__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

         MS Unchecked Buffer in Gopher Protocol Handler
            [Microsoft Security Bulletin MS02-027]

June 13, 2002 18:00 GMT                                    Number M-088
                                                   [Revised 18 June 2002]
______________________________________________________________________________

PROBLEM:       There is an unchecked buffer in a piece of code which handles
               the response from Gopher servers. This code is used
               independently in IE, ISA, and Proxy Server.

PLATFORM:      Any operating system running:
               * Microsoft Internet Explorer
               * Microsoft Proxy Server 2.0
               * Microsoft ISA Server 2000

DAMAGE:        In the case of ISA and Proxy servers, the vulnerability can be
               used to gain LocalSystem level access. In the case of IE, the
               vulnerability can be used to run code in the user's security
               context.

SOLUTION:      Disable the Gopher protocol (see 'Frequently asked questions'
               online for details). Patches are under development.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. The assessment is based on the types of
ASSESSMENT:    systems affected by the vulnerability, their typical deployment
               patterns, and the effect that exploiting the vulnerability
               would have on them.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-088.shtml
 ORIGINAL BULLETIN:  http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027
 PATCHES:
   - 18 June, 2002 - Microsoft ISA Server 2000
     http://www.microsoft.com/downloads/release.asp?ReleaseID=39856
   - 18 June, 2002 - Microsoft Proxy Server 2.0
     http://www.microsoft.com/downloads/release.asp?ReleaseID=39861
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-027 *****]

Microsoft Security Bulletin MS02-027

Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's
Choice (Q323889)

Originally posted: June 11, 2002

Summary

Who should read this bulletin: Customers using Microsoft(r) Internet
Explorer; System administrators running Microsoft Internet Security and
Acceleration (ISA) Server 2000 or Microsoft Proxy Server 2.0.

Impact of vulnerability: Run Code of Attacker's Choice.

Maximum Severity Rating: Critical

Recommendation: Customers should implement the workaround detailed in the
FAQ.

Affected Software:
  Microsoft Internet Explorer
  Microsoft Proxy Server 2.0
  Microsoft ISA Server 2000

Technical details

Technical description:

On June 11, 2002, Microsoft released the original version of this bulletin.
In it, we detailed a work-around procedure that customers could implement to
protect themselves against a publicly disclosed vulnerability. An updated
version of this bulletin was rereleased on June 14, 2002 to announce the
availability of patches for Proxy Server 2.0 and ISA Server 2000 and to
advise customers that the work-around procedure is no longer needed on those
platforms. Patches for IE are forthcoming and this bulletin will be
re-released to announce their availability.

The Gopher protocol is a legacy protocol that provides for the transfer of
text-based information across the Internet. Information on Gopher servers is
hierarchically presented using a menu system, and multiple Gopher servers can
be linked together to form a collective "Gopherspace".

There is an unchecked buffer in a piece of code which handles the response
from Gopher servers. This code is used independently in IE, ISA, and Proxy
Server. A security vulnerability results because it is possible for an
attacker to attempt to exploit this flaw by mounting a buffer overrun attack
through a specially crafted server response.

The attacker could seek to exploit the vulnerability by crafting a web page
that contacted a server under the attacker's control. The attacker could then
either post this page on a web site or send it as an HTML email. When the
page was displayed and the server's response received and processed, the
attack would be carried out.

A successful attack requires that the attacker be able to send information to
the intended target using the Gopher protocol. Anything which inhibited
Gopher connectivity could protect against attempts to exploit this
vulnerability. In the case of IE, the code would be run in the user's
context. As a result, any limitations on the user would apply to the
attacker's code as well.

Mitigating factors:

  - A successful attack requires that the attacker's server be able to
    deliver information to the target using the Gopher protocol. Customers
    who block Gopher at the perimeter would be protected against attempts to
    exploit this vulnerability across the Internet.
  - In the case of IE, code would run in the security context of the user.
    As a result, any limitations on the user's ability would also restrict
    the actions an attacker's code could take.
  - A successful attack against ISA and Proxy servers would require that the
    malicious response be received by the web proxy service. In practical
    terms, this means that a proxy client would have to submit the initial
    request through the proxy server.
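The bulletin names the bug class (a fixed buffer filled from a server-controlled Gopher response without a length check) but does not publish the handler's code, so the following is an added illustration written for this page; it is not Microsoft's code and does not reflect the actual internals of IE, ISA Server or Proxy Server. It parses one Gopher menu line (item type, display string, selector, host and port, tab-separated as the Gopher protocol defines them) into fixed-size fields and rejects any field that would not fit, which is the check whose absence the bulletin reports. The field size, the function names and the sample response lines are all assumptions constructed for the example.

```c
/* Added example: a bounds-checked parser for Gopher menu lines.  Not the code
 * from the bulletin; GOPHER_FIELD_MAX, the names and the demo data are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GOPHER_FIELD_MAX 256            /* assumed field size for the example */

struct gopher_item {
    char type;                          /* item type, e.g. '0' file, '1' menu */
    char display[GOPHER_FIELD_MAX];
    char selector[GOPHER_FIELD_MAX];
    char host[GOPHER_FIELD_MAX];
    int  port;
};

/* Copy one tab-delimited field from src into dst, never writing past dstsz.
 * Returns bytes consumed, or -1 if the field would overflow dst.  An
 * "unchecked buffer" is this same loop with the dstsz test missing: it stops
 * only where the server put the tab, so an overlong field overruns dst. */
static int copy_field(char *dst, size_t dstsz, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && src[i] != '\t' &&
           src[i] != '\r' && src[i] != '\n') {
        if (i + 1 >= dstsz)             /* keep room for the terminator */
            return -1;                  /* reject; do not truncate silently */
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* Parse "<type><display>\t<selector>\t<host>\t<port>[\r\n]".
 * Returns 0 on success, -1 on malformed or oversized input. */
int parse_gopher_menu_line(const char *line, struct gopher_item *out)
{
    const char *p = line;
    char portbuf[8];
    char *end;
    long port;
    int n;

    if (line == NULL || out == NULL || *p == '\0' || *p == '\t')
        return -1;
    out->type = *p++;
    if ((n = copy_field(out->display, sizeof out->display, p)) < 0) return -1;
    p += n; if (*p++ != '\t') return -1;
    if ((n = copy_field(out->selector, sizeof out->selector, p)) < 0) return -1;
    p += n; if (*p++ != '\t') return -1;
    if ((n = copy_field(out->host, sizeof out->host, p)) < 0) return -1;
    p += n; if (*p++ != '\t') return -1;
    if ((n = copy_field(portbuf, sizeof portbuf, p)) <= 0) return -1;
    port = strtol(portbuf, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535) return -1;
    out->port = (int)port;
    return 0;
}

/* Walk a whole server response, counting lines that parse cleanly and lines
 * that are rejected.  Stops at the "." line that terminates a Gopher menu. */
void check_gopher_response(const char *resp, int *accepted, int *rejected)
{
    struct gopher_item it;
    char linebuf[2048];
    *accepted = *rejected = 0;
    while (*resp != '\0') {
        size_t len = strcspn(resp, "\n");
        if (resp[0] == '.' && (len == 1 || (len == 2 && resp[1] == '\r')))
            break;
        if (len >= sizeof linebuf) {
            (*rejected)++;              /* oversized line: never copied at all */
        } else {
            memcpy(linebuf, resp, len);
            linebuf[len] = '\0';
            if (parse_gopher_menu_line(linebuf, &it) == 0) (*accepted)++;
            else (*rejected)++;
        }
        resp += len;
        if (*resp == '\n') resp++;
    }
}

/* Constructed demo response (not from any real server): two good lines and
 * one with a non-numeric port. */
static const char DEMO_RESPONSE[] =
    "1About this server\t/about\tgopher.example.org\t70\r\n"
    "0Readme\t/readme.txt\tgopher.example.org\t70\r\n"
    "1Broken port\t/x\tgopher.example.org\tabc\r\n"
    ".\r\n";

int demo_valid_line_port(void)          /* returns 70 from the first line */
{
    struct gopher_item it;
    if (parse_gopher_menu_line(DEMO_RESPONSE, &it) != 0) return -1;
    return it.port;
}

int demo_oversized_host_rejected(void)  /* 1 if the long host is rejected */
{
    struct gopher_item it;
    char line[GOPHER_FIELD_MAX * 2];
    int n = snprintf(line, sizeof line, "1x\t/\t");
    memset(line + n, 'A', GOPHER_FIELD_MAX + 10);   /* host longer than field */
    n += GOPHER_FIELD_MAX + 10;
    snprintf(line + n, sizeof line - n, "\t70");
    return parse_gopher_menu_line(line, &it) != 0;
}

int demo_response_accepted(void) { int a, r; check_gopher_response(DEMO_RESPONSE, &a, &r); return a; }
int demo_response_rejected(void) { int a, r; check_gopher_response(DEMO_RESPONSE, &a, &r); return r; }
```

The point of the example is the return value of copy_field: a field that does not fit is reported and the whole line dropped, instead of being written past the end of the struct. Applying the same check in a proxy's web proxy service, before anything is copied, removes the server's ability to choose how much is written, whatever port the Gopher server answers on.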
Severity Rating:

                           Internet Servers   Intranet Servers   Client Systems
  Internet Explorer 5.01   Moderate           Moderate           Critical
  Internet Explorer 5.5    Moderate           Moderate           Critical
  Internet Explorer 6.0    Moderate           Moderate           Critical
  Proxy Server 2.0         Critical           Critical           None
  ISA Server 2000          Critical           Critical           None

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. In the case of ISA and Proxy
servers, the vulnerability can be used to gain LocalSystem level access. In
the case of IE, the vulnerability can be used to run code in the user's
security context.

Vulnerability identifier: CAN-2002-0371

Tested Versions:

Microsoft tested ISA Server 2000 and Microsoft Proxy Server 2.0 to assess
whether they are affected by these vulnerabilities. Previous versions are no
longer supported, and may or may not be affected by these vulnerabilities.

The following table indicates which of the currently supported versions of
Internet Explorer are affected by the vulnerabilities. Versions of IE prior
to 5.01 Service Pack 2 are no longer eligible for hotfix support. IE 5.01 SP2
is supported only via Windows(r) 2000 Service Packs and Security Roll-up
Packages.

                 Buffer Overrun in Gopher Protocol Handler (CVE-CAN-2002-0371)
  IE 5.01 SP2    Yes
  IE 5.5 SP1     Yes
  IE 5.5 SP2     Yes
  IE 6.0         Yes

Patch availability

Download locations for this patch:
  - ISA Server 2000:
    http://www.microsoft.com/downloads/release.asp?ReleaseID=39856
  - Proxy Server 2.0:
    http://www.microsoft.com/downloads/release.asp?ReleaseID=39861
  - Internet Explorer: Patches are under development and will be posted as
    soon as they are completed.

Additional information about this patch

Installation platforms:
  - The ISA Server 2000 patch can be installed on systems running ISA Server
    2000 SP1.
  - The Proxy Server 2.0 patch can be installed on systems running Proxy
    Server 2.0 SP 1.

Obtaining other security patches:

Patches for other security issues are available from the following locations:
  - Security patches are available from the Microsoft Download Center, and
    can be most easily found by doing a keyword search for "security_patch".
  - Patches for consumer platforms are available from the WindowsUpdate web
    site.
  - All patches available via WindowsUpdate also are available in a
    redistributable form from the WindowsUpdate Corporate site.

Other information:

Support:
  - Microsoft Knowledge Base article Q323889 discusses this issue and will be
    available approximately 24 hours after the release of this bulletin.
    Knowledge Base articles can be found on the Microsoft Online Support web
    site.
  - Technical support is available from Microsoft Product Support Services.
    There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:
  - V1.0 (June 11, 2002): Bulletin Created.
  - V2.0 (June 14, 2002): Bulletin updated to include patch availability for
    ISA Server 2000 and Proxy Server 2.0 and to correct factual error
    regarding the efficacy of blocking port 70.

[***** End Microsoft Security Bulletin MS02-027 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-078: Sun Heap Overflow in Cachefs Daemon (cachefsd)
M-079: Format String Vulnerability in ISC DHCPD
M-080: SGI IRIX fsr_xfs Vulnerability
M-081: SSHD "AllowedAuthentications" Vulnerability
M-082: Microsoft Cumulative Patch for Internet Explorer
M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability
M-085: IMAP Partial Mailbox Attribute Buffer Overflow Vulnerability
M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability