Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (323889)


The information in this article applies to:

  • Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 2
  • Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 2
  • Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 1
  • Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 2
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 1
  • Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 2
  • Microsoft Internet Explorer 5.5 for Windows 98 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 98 SP 2
  • Microsoft Internet Explorer 5.5 for Windows 95 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 95 SP 2
  • Microsoft Internet Explorer 5.5 for Windows 2000 SP 1
  • Microsoft Internet Explorer 5.5 for Windows 2000 SP 2
  • Microsoft Internet Explorer 5.01 for Windows 2000 SP 1
  • Microsoft Internet Explorer 5.01 for Windows 2000 SP 2
  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Internet Security and Acceleration Server 2000 SP1
  • Microsoft Proxy Server 2.0
  • Microsoft Internet Explorer version 6 for Windows XP
  • Microsoft Internet Explorer version 6 for Windows 2000
  • Microsoft Internet Explorer version 6 for Windows NT 4.0
  • Microsoft Internet Explorer version 6 for Windows Millennium Edition
  • Microsoft Internet Explorer version 6 for Windows 98 Second Edition
  • Microsoft Internet Explorer version 6 for Windows 98
This article was previously published under Q323889

SYMPTOMS

A problem may occur on an Internet Security and Acceleration (ISA) Server-based or Proxy Server 2.0-based computer during the processing of Internet Gopher protocol requests. A typical Gopher request may look similar to this:

gopher://gopher.example.com:70/11/example%09%09%2b

When a malicious request is received, the ISA Server-based or Proxy Server 2.0-based computer may send back a response that is not valid, generate an access violation error message, and stop providing services.

A successful attack against the ISA Server-based or Proxy Server 2.0-based computer requires a malicious Gopher request. This request must originate from a valid user who is permitted by the firewall policy and that is received by the Web Proxy service. This means that a valid client would have to submit the initial request.

CAUSE

The vulnerability results because of an unchecked buffer in the code. This code handles information that is returned from a server by using the Gopher protocol. By configuring a Gopher server to return information in a particular manner in response to requests, an attacker might attempt to overflow the buffer and load code on the computer.

RESOLUTION

ISA Server

You must install ISA Server Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about how to obtain the latest ISA Server service pack, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

The following file is available for download from the Microsoft Download Center:

Download Isahf177.exe now.

To install the fix, run the self-extracting file. You do not need to restart the ISA Server computer. If the computer is part of an ISA Server array, you do not need to shut the whole array down; you can still install this fix on a one-by-one basis.

The English version of the ISA Server fix should have the following file attributes or later:
   Date         Time   Version       Size     File name
   ------------------------------------------------------
   11-Jun-2002  13:08  3.0.1200.177  30,992   W3pinet.dll
This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.

Release Date: June 14, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Proxy Server 2.0

You must install Proxy Server 2.0 Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about Proxy Server 2.0 SP1, click the article number below to view the article in the Microsoft Knowledge Base:

238375 Proxy Server 2.0 Service Pack 1: List of Fixes

The following file is available for download from the Microsoft Download Center:

Download 29106_ENU_i386_zip.exe now.


The English version of the Proxy Server 2.0 fix should have the following file attributes or later:
   Date         Time   Version       Size     File name
   ------------------------------------------------------
   11-Jun-2002  09:09  2.0.390.16    37,136   W3pinet.dll
This fix also applies to the French, German, Spanish, and Japanese versions of Proxy Server 2.0.


Release Date: June 14, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.



WORKAROUND

Workarounds exist for:
  • Internet Explorer
  • ISA Server-based computers
  • ISA Server-based arrays
  • Multiple ISA Server-based arrays
  • Proxy 2.0 Server-based computers
For step-by-step instructions for these workarounds, please view the "Frequently asked questions" section of the following security bulletin:

Microsoft Security Bulletin MS02-027

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Successfully exploiting the vulnerability requires that the intended target be able to receive information from an attacker's server by using the Gopher protocol. Anything that prevents this access, such as blocking the Gopher protocol or blocking access to the attacker's server, would have the effect of preventing attempts to exploit this vulnerability. Because of this, this vulnerability does not affect the default installation of ISA Server.

The Gopher protocol is an earlier protocol that provides for the transfer of text-based information across the Internet. Information on Gopher servers is hierarchically presented by using a menu system, and multiple Gopher servers can be linked together to form a collective "Gopherspace". More information about this protocol is included in Request for Comments number 1436.

For more information about this vulnerability, please view the following security bulletin:

Microsoft Security Bulletin MS02-027

Modification Type:MajorLast Reviewed:3/15/2006
Keywords:kbHotfixServer kbQFE ATdownload kbbug kbenv kbfix kbQFE KB323889
©2004 Microsoft Corporation. All rights reserved.