Alert: Microsoft Security Bulletin - MS02-027
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 06/12/02
Date: Tue, 11 Jun 2002 18:39:51 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)
Originally posted: June 11, 2002
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer; System administrators running Microsoft Internet Security and Acceleration (ISA) Server 2000 or Microsoft Proxy Server 2.0.
Impact of vulnerability: Run Code of Attacker's Choice.
Maximum Severity Rating: Critical
Recommendation: Customers should implement the workaround detailed in the FAQ.
Affected Software:
- Microsoft Internet Explorer
- Microsoft Proxy Server 2.0
- Microsoft ISA Server 2000
Technical description:
This is a work-around bulletin that details steps customers can take to protect themselves against a publicly disclosed vulnerability until patches are available.
The Gopher protocol is a legacy protocol that provides for the transfer of text-based information across the Internet. Information on Gopher servers is hierarchically presented using a menu system, and multiple Gopher servers can be linked together to form a collective "Gopherspace".
There is an unchecked buffer in a piece of code which handles the response from Gopher servers. This code is used independently in IE, ISA, and Proxy Server. A security vulnerability results because it is possible for an attacker to attempt to exploit this flaw by mounting a buffer overrun attack through a specially crafted server response. The attacker could seek to exploit the vulnerability by crafting a web page that contacted a server under the attacker's control. The attacker could then either post this page on a web site or send it as an HTML email. When the page was displayed and the server's response received and processed, the attack would be carried out.
A successful attack requires that the attacker be able to send information to the intended target using the Gopher protocol. Anything which inhibited Gopher connectivity could protect against attempts to exploit this vulnerability. In the case of IE, the code would be run in the user's context. As a result, any limitations on the user would apply to the attacker's code as well.
Mitigating factors:
- A successful attack requires that the attacker's server be able to deliver information to the target using the Gopher protocol. Customers who block Gopher at the perimeter would be protected against attempts to exploit this vulnerability across the Internet.
- In the case of IE, code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions an attacker's code could take.
- A successful attack against ISA and Proxy servers would require that the malicious response be received by the web proxy service. In practical terms, this means that a proxy client would have to submit the initial request through the proxy server.
Vulnerability identifier: CAN-2002-0371
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
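
The bulletin does not say which part of the Gopher server response overruns the buffer. As an added example (not Microsoft's code and not part of the original message), the C parser below handles one Gopher menu line in the RFC 1436 layout (type character, then display string, selector, host and port separated by tabs) and rejects any field that does not fit its destination, which is the length check an unchecked handler omits. The field limits and the names `gopher_item`, `take_field` and `parse_menu_line` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Field limits are assumptions for this example, not values from any product. */
#define DISPLAY_MAX  128
#define SELECTOR_MAX 256
#define HOST_MAX     256

struct gopher_item {
    char type;
    char display[DISPLAY_MAX], selector[SELECTOR_MAX], host[HOST_MAX];
    unsigned port;
};

/* Copy bytes from *p up to the next TAB (or to end, for the last field) into
 * dst. Fails when the field would not fit in cap bytes or a TAB is missing. */
static int take_field(const char **p, const char *end,
                      char *dst, size_t cap, int last)
{
    const char *tab = memchr(*p, '\t', (size_t)(end - *p));
    if (!last && tab == NULL) return -1;
    const char *stop = tab ? tab : end;
    size_t n = (size_t)(stop - *p);
    if (n >= cap) return -1;      /* the bounds check an unchecked copy lacks */
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p = tab ? tab + 1 : end;
    return 0;
}

/* Parse one menu line of len bytes (CRLF already stripped, no NUL needed).
 * Returns 0 on success, -1 on malformed or oversized server input. */
int parse_menu_line(const char *line, size_t len, struct gopher_item *out)
{
    const char *p = line, *end = line + len;
    char portbuf[6], *rest;
    if (len < 2) return -1;
    out->type = *p++;
    if (take_field(&p, end, out->display, sizeof out->display, 0) ||
        take_field(&p, end, out->selector, sizeof out->selector, 0) ||
        take_field(&p, end, out->host, sizeof out->host, 0) ||
        take_field(&p, end, portbuf, sizeof portbuf, 1))
        return -1;
    if (portbuf[0] < '0' || portbuf[0] > '9') return -1;
    unsigned long port = strtoul(portbuf, &rest, 10);
    if (*rest != '\0' || port == 0 || port > 65535) return -1;
    out->port = (unsigned)port;
    return 0;
}
```

The length passed in must be the number of bytes actually received from the server, so the parser never reads past the network buffer regardless of what the response claims.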