed in the FAQ.
Affected Software:
Microsoft Internet Explorer
Microsoft Proxy Server 2.0
Microsoft ISA Server 2000
Technical details
Technical description:
On June 11, 2002, Microsoft released the original version of this bulletin. In
it, we detailed a work-around procedure that customers could implement to
protect themselves against a publicly disclosed vulnerability. An updated
version of this bulletin was re-released on June 14, 2002 to announce the
availability of patches for Proxy Server 2.0 and ISA Server 2000 and to advise
customers that the work-around procedure is no longer needed on those
platforms. Patches for IE are forthcoming and this bulletin will be re-released
to announce their availability.
The Gopher protocol is a legacy protocol that provides for the transfer of text-based
information across the Internet. Information on Gopher servers is hierarchically
presented using a menu system, and multiple Gopher servers can be linked together to
form a collective "Gopherspace".
There is an unchecked buffer in a piece of code which handles the response from Gopher
servers. This code is used independently in IE, ISA, and Proxy Server. A security
vulnerability results because it is possible for an attacker to attempt to exploit this
flaw by mounting a buffer overrun attack through a specially crafted server response.
The attacker could seek to exploit the vulnerability by crafting a web page that
contacted a server under the attacker's control. The attacker could then either post
this page on a web site or send it as an HTML email. When the page was displayed and the
server's response received and processed, the attack would be carried out.
A successful attack requires that the attacker be able to send information to the
intended target using the Gopher protocol. Anything which inhibited Gopher connectivity
could protect against attempts to exploit this vulnerability. In the case of IE, the
code would be run in the user's context. As a result, any limitations on the user would
apply to the attacker's code as well.
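As an added illustration, and not code from Microsoft, CIAC or the affected products (whose Gopher handler is not shown in the bulletin): a small parser for RFC 1436 Gopher menu lines that places the defect class the bulletin describes, a copy of a server-supplied field into a fixed-size buffer with no length check, next to a bounds-checked version that refuses over-long fields and malformed ports. The field limits, the item struct and the sample menu lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define DISPLAY_MAX  70              /* constructed limits for the fixed buffers */
#define SELECTOR_MAX 255
#define HOST_MAX     255

struct gopher_item {
    char type;                       /* '0' text file, '1' menu, ... */
    char display[DISPLAY_MAX + 1];
    char selector[SELECTOR_MAX + 1];
    char host[HOST_MAX + 1];
    int  port;
};

/* The defect class in miniature: the field length comes from the server's
 * response and is never compared with the destination size, so an over-long
 * field overruns dst. Kept only as the contrast to take_field(); not called. */
void take_field_unchecked(const char **p, const char *tab, char *dst)
{
    size_t len = (size_t)(tab - *p);
    memcpy(dst, *p, len);            /* no bound: len may exceed sizeof dst */
    dst[len] = '\0';
    *p = tab + 1;
}

/* Hardened form: copy one TAB-terminated field from [*p, end) into dst[cap]
 * and advance *p; a field that does not fit with its terminator is refused. */
static int take_field(const char **p, const char *end, char *dst, size_t cap)
{
    const char *tab = memchr(*p, '\t', (size_t)(end - *p));
    size_t len;
    if (tab == NULL || (len = (size_t)(tab - *p)) >= cap)
        return -1;
    memcpy(dst, *p, len);
    dst[len] = '\0';
    *p = tab + 1;
    return 0;
}

/* Parse one RFC 1436 menu line, "Tdisplay<TAB>selector<TAB>host<TAB>port",
 * given as a byte span (no copy of the raw line is needed first).
 * Returns 0 on success, -1 if malformed or any field exceeds its buffer. */
int parse_item(const char *line, size_t len, struct gopher_item *out)
{
    const char *p = line, *end = line + len;
    long port = 0;
    if (len == 0 || line[0] == '\t')
        return -1;
    out->type = *p++;
    if (take_field(&p, end, out->display,  sizeof out->display)  != 0 ||
        take_field(&p, end, out->selector, sizeof out->selector) != 0 ||
        take_field(&p, end, out->host,     sizeof out->host)     != 0)
        return -1;
    /* port: decimal digits in 1..65535, followed only by an optional CR/LF */
    for (; p < end && *p >= '0' && *p <= '9'; p++)
        if ((port = port * 10 + (*p - '0')) > 65535)
            return -1;
    while (p < end && (*p == '\r' || *p == '\n'))
        p++;
    if (port < 1 || p != end)
        return -1;
    out->port = (int)port;
    return 0;
}

/* Constructed sample: a valid line, one whose display string exceeds
 * DISPLAY_MAX, and one with an out-of-range port. Returns the number of lines
 * accepted, and reports the rejected count and the first accepted port. */
int check_sample(int *rejected, int *first_port)
{
    char big[DISPLAY_MAX + 50], overlong[DISPLAY_MAX + 100];
    const char *lines[3];
    struct gopher_item item;
    int i, n = 0;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    snprintf(overlong, sizeof overlong, "1%s\t/\tgopher.example\t70\r", big);
    lines[0] = "0About this server\t/about.txt\tgopher.example\t70\r";
    lines[1] = overlong;
    lines[2] = "1Bad port\t/\tgopher.example\t99999\r";
    *rejected = 0;
    *first_port = -1;
    for (i = 0; i < 3; i++) {
        if (parse_item(lines[i], strlen(lines[i]), &item) != 0)
            (*rejected)++;
        else if (n++ == 0)
            *first_port = item.port;
    }
    return n;
}

int main(void)
{
    int rejected, port, n = check_sample(&rejected, &port);
    printf("accepted %d line(s), rejected %d, first port %d\n", n, rejected, port);
    return 0;
}
```

The point of the contrast is where the length comes from: in both variants it is computed from the server's response, but only take_field() compares it with the size of the destination before copying, and the parser treats any refused field as a reason to drop the whole line rather than to truncate it.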
Mitigating factors:
A successful attack requires that the attacker's server be able to deliver information
to the target using the Gopher protocol. Customers who block Gopher at the perimeter
would be protected against attempts to exploit this vulnerability across the Internet.
In the case of IE, code would run in the security context of the user. As a result, any
limitations on the user's ability would also restrict the actions an attacker's code
could take.
A successful attack against ISA and Proxy servers would require that the malicious
response be received by the web proxy service. In practical terms, this means that a
proxy client would have to submit the initial request through the proxy server.
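An added example, not part of the bulletin: the mitigating factors above rest on being able to recognise Gopher traffic, and the V2.0 revision note at the end of the bulletin records that the original text overstated what blocking port 70 achieves. A gopher URL can name any port, so a defender reviewing proxy logs for exposure should match on the URL scheme rather than on the destination port. The log format and the sample lines are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if url starts with the gopher scheme (any letter case), else 0.
 * The port in the URL is deliberately ignored: a server can listen anywhere. */
int is_gopher_url(const char *url)
{
    const char *scheme = "gopher:";
    size_t i;
    for (i = 0; scheme[i] != '\0'; i++)
        if (url[i] == '\0' || tolower((unsigned char)url[i]) != scheme[i])
            return 0;
    return 1;
}

/* Constructed log format, one request per line: "<client-ip> <url> <status>".
 * Copies the client address of each gopher request into hits (up to max)
 * and returns the number of gopher requests seen in the whole log. */
int scan_proxy_log(const char *log, char hits[][16], int max)
{
    int count = 0;
    const char *p = log;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *sp = memchr(p, ' ', len);         /* end of client field */
        if (sp != NULL && sp - p < 16 && is_gopher_url(sp + 1)) {
            if (count < max) {
                memcpy(hits[count], p, (size_t)(sp - p));
                hits[count][sp - p] = '\0';
            }
            count++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Constructed sample: the HTTP request to port 70 is not Gopher, while the
 * gopher request on port 8080 and the upper-case scheme both are. */
const char *sample_log =
    "10.0.0.5 http://www.example.com/ 200\n"
    "10.0.0.7 gopher://gopher.example.net:8080/1/ 200\n"
    "10.0.0.9 http://intranet.example:70/ 200\n"
    "10.0.0.7 GOPHER://gopher.example.net/0/readme 200\n";

int main(void)
{
    char hits[8][16];
    int n = scan_proxy_log(sample_log, hits, 8), i;
    printf("%d gopher request(s)\n", n);
    for (i = 0; i < n && i < 8; i++)
        printf("  client %s\n", hits[i]);
    return 0;
}
```

Run against the constructed log this reports two Gopher requests, both from 10.0.0.7, and ignores the port-70 HTTP request; a port-based filter would have flagged that line and missed the request on port 8080.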
Severity Rating:
                         Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01   Moderate           Moderate           Critical
Internet Explorer 5.5    Moderate           Moderate           Critical
Internet Explorer 6.0    Moderate           Moderate           Critical
Proxy Server 2.0         Critical           Critical           None
ISA Server 2000          Critical           Critical           None
The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability
would have on them. In the case of ISA and Proxy servers, the vulnerability can be used
to gain LocalSystem level access. In the case of IE, the vulnerability can be used to
run code in the user's security context.
Vulnerability identifier: CAN-2002-0371
Tested Versions:
Microsoft tested ISA Server 2000 and Microsoft Proxy Server 2.0 to assess whether they are
affected by these vulnerabilities. Previous versions are no longer supported, and may or
may not be affected by these vulnerabilities.
The following table indicates which of the currently supported versions of Internet
Explorer are affected by the vulnerabilities. Versions of IE prior to 5.01 Service Pack
2 are no longer eligible for hotfix support. IE 5.01 SP2 is supported only via Windows(r)
2000 Service Packs and Security Roll-up Packages.
               Buffer Overrun in Gopher Protocol Handler (CVE-CAN-2002-0371)
IE 5.01 SP2    Yes
IE 5.5 SP1     Yes
IE 5.5 SP2     Yes
IE 6.0         Yes
Patch availability
Download locations for this patch
- ISA Server 2000:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39856
- Proxy Server 2.0:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39861
- Internet Explorer:
Patches are under development and will be posted as soon as they are completed.
Additional information about this patch
Installation platforms:
- The ISA Server 2000 patch can be installed on systems running ISA Server 2000 SP1.
- The Proxy Server 2.0 patch can be installed on systems running Proxy Server 2.0 SP 1.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.
All patches available via WindowsUpdate also are available in a redistributable form
from the WindowsUpdate Corporate site.
Other information:
Support:
Microsoft Knowledge Base article Q323889 discusses this issue and will be available
approximately 24 hours after the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no
charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not
apply.
Revisions:
V1.0 (June 11, 2002): Bulletin Created.
V2.0 (June 14, 2002): Bulletin updated to include patch availability for ISA Server 2000 and Proxy
Server 2.0 and to correct factual error regarding the efficacy of blocking port 70.
[***** End Microsoft Security Bulletin MS02-027 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
M-078: Sun Heap Overflow in Cachefs Daemon (cachefsd)
M-079: Format String Vulnerability in ISC DHCPD
M-080: SGI IRIX fsr_xfs Vulnerability
M-081: SSHD "AllowedAuthentications" Vulnerability
M-082: Microsoft Cumulative Patch for Internet Explorer
M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability
M-085: IMAP Partial Mailbox Attribute Buffer Overflow Vulnerability
M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability