Just for your information and security...
 
Mit freundlichen Grüßen, with best regards
 
Daniel Richardy
 
________European Witango Mainland Distributor __________
 
SoftDes GmbH - St. Georgener Strasse 13 - D 79111 Freiburg
Web:   www.softdes.de                 Mail: [EMAIL PROTECTED]
Phone: +49 - 761 - 4 555 666          Fax:  +49 - 761 - 4 555 660
_________________ www.witango.net ___________________
 

Buffer overflow in Microsoft Internet Explorer gopher code

OVERVIEW

Gopher is a protocol developed at the University of Minnesota in the early 1990s. Gopher servers offer hierarchically organized directories and files. These form a "gopherspace" which can be thought of as the predecessor of the World Wide Web. Gopher was mostly abandoned soon after HTTP and the World Wide Web started gaining popularity.

Microsoft Internet Explorer has a built-in gopher client. Gopher pages can be accessed via URLs starting with "gopher://". The code in IE that parses gopher replies contains an exploitable buffer overflow. A malicious server may be used to run arbitrary code on an IE user's system.

DETAILS

When the overflow is triggered, a fixed-size buffer on the stack is overwritten with data from the gopher server. This data can contain most octets from 0 to 255 (also nulls), which makes it particularly easy to inject working shellcode. This is a traditional, trivially exploitable buffer overflow. A test exploit has been successfully used to run arbitrary code without user intervention on various IE versions and systems, including IE 5.5 and 6.0.

The attack can be launched via a web page or an HTML mail message which redirects the user to a malicious gopher server when the victim views it. The server can be very minimal, i.e. a program that can listen on a TCP port and write a block of data; a fully operational gopher server isn't necessary in order to carry out the attack.

The attacker could do anything that the user running IE could do on the system: retrieve, install or remove files, upload and run programs, etc.

Full technical details aren't disclosed at this time to prevent exploitation.

WORKAROUND

Internet Explorer users can protect themselves from the flaw by disabling the gopher protocol. Very few gopher servers exist on the Internet today, so this is unlikely to cause problems. If needed, a dedicated gopher client or another web browser can be used to access the gopherspace.

An easy way to disable processing and displaying gopher pages is to define a non-functional gopher proxy in Internet Options. Select Tools -> Internet options -> Connections. Click on "LAN settings". Check "Use a proxy server for your LAN". Click on "Advanced...". Here you can define proxy servers to be used with different protocols. Go to the Gopher text field and enter "localhost", and "1" in the port text field. This will stop Internet Explorer from fetching any gopher documents.

Dialup users can find the proxy settings by selecting a dialup connection under "Dialup settings" and clicking "Settings...".

If you have "Use automatic configuration script" or "Automatically detect settings" checked, you may have to consult your network administrator for the detailed instructions on how to define a gopher proxy.

After installing the patch from Microsoft you can remove these gopher proxy settings (or restore them to values they had before).
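The same workaround can be applied without clicking through the dialogs. The following PowerShell script is an added example and is not part of the original advisory or of Microsoft's guidance; it assumes the standard location of the per-user Internet Explorer proxy settings (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, values ProxyEnable and ProxyServer), where the "Advanced..." dialog stores its per-protocol entries as "protocol=host:port" pairs separated by semicolons. The script saves the current values to a backup file of its own choosing, adds the non-functional gopher proxy "localhost:1" while leaving the other protocols as they were, and can restore the original values once the patch is installed.

```powershell
# Added example, not from the original advisory. Registry equivalent of
# Tools -> Internet Options -> Connections -> LAN settings -> Advanced...
# Assumption: IE keeps the current user's proxy settings under this key.
$Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# Assumption: backup file location chosen for this example.
$Backup = Join-Path $env:USERPROFILE 'ie-proxy-before-gopher-workaround.xml'

function Disable-GopherInIE {
    # Keep the old values so they can be put back after the Microsoft patch.
    $current = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        ProxyEnable = $current.ProxyEnable
        ProxyServer = $current.ProxyServer
    } | Export-Clixml -Path $Backup

    # ProxyServer is either one "host:port" (same proxy for all protocols)
    # or a list of "proto=host:port" pairs. Protocols missing from the list
    # connect directly, so adding only a gopher entry leaves HTTP untouched.
    $entries = [ordered]@{}
    if ($current.ProxyServer) {
        foreach ($part in ($current.ProxyServer -split ';')) {
            if ($part -match '^(\w+)=(.+)$') {
                $entries[$matches[1]] = $matches[2]
            } elseif ($part) {
                # Single-proxy form: spell it out per protocol so the
                # gopher entry can differ from the rest.
                foreach ($proto in 'http', 'https', 'ftp') { $entries[$proto] = $part }
            }
        }
    }

    # Point gopher at a port nothing listens on, as in the advisory.
    $entries['gopher'] = 'localhost:1'
    $value = ($entries.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'

    Set-ItemProperty -Path $Key -Name ProxyServer -Value $value
    Set-ItemProperty -Path $Key -Name ProxyEnable -Value 1 -Type DWord
    Write-Output "ProxyServer is now: $value"
}

function Restore-IEProxy {
    # Undo the workaround using the values saved by Disable-GopherInIE.
    $saved = Import-Clixml -Path $Backup
    if ($null -eq $saved.ProxyServer) {
        Remove-ItemProperty -Path $Key -Name ProxyServer -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Key -Name ProxyServer -Value $saved.ProxyServer
    }
    $enable = if ($null -eq $saved.ProxyEnable) { 0 } else { [int]$saved.ProxyEnable }
    Set-ItemProperty -Path $Key -Name ProxyEnable -Value $enable -Type DWord
}

# Usage: run Disable-GopherInIE now, Restore-IEProxy after patching.
Disable-GopherInIE
```

Close and reopen Internet Explorer after running it so the new settings are picked up, then use the test link below to confirm gopher documents no longer load. As with the manual procedure, this does not cover connections configured through an automatic configuration script or "Automatically detect settings"; those have to be changed where the script is served.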

To test whether your browser shows gopher documents, try this link: gopher://www.solutions.fi:7000/0. If you get a text document and use Internet Explorer, you should follow the advice above to get protected from the vulnerability. If you get an error from IE saying the page can't be displayed, then you're probably safe.

VENDOR STATUS

Microsoft was contacted on May 20th (US time). At the moment of writing this advisory, Microsoft has started designing and coding a fix, but hasn't given any estimate of when it will be released. The patch will be available at

http://www.microsoft.com/technet/security/current.asp

when it is completed.
