IE Gopher Vulnerability
Results 1 to 7 of 7

Thread: IE Gopher Vulnerability

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    Exclamation IE Gopher Vulnerability

    gopher...gopher...ya you read it right....check out the webopedia link...since many of you were probably wearing diapers when gopher was popular...



    INFORMATION ALERT


    AN EMERGING ISSUE WITH:
    MICROSOFT IE 5.5 AND 6.0 GOPHER ENGINE BUFFER OVERFLOW


    SEVERITY:
    Medium

    DATE:
    June 4, 2002


    SUMMARY:

    In a post to Bugtraq today, Jouko Pynnonen described a buffer
    overflow in Microsoft Internet Explorer (IE) 5.5 and 6's Gopher
    engine. By sending you an HTML e-mail or enticing you to a malicious
    Web site, a hacker could exploit this buffer overflow to run
    malicious code on your machine. There is no direct impact on
    WatchGuard products. Administrators using IE in their network should
    have their clients follow the workaround below until a patch is
    available.


    EXPOSURE:

    Gopher <http://www.webopedia.com/TERM/g/gopher.html> is an old
    system used to organize and display files on the Internet, now
    outdated by HTML Web technology. Although few people use it
    nowadays, IE includes built-in, legacy Gopher support.

    In his advisory <http://online.securityfocus.com/arch...75344/2002-06-
    01/2002-06-07/0>,
    Jouko Pynnonen describes a buffer overflow
    <https://www3.watchguard.com/archive/....asp?pack=1188>
    found in IE 5.5 and 6's Gopher engine. A hacker could send you an
    HTML e-mail or entice you to a Web site that redirects you to his
    malicious Gopher server. The malicious server could then send an
    overly long string that would cause a buffer overflow in IE's Gopher
    engine. A well crafted buffer overflow could execute arbitrary code
    on your system, which may result in the hacker taking control of
    your computer.

    Keep in mind, even if you normally don't use Gopher, the Gopher code
    is present within IE. A hacker could craft this attack in a way that
    you might unknowingly follow a Gopher link from a Web page or HTML
    e-mail, without you realizing you are using Gopher (until it's too
    late).


    SOLUTION PATH:

    Microsoft has not yet released a patch. However, Pynnonen has
    supplied a viable workaround. Defining a non-functional proxy for
    Gopher prevents IE from downloading any Gopher documents. Here's
    how:

    * In Internet Explorer click on Tools => Internet Options =>
    Connections tab.

    * Click the LAN Settings button.

    * Check, "Use a proxy server for your LAN" and then click the
    Advanced button.

    * Under the "Gopher" dialogs, enter 127.0.0.1 as the proxy
    server and 1 as the port.

    * Click Ok three times to return to IE's normal display.

    -- For WatchGuard SOHO Users:

    Gopher traffic passes over TCP port 70. You can use your SOHO to
    egress filter Gopher traffic. From the SOHO management page, click
    the Custom Service link. Input "gopher" as the Service Name and add
    TCP port 70 under Protocol Settings. Press the Submit button at the
    bottom of the page. Next click Outgoing on the left side of the
    page. Scroll down to Custom Services and find your new "gopher"
    service. Change the "gopher" service's Filter to "Deny" and press
    the Submit button at the bottom of the page. This will protect your
    users from this buffer overflow vulnerability. Keep in mind, this
    also prevents your users from accessing normal Gopher documents as
    well.
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    I remeber gopher. That system kicked ass. I think we should dump the internet and go back to using gopher and archie and veronica. I miss the simplicty and the speed.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    I think we should dump the internet and go back to using gopher and archie and veronica. I miss the simplicty and the speed.

    <shameless plug>
    oh...and btw...check out my article in AO Newsletter 3 if you want some more info on what souleman is talking about...
    </shameless plug>
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  4. #4

    Re: IE Gopher Vulnerability

    CodeTek Studios has just released, for free public beta, SafeOffice 1.0 for Windows XP. It is designed to prevent vulnerabilities just like this from being able to cause any damage to your system.

    SafeOffice is able to provide an extra layer of security for people running Internet Explorer, Outlook Express, AOL Instant Messenger, and more. And it will prevent these vulnerabilities from being used by an attacker to corrupt your system or to view your private data, even on an unpatched system.

    For more information, or to try out the beta for free, go to: http://www.codetek.com/php/beta.php

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    talk about shameless plugs...you gonna fork over some cash to JP for that ad?

    fyi...regardless of the value of your product...it is highly inappropriate to post such unsolicited material here...

    i expect you shall be soundly flamed...so i will step aside now...

    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    115
    gopher is umm not really used anymore.. anyways, not like most people are in real danger... just wait out for the patch.. unless its out already.. whatever

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    Keep in mind, even if you normally don't use Gopher, the Gopher code
    is present within IE. A hacker could craft this attack in a way that
    you might unknowingly follow a Gopher link from a Web page or HTML
    e-mail, without you realizing you are using Gopher (until it's too
    late).

    not like most people are in real danger... just wait out for the patch.. unless its out already.. whatever

    hmmm...not a great way to look a security...do you work for microsoft????
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •