Microsoft KB Archive/323889

= Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice =

Article ID: 323889

Article Last Modified on 10/29/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer 5.5 Service Pack 1
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
 * Microsoft Proxy Server 2.0 Standard Edition
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0

-



This article was previously published under Q323889



SYMPTOMS
A problem may occur on an Internet Security and Acceleration (ISA) Server-based or Proxy Server 2.0-based computer during the processing of Internet Gopher protocol requests. A typical Gopher request may look similar to this:

gopher://gopher. .com:70/11/ %09%09%2b

When a malicious request is received, the ISA Server-based or Proxy Server 2.0-based computer may send back a response that is not valid, generate an access violation error message, and stop providing services.

A successful attack against the ISA Server-based or Proxy Server 2.0-based computer requires a malicious Gopher request. This request must originate from a valid user who is permitted by the firewall policy and that is received by the Web Proxy service. This means that a valid client would have to submit the initial request.



CAUSE
The vulnerability results because of an unchecked buffer in the code. This code handles information that is returned from a server by using the Gopher protocol. By configuring a Gopher server to return information in a particular manner in response to requests, an attacker might attempt to overflow the buffer and load code on the computer.



ISA Server
You must install ISA Server Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about how to obtain the latest ISA Server service pack, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

The following file is available for download from the Microsoft Download Center:

Download Isahf177.exe now.

To install the fix, run the self-extracting file. You do not need to restart the ISA Server computer. If the computer is part of an ISA Server array, you do not need to shut the whole array down; you can still install this fix on a one-by-one basis.

The English version of the ISA Server fix should have the following file attributes or later:

  Date         Time   Version       Size     File name --  11-Jun-2002  13:08  3.0.1200.177  30,992   W3pinet.dll This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.

Release Date: June 14, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Proxy Server 2.0
You must install Proxy Server 2.0 Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about Proxy Server 2.0 SP1, click the article number below to view the article in the Microsoft Knowledge Base:

238375 Proxy Server 2.0 Service Pack 1: List of Fixes

The following file is available for download from the Microsoft Download Center:

Download 29106_ENU_i386_zip.exe now.

The English version of the Proxy Server 2.0 fix should have the following file attributes or later:

  Date         Time   Version       Size     File name --  11-Jun-2002  09:09  2.0.390.16    37,136   W3pinet.dll This fix also applies to the French, German, Spanish, and Japanese versions of Proxy Server 2.0.

Release Date: June 14, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.



WORKAROUND
Workarounds exist for:
 * Internet Explorer
 * ISA Server-based computers
 * ISA Server-based arrays
 * Multiple ISA Server-based arrays
 * Proxy 2.0 Server-based computers

For step-by-step instructions for these workarounds, please view the &quot;Frequently asked questions&quot; section of the following security bulletin:

Microsoft Security Bulletin MS02-027



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
Successfully exploiting the vulnerability requires that the intended target be able to receive information from an attacker's server by using the Gopher protocol. Anything that prevents this access, such as blocking the Gopher protocol or blocking access to the attacker's server, would have the effect of preventing attempts to exploit this vulnerability. Because of this, this vulnerability does not affect the default installation of ISA Server.

The Gopher protocol is an earlier protocol that provides for the transfer of text-based information across the Internet. Information on Gopher servers is hierarchically presented by using a menu system, and multiple Gopher servers can be linked together to form a collective &quot;Gopherspace&quot;. More information about this protocol is included in Request for Comments number 1436.

For more information about this vulnerability, please view the following security bulletin:

Microsoft Security Bulletin MS02-027

Additional query words: legacy

Keywords: kbproductlink kbhotfixserver kbqfe atdownload kbbug kbenv kbfix kbqfe KB323889

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.