gopher...gopher...ya you read it right....check out the webopedia link...since many of you were probably wearing diapers when gopher was popular...



INFORMATION ALERT


AN EMERGING ISSUE WITH:
MICROSOFT IE 5.5 AND 6.0 GOPHER ENGINE BUFFER OVERFLOW


SEVERITY:
Medium

DATE:
June 4, 2002


SUMMARY:

In a post to Bugtraq today, Jouko Pynnonen described a buffer
overflow in Microsoft Internet Explorer (IE) 5.5 and 6's Gopher
engine. By sending you an HTML e-mail or enticing you to a malicious
Web site, a hacker could exploit this buffer overflow to run
malicious code on your machine. There is no direct impact on
WatchGuard products. Administrators using IE in their network should
have their clients follow the workaround below until a patch is
available.


EXPOSURE:

Gopher <http://www.webopedia.com/TERM/g/gopher.html> is an old
system used to organize and display files on the Internet, now
outdated by HTML Web technology. Although few people use it
nowadays, IE includes built-in, legacy Gopher support.

In his advisory
<http://online.securityfocus.com/arch...75344/2002-06-01/2002-06-07/0>,
Jouko Pynnonen describes a buffer overflow
<https://www3.watchguard.com/archive/....asp?pack=1188>
found in IE 5.5 and 6's Gopher engine. A hacker could send you an
HTML e-mail or entice you to a Web site that redirects you to his
malicious Gopher server. The malicious server could then send an
overly long string that would cause a buffer overflow in IE's Gopher
engine. A well-crafted buffer overflow could execute arbitrary code
on your system, which may result in the hacker taking control of
your computer.

Keep in mind, even if you normally don't use Gopher, the Gopher code
is present within IE. A hacker could craft this attack in a way that
you might unknowingly follow a Gopher link from a Web page or HTML
e-mail, without you realizing you are using Gopher (until it's too
late).


SOLUTION PATH:

Microsoft has not yet released a patch. However, Pynnonen has
supplied a viable workaround. Defining a non-functional proxy for
Gopher prevents IE from downloading any Gopher documents. Here's
how:

* In Internet Explorer click on Tools => Internet Options =>
Connections tab.

* Click the LAN Settings button.

* Check "Use a proxy server for your LAN" and then click the
Advanced button.

* Under the "Gopher" dialogs, enter 127.0.0.1 as the proxy
server and 1 as the port.

* Click OK three times to return to IE's normal display.
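
For administrators who need to apply or audit this workaround on many clients, the sketch below (an added example, not part of the WatchGuard alert or Pynnonen's advisory) merges the Gopher entry into a user's proxy string without disturbing existing HTTP or FTP proxies. It assumes IE reads its proxy settings from the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; the function names are illustrative.

```python
"""Merge the Gopher sinkhole (127.0.0.1:1) into an IE/WinINet proxy string."""
import sys

SINKHOLE = "127.0.0.1:1"  # proxy host:port given in the workaround above
# Assumed location of IE's per-user proxy settings (ProxyEnable, ProxyServer).
KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

def parse_proxy(value):
    """Return {scheme: server}; a bare 'host:port' entry is stored under '*'."""
    entries = {}
    for part in value.replace(" ", ";").split(";"):
        if not part:
            continue
        scheme, sep, server = part.partition("=")
        if sep:
            entries[scheme.lower()] = server
        else:
            entries["*"] = part
    return entries

def sinkhole_gopher(enabled, value):
    """Return the ProxyServer string with Gopher pointed at the sinkhole."""
    # A stale string left behind while the proxy was disabled is discarded,
    # so turning the proxy on does not silently reactivate it.
    entries = parse_proxy(value) if enabled else {}
    shared = entries.pop("*", None)
    if shared:  # one proxy for all protocols: keep it for the other schemes
        for scheme in ("http", "https", "ftp"):
            entries.setdefault(scheme, shared)
    entries["gopher"] = SINKHOLE
    return ";".join(f"{k}={v}" for k, v in entries.items())

def gopher_is_sinkholed(enabled, value):
    """Audit check: is the workaround in effect for this user?"""
    return bool(enabled) and parse_proxy(value).get("gopher") == SINKHOLE

if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as k:
        def read(name, default):
            try:
                return winreg.QueryValueEx(k, name)[0]
            except FileNotFoundError:
                return default
        enabled, value = read("ProxyEnable", 0), read("ProxyServer", "")
        if not gopher_is_sinkholed(enabled, value):
            winreg.SetValueEx(k, "ProxyServer", 0, winreg.REG_SZ,
                              sinkhole_gopher(enabled, value))
            winreg.SetValueEx(k, "ProxyEnable", 0, winreg.REG_DWORD, 1)
```

Run as the logged-on user, the script changes the registry only when the audit check fails; on other platforms only the string-handling functions are usable.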

-- For WatchGuard SOHO Users:

Gopher traffic passes over TCP port 70. You can use your SOHO to
egress filter Gopher traffic. From the SOHO management page, click
the Custom Service link. Input "gopher" as the Service Name and add
TCP port 70 under Protocol Settings. Press the Submit button at the
bottom of the page. Next click Outgoing on the left side of the
page. Scroll down to Custom Services and find your new "gopher"
service. Change the "gopher" service's Filter to "Deny" and press
the Submit button at the bottom of the page. This will protect your
users from this buffer overflow vulnerability. Keep in mind, this
also prevents your users from accessing normal Gopher documents.