[NT] Buffer Overflow in MSIE Gopher Code

From: support@securiteam.com
Date: 06/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  9 Jun 2002 20:43:08 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Buffer Overflow in MSIE Gopher Code
------------------------------------------------------------------------

SUMMARY

Gopher is a protocol developed at the University of Minnesota in the early
1990s. Gopher servers offer hierarchically organized directories and
files. Together these form a "gopherspace", which can be thought of as the
predecessor of the World Wide Web. Gopher was largely abandoned soon after
HTTP and the World Wide Web started gaining popularity.

Microsoft Internet Explorer has a built-in gopher client. Gopher pages are
accessed via URLs starting with "gopher://". The code in IE that parses
gopher replies contains an exploitable buffer overflow. A malicious server
can use it to run arbitrary code on an IE user's system.

DETAILS

When the overflow is triggered, a fixed-size buffer on the stack is
overwritten with data from the gopher server. The data can contain almost
any octet value from 0 to 255, including nulls, which makes it
particularly easy to place working shellcode in it. This is a traditional,
trivially exploitable stack buffer overflow. A test exploit has been used
successfully to run arbitrary code without user intervention on various
IE versions and systems, including IE 5.5 and 6.0.

The attack can be launched via a web page or an HTML mail message that
redirects the user to a malicious gopher server when the victim views it.
The server can be minimal, i.e. a program that listens on a TCP port and
writes a block of data; a fully functional gopher server is not needed to
carry out the attack.
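The bug class described above, as an added example: this is not IE's code and not part of the advisory. It shows a toy parser for gopher menu lines (RFC 1436: type byte, display text, selector, host and port separated by tabs, list ended by ".\r\n") that copies a server-chosen number of bytes into a fixed-size stack buffer, next to a bounds-checked version, and a routine that produces the kind of data block a minimal hostile server would write. The buffer size DISPLAY_MAX, the function names and the sample reply are constructed for the illustration and say nothing about IE's real buffer sizes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Gopher menu reply (RFC 1436): one item per line,
 *   <type><display>\t<selector>\t<host>\t<port>\r\n
 * terminated by ".\r\n". DISPLAY_MAX is a size chosen for this
 * illustration, not IE's real buffer size. */
#define DISPLAY_MAX 64

/* Bytes in the display field, which starts at line[1] and runs to the
 * first TAB, CR or LF (or to the end of the data). NUL is not a
 * terminator, so a reply may carry zero bytes, as the advisory notes. */
static size_t display_field_len(const unsigned char *line, size_t len)
{
    size_t i;
    if (len < 2)
        return 0;
    for (i = 1; i < len; i++) {
        if (line[i] == '\t' || line[i] == '\r' || line[i] == '\n')
            break;
    }
    return i - 1;
}

/* The vulnerable pattern (illustrative, not IE's code): the copy length
 * is dictated by the server, the destination is a fixed-size buffer on
 * the stack, and memcpy copies nulls too. Calling this with a display
 * field longer than DISPLAY_MAX overwrites the stack; it is here only to
 * be read beside the checked version. */
int parse_display_unchecked(const unsigned char *line, size_t len,
                            char *out, size_t out_sz)
{
    char buf[DISPLAY_MAX];
    size_t n = display_field_len(line, len);

    memcpy(buf, line + 1, n);        /* no bound on n: this is the overflow */
    if (n >= out_sz)
        return -1;                   /* too late, buf has already been overrun */
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

/* Hardened form: bound the copy before touching the stack buffer and
 * treat an over-long field as a protocol error, so a reply from a
 * hostile server is rejected instead of parsed. */
int parse_display_checked(const unsigned char *line, size_t len,
                          char *out, size_t out_sz)
{
    char buf[DISPLAY_MAX];
    size_t n = display_field_len(line, len);

    if (n >= sizeof buf || n >= out_sz)   /* keep room for the NUL */
        return -1;
    memcpy(buf, line + 1, n);
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

/* The block of data a minimal hostile "server" would write: one directory
 * item whose display field is display_len copies of fill, followed by the
 * end-of-menu marker. Returns the reply length, or 0 if cap is too small. */
size_t build_reply(unsigned char *reply, size_t cap,
                   size_t display_len, unsigned char fill)
{
    static const char tail[] = "\tselector\tlocalhost\t70\r\n.\r\n";
    size_t tail_len = sizeof tail - 1;
    size_t total = 1 + display_len + tail_len;

    if (total > cap)
        return 0;
    reply[0] = '1';                   /* item type 1: directory */
    memset(reply + 1, fill, display_len);
    memcpy(reply + 1 + display_len, tail, tail_len);
    return total;
}

int main(void)
{
    unsigned char reply[1024];
    char display[DISPLAY_MAX];
    size_t len;

    /* A normal menu line: both parsers return the 20-byte display text. */
    len = build_reply(reply, sizeof reply, 20, 'A');
    printf("benign: checked=%d unchecked=%d display=\"%s\"\n",
           parse_display_checked(reply, len, display, sizeof display),
           parse_display_unchecked(reply, len, display, sizeof display),
           display);

    /* A hostile line: 600 NUL bytes where the display text belongs. The
     * checked parser rejects it; the unchecked one would overrun buf. */
    len = build_reply(reply, sizeof reply, 600, 0);
    printf("hostile: checked=%d\n",
           parse_display_checked(reply, len, display, sizeof display));
    return 0;
}
```

The checked version fails closed: an over-long field returns an error before a single byte reaches the stack buffer, whereas the unchecked version can only notice the problem after the damage is done. A real client should drop the connection on that error rather than silently truncate, since a server sending over-long fields is either broken or hostile.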

The attacker could do anything the logged-on user can do on the system:
read, install or remove files, upload and run programs, and so on.

Workaround:
Internet Explorer users can protect themselves from the flaw by disabling
the gopher protocol. Very few gopher servers remain on the Internet
today, so this is unlikely to cause problems. If needed, a dedicated
gopher client or another web browser can be used to access gopherspace.

An easy way to stop Internet Explorer from processing and displaying
gopher pages is to define a non-functional gopher proxy in Internet
Options. Select Tools -> Internet Options -> Connections. Click "LAN
settings". Check "Use a proxy server for your LAN". Click "Advanced...".
Here you can define proxy servers for the individual protocols. In the
Gopher field enter "localhost", and "1" in the port field. Nothing is
expected to be listening on that port, so every gopher request fails at
connection time and no server reply ever reaches the vulnerable parser.
If you connect through a dial-up entry rather than the LAN, apply the same
proxy setting in that connection's own settings on the Connections tab.

After installing the patch from Microsoft, you can remove the gopher
proxy setting (or restore the values it had before).

For more information and a vulnerability test see:
http://www.solutions.fi

Vendor status:
Microsoft was contacted on May 20. At the time of writing, Microsoft has
started designing and coding a fix but has not given any estimate of when
it will be released. When completed, the patch will be available at:
http://www.microsoft.com/technet/security/current.asp

ADDITIONAL INFORMATION

The information has been provided by Jouko Pynnonen (jouko@solutions.fi).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


