SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Browser)  >  Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer Buffer Overflow in Processing Gopher Protocol Responses Allows Remote Users to Execute Code on the Victim's Computer
SecurityTracker Alert ID:  1004464
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 5 2002
Impact:  Execution of arbitrary code via network, User access via network
Version(s): 5.5, 6
Description:  A buffer overflow vulnerability was reported in Microsoft's Internet Explorer web browser. A remote user can create HTML that, when loaded by the target (victim) user, redirects the browser to a malicious Gopher server, which in turn supplies a specially crafted response that executes arbitrary code on the target user's system.

A vulnerability was reported in Microsoft Internet Explorer's built-in gopher client. The code that parses responses from Gopher servers apparently contains a buffer overflow.

A malicious Gopher server can, when contacted by the target user, send a specially crafted response to trigger the buffer overflow and cause arbitrary code to be executed on the target user's computer. The code would execute with the privileges of the target user.

The vendor has reportedly been notified.

Impact:  A remote user can create HTML that, when loaded by the target user's IE browser, will direct IE to automatically visit a malicious Gopher server. The malicious Gopher server can then cause arbitrary code to be executed on the target user's system. This could give the remote user access to the target user's system.
Solution:  No solution was available at the time of this entry.

The author of the report (Online Solutions) indicates that Internet Explorer users can disable the gopher protocol. This can reportedly be achieved by defining a non-functional gopher proxy in Internet Options. To do this, select Tools -> Internet options -> Connections and then click on "LAN settings". Check the box marked "Use a proxy server for your LAN" and then click on "Advanced...". In the Gopher text field, enter "localhost", and in the port text field, enter "1". According to the report, this will prevent IE from retrieving any gopher documents.

After installing the pending patch from Microsoft, these temporary gopher proxy settings can be removed.
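The workaround above is a GUI procedure, so an administrator auditing many machines wants a way to recognise the resulting setting. The following C program is an added example; it is not part of this SecurityTracker entry and not the advisory author's code. It assumes (an assumption, not stated on the page) that Internet Explorer keeps the "LAN settings" proxies in the registry value ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, either as a single "host:port" used for every protocol or as a ';'-separated list of "protocol=host:port" entries, switched on by ProxyEnable = 1. The function names and the proxy strings are constructed for the example.

```c
/* Added example, not from the SecurityTracker entry or the advisory.
 * Checks whether an IE "LAN settings" proxy value contains the non-functional
 * gopher proxy (localhost, port 1) the workaround describes, and builds the
 * corrected value from a weak one.
 *
 * Assumptions (not from the page): the ProxyServer registry value is either
 * "host:port" (one proxy for all protocols) or a ';'-separated list of
 * "protocol=host:port" entries, and ProxyEnable = 1 switches it on.
 * All strings here are constructed samples, not values read from a machine. */
#include <stdio.h>
#include <string.h>

#define GOPHER_BLOCK "gopher=localhost:1"   /* the entry the workaround asks for */

/* Copy the value of the "proto=" entry from a ';'-separated list into `out`.
 * Returns 1 if found, 0 if absent, -1 if the value does not fit in `out`. */
static int proxy_entry(const char *list, const char *proto, char *out, size_t outlen)
{
    size_t plen = strlen(proto);
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > plen && strncmp(p, proto, plen) == 0 && p[plen] == '=') {
            size_t vlen = len - plen - 1;
            if (vlen >= outlen) return -1;          /* bounded copy: refuse oversized values */
            memcpy(out, p + plen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* 1 if gopher requests are routed to localhost:1 (the workaround is in place),
 * 0 otherwise. A single "host:port" proxy for all protocols only counts if
 * that proxy itself is localhost:1. */
int gopher_proxy_blocked(const char *proxy_server, int proxy_enable)
{
    char value[128];
    if (!proxy_enable || proxy_server == NULL) return 0;
    if (strchr(proxy_server, '=') == NULL)
        return strcmp(proxy_server, "localhost:1") == 0;
    if (proxy_entry(proxy_server, "gopher", value, sizeof value) != 1) return 0;
    return strcmp(value, "localhost:1") == 0;
}

/* Build the corrected ProxyServer value: keeps the existing per-protocol
 * entries, drops any old gopher entry and appends gopher=localhost:1.
 * Returns NULL for the single-proxy form (every protocol would have to be
 * spelled out) or if the result would not fit. Uses a static buffer. */
const char *gopher_hardened_proxy(const char *existing)
{
    static char out[512];
    size_t used = 0;
    if (existing == NULL || *existing == '\0') return GOPHER_BLOCK;
    if (strchr(existing, '=') == NULL) return NULL;
    for (const char *p = existing; *p; ) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (!(len >= 7 && strncmp(p, "gopher=", 7) == 0)) {
            if (used + len + 1 + strlen(GOPHER_BLOCK) + 1 > sizeof out) return NULL;
            memcpy(out + used, p, len);
            used += len;
            out[used++] = ';';
        }
        p = end ? end + 1 : p + len;
    }
    memcpy(out + used, GOPHER_BLOCK, strlen(GOPHER_BLOCK) + 1);
    return out;
}

int main(void)
{
    const char *weak = "http=proxy.corp.example:8080";   /* constructed: gopher still allowed */
    const char *fixed = gopher_hardened_proxy(weak);
    printf("weak:      %s -> blocked=%d\n", weak, gopher_proxy_blocked(weak, 1));
    printf("corrected: %s -> blocked=%d\n", fixed, gopher_proxy_blocked(fixed, 1));
    return 0;
}
```

The check is deliberately strict: only the exact localhost:1 value the report recommends is treated as the workaround, since any other proxy host may actually forward gopher requests.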

Vendor URL:  www.microsoft.com/technet/security/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Jouko Pynnonen <jouko@solutions.fi>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 12 2002 (Microsoft Issues Workaround) Microsoft Internet Explorer Buffer Overflow in Processing Gopher Protocol Responses Allows Remote Users to Execute Code on the Victim's Computer   (secnotif@microsoft.com)
The vendor has released a workaround.
Aug 23 2002 (Microsoft Issues Fix) Microsoft Internet Explorer Buffer Overflow in Processing Gopher Protocol Responses Allows Remote Users to Execute Code on the Victim's Computer   (secnotif@microsoft.com)
The vendor has released a fix.



Source Message Contents

Date:  Tue, 4 Jun 2002 16:07:34 +0300 (EEST)
From:  Jouko Pynnonen <jouko@solutions.fi>
Subject:  Buffer overflow in MSIE gopher code

 




OVERVIEW
========

Gopher is a protocol developed at the University of Minnesota in the 
early 1990s. Gopher servers offer hierarchically organized directories 
and files. These form a "gopherspace" which can be thought of as the 
predecessor of the World Wide Web. Gopher was mostly abandoned soon after 
HTTP and the World Wide Web started gaining popularity.

Microsoft Internet Explorer has a built-in gopher client. Gopher pages can 
be accessed via URLs starting with "gopher://". The part of code in IE 
which parses gopher replies contains an exploitable buffer overflow 
bug. A malicious server may be used to run arbitrary code on an IE user's 
system.



DETAILS
=======

When the overflow is triggered, a fixed-size buffer on the stack gets 
overwritten with data from the gopher server. This data can contain most 
octets from 0 to 255 (also nulls) which makes it particularly easy to 
inject a working shellcode in it. This is a traditional, trivially 
exploitable buffer overflow. A test exploit has been successfully used to 
run arbitrary code without user intervention with various IE versions and 
systems including IE 5.5 and 6.0.

The attack can be launched via a web page or an HTML mail message which 
redirects the user to a malicious gopher server when the victim views them.
The server can be very minimal, i.e. a program that can listen on a TCP 
port and write a block of data; a fully operational gopher server isn't 
necessary in order to carry out the attack.

The exploiter could do anything that a regular user could do on the 
system: retrieve, install, or remove files, upload and run programs, etc.

Full technical details aren't disclosed at this time to prevent 
exploitation.



WORKAROUND
==========

Internet Explorer users can protect themselves from the flaw by disabling 
the gopher protocol. Barely any gopher servers exist on the Internet 
today, so this is unlikely to cause problems. If needed, a gopher client 
or some other web browser can be used to access the gopherspace.

An easy way to disable processing and displaying gopher pages is to define 
a non-functional gopher proxy in Internet Options. Select Tools -> 
Internet options -> Connections. Click on "LAN settings". Check "Use a 
proxy server for your LAN". Click on "Advanced...". Here you can define 
proxy servers to be used with different protocols. Go to the Gopher text 
field and enter "localhost", and "1" in the port text field. This will 
stop Internet Explorer from fetching any gopher documents.

After installing the patch from Microsoft you can remove these gopher 
proxy settings (or restore them to values they had before).

For more information and a vulnerability test see 

  http://www.solutions.fi




VENDOR STATUS
=============

Microsoft was contacted on May 20th. At the moment of writing this 
advisory, Microsoft has started designing and coding a fix, but hasn't 
given any approximation of when it would be released. The patch will be 
available at

  http://www.microsoft.com/technet/security/current.asp

when it is completed.




-- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi      http://www.solutions.fi    http://www.secmod.com
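The advisory names the bug class (a fixed-size stack buffer filled with server-supplied data that may include NUL bytes) without disclosing where it sits. The C program below is an added example, not the advisory author's code and not Internet Explorer's; it shows the unbounded copy pattern next to a bounded parser for one gopher menu line, assuming the RFC 1436 layout (type character, display string, TAB, selector, TAB, host, TAB, port, CRLF). The 64-byte field limit, the function names and the sample lines are constructed for the example.

```c
/* Added example, not from the advisory and not IE's code: the pattern the
 * advisory describes (server data copied into a fixed-size stack buffer
 * without a length check) beside a bounded gopher menu-line parser.
 * Assumption: RFC 1436 menu line layout
 *   <type><display>TAB<selector>TAB<host>TAB<port>CRLF
 * The sample lines are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 64                     /* constructed limit for each text field */

struct gopher_item {
    char type;
    char display[FIELD_MAX];
    char selector[FIELD_MAX];
    char host[FIELD_MAX];
    int  port;
};

/* The defect class: the copy length comes from the server's line, not from
 * the destination, so a display string longer than FIELD_MAX - 1 bytes writes
 * past `dst` on the caller's stack. Kept only for contrast; never call it on
 * untrusted input. */
void copy_field_unbounded(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Hardened: the length is checked against the destination, and embedded
 * NUL, CR and LF bytes (which the advisory notes a server can send) are
 * rejected instead of silently truncating the field. */
static int copy_field_bounded(char *dst, size_t dstlen, const char *src, size_t len)
{
    if (len >= dstlen) return -1;
    for (size_t i = 0; i < len; i++)
        if (src[i] == '\0' || src[i] == '\r' || src[i] == '\n') return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one menu line of `n` received bytes (`n` is the wire length, not
 * strlen, so NUL bytes inside the data are seen). 0 on success, -1 if the
 * line is rejected. */
int parse_gopher_item(const char *line, size_t n, struct gopher_item *out)
{
    const char *p, *end, *tab;
    char *fields[3];
    long port = 0;

    if (line == NULL || out == NULL || n < 1) return -1;
    memset(out, 0, sizeof *out);
    out->type = line[0];
    p = line + 1;
    end = line + n;
    while (end > p && (end[-1] == '\r' || end[-1] == '\n')) end--;   /* strip CRLF */

    fields[0] = out->display; fields[1] = out->selector; fields[2] = out->host;
    for (int i = 0; i < 3; i++) {
        tab = memchr(p, '\t', (size_t)(end - p));
        if (tab == NULL) return -1;                                    /* fewer than four fields */
        if (copy_field_bounded(fields[i], FIELD_MAX, p, (size_t)(tab - p)) < 0) return -1;
        p = tab + 1;
    }
    /* port: decimal digits up to the next TAB (Gopher+ appends fields) or end of line */
    tab = memchr(p, '\t', (size_t)(end - p));
    if (tab != NULL) end = tab;
    if (p == end) return -1;
    for (; p < end; p++) {
        if (*p < '0' || *p > '9') return -1;
        port = port * 10 + (*p - '0');
        if (port > 65535) return -1;
    }
    if (port == 0) return -1;
    out->port = (int)port;
    return 0;
}

int main(void)
{
    struct gopher_item it;
    const char *ok = "1About this server\tabout\tgopher.example\t70\r\n";   /* constructed */
    if (parse_gopher_item(ok, strlen(ok), &it) == 0)
        printf("accepted: type=%c display=\"%s\" host=%s port=%d\n",
               it.type, it.display, it.host, it.port);
    /* constructed over-long display string: rejected here, whereas
       copy_field_unbounded would have written 119 bytes into a 64-byte field */
    char big[160];
    memset(big, 'A', sizeof big);
    big[0] = '0';
    memcpy(big + 120, "\tsel\thost\t70", 12);
    printf("over-long line: %s\n", parse_gopher_item(big, 132, &it) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The parser takes the received byte count rather than relying on a terminator, which is what makes the NUL-byte case from the advisory visible to the length and content checks.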

Copyright 2002, SecurityGlobal.net LLC