MS Unchecked Buffer in Gopher Protocol Handler (CIAC M-088)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 MS Unchecked Buffer in Gopher Protocol Handler
                     [Microsoft Security Bulletin MS02-027]

June 13, 2002 18:00 GMT                                           Number M-088
[Revised 18 June 2002]
______________________________________________________________________________
PROBLEM:       There is an unchecked buffer in a piece of code which handles 
               the response from Gopher servers. This code is used 
               independently in IE, ISA, and Proxy Server. 
PLATFORM:      Any operating system running: 
                 * Microsoft Internet Explorer 
                 * Microsoft Proxy Server 2.0 
                 * Microsoft ISA Server 2000 
DAMAGE:        In the case of ISA and Proxy servers, the vulnerability can be 
               used to gain LocalSystem level access. In the case of IE, the 
               vulnerability can be used to run code in the user's security 
               context. 
SOLUTION:      Disable the Gopher protocol (see 'Frequently asked questions' 
               online for details).  Patches are under development.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The assessment is based on the types of 
ASSESSMENT:    systems affected by the vulnerability, their typical deployment 
               patterns, and the effect that exploiting the vulnerability 
               would have on them. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-088.shtml 
 ORIGINAL BULLETIN:  http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027
 PATCHES:            - 18 June, 2002 - Microsoft ISA Server 2000
                     http://www.microsoft.com/downloads/release.asp?ReleaseID=39856
                     - 18 June, 2002 - Microsoft Proxy Server 2.0
                     http://www.microsoft.com/downloads/release.asp?ReleaseID=39861 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-027 *****]


Microsoft Security Bulletin MS02-027  


Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)
Originally posted: June 11, 2002

Summary
Who should read this bulletin: Customers using Microsoft(r) Internet Explorer; System 
administrators running Microsoft Internet Security and Acceleration (ISA) Server 2000 or 
Microsoft Proxy Server 2.0. 

Impact of vulnerability: Run Code of Attacker's Choice. 

Maximum Severity Rating: Critical 

Recommendation: Customers should implement the workaround detailed in the FAQ. 

Affected Software: 

Microsoft Internet Explorer 
Microsoft Proxy Server 2.0 
Microsoft ISA Server 2000 



Technical details

Technical description: 


On June 11, 2002, Microsoft released the original version of this bulletin. In
it, we detailed a work-around procedure that customers could implement to
protect themselves against a publicly disclosed vulnerability. An updated
version of this bulletin was rereleased on June 14, 2002 to announce the
availability of patches for Proxy Server 2.0 and ISA Server 2000 and to advise
customers that the work-around procedure is no longer needed on those
platforms. Patches for IE are forthcoming and this bulletin will be re-released
to announce their availability. 

The Gopher protocol is a legacy protocol that provides for the transfer of text-based 
information across the Internet. Information on Gopher servers is hierarchically 
presented using a menu system, and multiple Gopher servers can be linked together to 
form a collective "Gopherspace". 

There is an unchecked buffer in a piece of code which handles the response from Gopher 
servers. This code is used independently in IE, ISA, and Proxy Server. A security 
vulnerability results because it is possible for an attacker to attempt to exploit this 
flaw by mounting a buffer overrun attack through a specially crafted server response. 
The attacker could seek to exploit the vulnerability by crafting a web page that 
contacted a server under the attacker's control. The attacker could then either post 
this page on a web site or send it as an HTML email. When the page was displayed and the 
server's response received and processed, the attack would be carried out. 

A successful attack requires that the attacker be able to send information to the 
intended target using the Gopher protocol. Anything which inhibited Gopher connectivity 
could protect against attempts to exploit this vulnerability. In the case of IE, the 
code would be run in the user's context. As a result, any limitations on the user would 
apply to the attacker's code as well. 
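As an added illustration, not code from Microsoft or CIAC, of the length check that an unchecked buffer in a Gopher response handler omits: a bounds-checked parser for one RFC 1436 menu line that rejects over-long or malformed server output instead of copying it into a fixed-size field. The field sizes are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>
/* Field sizes are assumptions for this example, not those of the affected products. */
#define DISPLAY_MAX  128
#define SELECTOR_MAX 256
#define HOST_MAX     256

struct gopher_item {
    char type;                    /* RFC 1436 item type, e.g. '0' file, '1' menu */
    char display[DISPLAY_MAX];
    char selector[SELECTOR_MAX];
    char host[HOST_MAX];
    int  port;
};
/* Copy a field into a fixed buffer only if it fits with its terminator;
 * this length check is exactly what an "unchecked buffer" omits. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}
/* Parse one menu line "<type><display>\t<selector>\t<host>\t<port>[CRLF]".
 * Returns 0 on success, -1 for malformed or over-long server output, so a
 * hostile response is rejected instead of overrunning a field. */
int parse_gopher_line(const char *line, struct gopher_item *out) {
    const char *f[4], *p;
    size_t n[4];
    int port = 0;
    if (line == NULL || line[0] == '\0' || line[0] == '\r' || line[0] == '\n') return -1;
    out->type = line[0];
    p = line + 1;
    for (int i = 0; i < 4; i++) {
        n[i] = strcspn(p, "\t\r\n");  /* field ends at TAB or end of line */
        f[i] = p;
        p += n[i];
        if (i < 3 && *p++ != '\t') return -1;  /* three TABs separate four fields */
    }
    if (copy_field(out->display,  DISPLAY_MAX,  f[0], n[0]) != 0) return -1;
    if (copy_field(out->selector, SELECTOR_MAX, f[1], n[1]) != 0) return -1;
    if (copy_field(out->host,     HOST_MAX,     f[2], n[2]) != 0) return -1;
    if (n[3] == 0 || n[3] > 5) return -1;    /* port: 1 to 5 decimal digits */
    for (size_t i = 0; i < n[3]; i++) {
        if (f[3][i] < '0' || f[3][i] > '9') return -1;
        port = port * 10 + (f[3][i] - '0');
    }
    if (port > 65535) return -1;
    out->port = port;
    return 0;
}
```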


Mitigating factors: 

A successful attack requires that the attacker's server be able to deliver information 
to the target using the Gopher protocol. Customers who block Gopher at the perimeter 
would be protected against attempts to exploit this vulnerability across the Internet. 

In the case of IE, code would run in the security context of the user. As a result, any 
limitations on the user's ability would also restrict the actions an attacker's code 
could take. 

A successful attack against ISA and Proxy servers would require that the malicious 
response be received by the web proxy service. In practical terms, this means that a 
proxy client would have to submit the initial request through the proxy server. 

Severity Rating:
                         Internet Servers   Intranet Servers   Client Systems 
Internet Explorer 5.01       Moderate          Moderate           Critical 
Internet Explorer 5.5        Moderate          Moderate           Critical 
Internet Explorer 6.0        Moderate          Moderate           Critical 
Proxy Server 2.0             Critical          Critical           None 
ISA Server 2000              Critical          Critical           None 

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. In the case of ISA and Proxy servers, the vulnerability can be used 
to gain LocalSystem level access. In the case of IE, the vulnerability can be used to 
run code in the user's security context. 


Vulnerability identifier: CAN-2002-0371 

Tested Versions:
Microsoft tested ISA Server 2000 and Microsoft Proxy Server 2.0 to assess whether they are 
affected by these vulnerabilities. Previous versions are no longer supported, and may or 
may not be affected by these vulnerabilities. 

The following table indicates which of the currently supported versions of Internet 
Explorer are affected by the vulnerabilities. Versions of IE prior to 5.01 Service Pack 
2 are no longer eligible for hotfix support. IE 5.01 SP2 is supported only via Windows(r) 
2000 Service Packs and Security Roll-up Packages. 

Buffer Overrun in Gopher Protocol Handler (CAN-2002-0371) 
IE 5.01 SP2   Yes
IE 5.5 SP1    Yes
IE 5.5 SP2    Yes
IE 6.0        Yes


Patch availability

Download locations for this patch 

          - ISA Server 2000:
            http://www.microsoft.com/downloads/release.asp?ReleaseID=39856 
          - Proxy Server 2.0:
            http://www.microsoft.com/downloads/release.asp?ReleaseID=39861 
          - Internet Explorer:
            Patches are under development and will be posted as soon as they are completed.



Additional information about this patch

Installation platforms: 

        -  The ISA Server 2000 patch can be installed on systems running ISA Server 2000 SP1. 
        -  The Proxy Server 2.0 patch can be installed on systems running Proxy Server 2.0 SP 1. 


Obtaining other security patches: 

Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site. 

All patches available via WindowsUpdate also are available in a redistributable form 
from the WindowsUpdate Corporate site. 



Other information: 


Support: 

Microsoft Knowledge Base article Q323889 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches. 


Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 


Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In no 
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits or 
special damages, even if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation may not 
apply. 


Revisions: 

V1.0 (June 11, 2002): Bulletin Created.
V2.0 (June 14, 2002): Bulletin updated to include patch availability for ISA Server 2000 and Proxy
            Server 2.0 and to correct factual error regarding the efficacy of blocking port 70.  


[***** End Microsoft Security Bulletin MS02-027 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-078: Sun Heap Overflow in Cachefs Daemon (cachefsd)
M-079: Format String Vulnerability in ISC DHCPD
M-080: SGI IRIX fsr_xfs Vulnerability
M-081: SSHD "AllowedAuthentications" Vulnerability
M-082: Microsoft Cumulative Patch for Internet Explorer
M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability
M-085: IMAP Partial Mailbox Attribute Buffer Overflow Vulnerability
M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability
