Article ID: 323889 - Last Review: October 29, 2007 - Revision: 5.5

Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice

View products that this article applies to.
This article was previously published under Q323889

On This Page

Expand all | Collapse all

SYMPTOMS

A problem may occur on an Internet Security and Acceleration (ISA) Server-based or Proxy Server 2.0-based computer during the processing of Internet Gopher protocol requests. A typical Gopher request may look similar to this:
gopher://gopher.example.com:70/11/example%09%09%2b
When a malicious request is received, the ISA Server-based or Proxy Server 2.0-based computer may send back a response that is not valid, generate an access violation error message, and stop providing services.

A successful attack against the ISA Server-based or Proxy Server 2.0-based computer requires a malicious Gopher request. This request must originate from a valid user who is permitted by the firewall policy and that is received by the Web Proxy service. This means that a valid client would have to submit the initial request.
Back to the top

CAUSE

The vulnerability results because of an unchecked buffer in the code. This code handles information that is returned from a server by using the Gopher protocol. By configuring a Gopher server to return information in a particular manner in response to requests, an attacker might attempt to overflow the buffer and load code on the computer.
Back to the top

RESOLUTION

ISA Server

You must install ISA Server Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about how to obtain the latest ISA Server service pack, click the article number below to view the article in the Microsoft Knowledge Base:
313139  (http://support.microsoft.com/kb/313139/EN-US/ ) How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack
The following file is available for download from the Microsoft Download Center:
Download Isahf177.exe now (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=FA5A158E-B0E1-448C-9D42-FE0653226EB9) .
To install the fix, run the self-extracting file. You do not need to restart the ISA Server computer. If the computer is part of an ISA Server array, you do not need to shut the whole array down; you can still install this fix on a one-by-one basis.

The English version of the ISA Server fix should have the following file attributes or later:
   Date         Time   Version       Size     File name
   ------------------------------------------------------
   11-Jun-2002  13:08  3.0.1200.177  30,992   W3pinet.dll
This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.

Release Date: June 14, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Back to the top

Proxy Server 2.0

You must install Proxy Server 2.0 Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about Proxy Server 2.0 SP1, click the article number below to view the article in the Microsoft Knowledge Base:
238375  (http://support.microsoft.com/kb/238375/EN-US/ ) Proxy Server 2.0 Service Pack 1: List of Fixes
The following file is available for download from the Microsoft Download Center:
Download 29106_ENU_i386_zip.exe now (http://www.microsoft.com/downloads/details.aspx?FamilyID=2581b8c5-e709-4914-91bc-cfa13d031bc8&DisplayLang=en) .

The English version of the Proxy Server 2.0 fix should have the following file attributes or later:
   Date         Time   Version       Size     File name
   ------------------------------------------------------
   11-Jun-2002  09:09  2.0.390.16    37,136   W3pinet.dll
This fix also applies to the French, German, Spanish, and Japanese versions of Proxy Server 2.0.


Release Date: June 14, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/EN-US/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.



Back to the top

WORKAROUND

Workarounds exist for:
  • Internet Explorer
  • ISA Server-based computers
  • ISA Server-based arrays
  • Multiple ISA Server-based arrays
  • Proxy 2.0 Server-based computers
For step-by-step instructions for these workarounds, please view the "Frequently asked questions" section of the following security bulletin:
Microsoft Security Bulletin MS02-027 (http://www.microsoft.com/technet/security/bulletin/MS02-027.mspx)
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Back to the top

MORE INFORMATION

Successfully exploiting the vulnerability requires that the intended target be able to receive information from an attacker's server by using the Gopher protocol. Anything that prevents this access, such as blocking the Gopher protocol or blocking access to the attacker's server, would have the effect of preventing attempts to exploit this vulnerability. Because of this, this vulnerability does not affect the default installation of ISA Server.

The Gopher protocol is an earlier protocol that provides for the transfer of text-based information across the Internet. Information on Gopher servers is hierarchically presented by using a menu system, and multiple Gopher servers can be linked together to form a collective "Gopherspace". More information about this protocol is included in Request for Comments number 1436.

For more information about this vulnerability, please view the following security bulletin:
Microsoft Security Bulletin MS02-027 (http://www.microsoft.com/technet/security/bulletin/MS02-027.mspx)
Back to the top
APPLIES TO
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
  • Microsoft Proxy Server 2.0 Standard Edition
  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Tablet PC Edition
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
    • Microsoft Windows NT Server 4.0 Standard Edition
    • Microsoft Windows NT Server 4.0, Terminal Server Edition
    • Microsoft Windows NT Workstation 4.0 Developer Edition
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 98 Standard Edition
Back to the top
Keywords: 
kbbug kbfix kbqfe kbenv atdownload kbhotfixserver kbproductlink KB323889
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations