Buffer overflow in Microsoft Internet Explorer gopher code

Discussion in 'Security and Privacy' started by brett, 2002/07/31.

Thread Status:
Not open for further replies.
  1. 2002/07/31
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    More here.
     
  2. 2002/08/05
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Thanks brett

    I got tired of waiting for Microsoft to come up with the patch
    so I checked out http://www.solutions.fi/index.cgi/news_2002_06_04?lang=en (the page in your link) using IE5.5sp2. I clicked the gopher://www.solutions.fi:7000/0 link and it displayed the page:
    A SAMPLE GOPHER DOCUMENT
    ========================
    If you see this document, then you are using gopher. If this appears in your Internet Explorer, then you're likely to be vulnerable to the gopher buffer overflow bug. (snip)

    so I followed the "workaround instructions" in the first link and figured I'd post my results:
    I did the following, since I have a dialup connection:
    - Under IE Tools Internet Options, Connections tab, I selected my ISP default connection in the dialup settings section.
    - I clicked Settings, I placed a checkmark before "use a proxy server" then clicked the Advanced button.
    - In the Gopher text field I typed localhost
    - I typed 1 in the port text field.
    Then I closed IE and disconnected from my ISP. I reopened IE (reconnecting to my ISP) and retested the gopher link and got, "The page cannot be displayed" so the workaround 'worked'
    ;)

    As a side note, the above had no effect on Netscape Communicator 4.79 which can still (safely I gather) display gopher links. Mozilla 1.0rc3 didn't display the gopher link to start with...it just brought up a totally blank page.

    EDIT: Here is Microsoft Security Bulletin MS02-027, "Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)"
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027.asp
     
    Last edited: 2002/08/05

  4. 2002/08/06
    shadowhawk

    shadowhawk Inactive

    Joined:
    2002/01/07
    Messages:
    985
    Likes Received:
    0
    But wouldn't you only be affected by this vulnerability if you go to gopher sites?
     
  5. 2002/08/06
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    This should make things clearer.
     
  6. 2002/08/06
    shadowhawk

    shadowhawk Inactive

    Joined:
    2002/01/07
    Messages:
    985
    Likes Received:
    0
    OK but that article says that it's people who use proxy servers that are affected. I don't use a proxy server, so that means I'm not vulnerable, right?
     
  7. 2002/08/06
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Right. The proxy server software component is the piece that is vulnerable.

    The rest of us can visit Gopher sites (and archie, veronica, et al. if you can find any these days) in complete safety from this particular hack.
     
  8. 2002/08/06
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Oops - sorry, but I linked to the wrong article (although it does address a similar(ish) issue).

    The vulnerability affects all IE users. Code inserted within an HTML document (be it a web page or an email) can (without the user's knowledge) initiate a connection between a local computer and a gopher server running malicious code.
     
    Last edited: 2002/08/07
  9. 2002/08/06
    ezbob

    ezbob Inactive

    Joined:
    2002/05/16
    Messages:
    8
    Likes Received:
    0
    Security Company-PivX, Cleans Up Microsoft’s Gopher Mess
    PivX Solutions released Gopher Smoker v0.6 to fix the gopher::root vulnerability in all versions of Microsoft Internet Explorer™.

    NOT a patch, Not a work around

    But a real fix.

    http://www.pivx.com/gopher_smoker.html
     
  10. 2002/08/06
    shadowhawk

    shadowhawk Inactive

    Joined:
    2002/01/07
    Messages:
    985
    Likes Received:
    0
    If I install this fix, should I then go in and get rid of the localhost 1 thing from the proxy fields?
     
  11. 2002/08/07
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Shadowhawk - I'd suggest holding back on applying that "fix" for the moment. Looking at the PivX documentation, it is unclear:

    1) What the program actually does;

    2) How easy it is to uninstall the program or undo whatever changes it may make;

    3) How the program will interact with any future critical updates released by MS.

    #3 is obviously of the most concern.
     
  12. 2002/08/07
    shadowhawk

    shadowhawk Inactive

    Joined:
    2002/01/07
    Messages:
    985
    Likes Received:
    0
    I certainly haven't installed it yet. It's sitting on my desktop, waiting. It can wait till I learn more about it. ITMT, the localhost 1 thing seems to work. I couldn't get to that Gopher site after I did it.
     
  13. 2002/08/07
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Almost two months since the original MS Security Bulletin appeared and still no fix from MS for Internet Explorer.
    So like Alice, I got tired of waiting and I used the fix in
    gopher://www.solutions.fi:7000/0
    and no longer see the "Sample Gopher Document"!!
    Looked good!!
    Unfortunately, however, I went back to the MS02-027 Bulletin and found it had been modified as of July 31!!
    Toward the end of the modified Bulletin, it says (new parts in bold red)
    "In the "Proxy addresses to use" textbox next to the word Gopher, Type "LocalHost"
    In the "Port" textbox next to the Gopher protocol, Type "1"
    Enter proxy information for any other protocols (FTP, HTTP) in the appropriate textboxes.
    Click 'OK' until the Internet Options Menu disappears.
    Note that after unchecking "automatically detect settings" (as we were instructed to do earlier) you will need to ensure that there are entries for other protocols such as HTTP and FTP. If these boxes are empty, applications that use these protocols may no longer function correctly.
    Now what should I/we do? MS gives no info about the "entries" to be made in HTTP, FTP, etc. boxes.
     
    Last edited: 2002/08/07
  14. 2002/08/07
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Jim - are you on a LAN? If not, the gopher proxy should be created in Tools - Internet Options - Connections - Settings. There should be no need to create a proxy for the other protocols (HTTP, FTP, etc).

    The MS Bulletin is awful!!!
     
  15. 2002/08/07
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    brett--Thanks for your reply. I am on cable, which I have always assumed meant I was on a LAN. In any event, clicking on Settings rather than Lan Settings on the Connections tab, brings up only the settings for my dial-up connection, which I use only seldomly (when/if cable is down).
     
  16. 2002/08/07
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    That being the case, the LAN settings are the correct ones to use. However, I still think that you need only define a gopher proxy. Have you experienced any problems with the settings as they are?
     
  17. 2002/08/08
    pivx

    pivx Inactive

    Joined:
    2002/08/08
    Messages:
    2
    Likes Received:
    0
    PivX Clarifications...

    Hello All,
    After being notified of this post by Brett, I thought I would shed some light on our little fix for the big gopher hole.

    First off, you can find all of the information about it here:
    http://www.pivx.com/press_releases/gopher_smoker_pr2.html

    and...

    You can download the program here:
    http://www.pivx.com/gopher_smoker.html

    -If you question the validity of the program, please see some of our press coverage from reputable sources relating to this fix:
    http://www.pivx.com/ttv_video.html
    http://online.securityfocus.com/bid/4930/solution/


    Basically our program just modifies the correct registry settings adding a localloop proxy for the gopher protocol, AND* it goes one step further by fixing all of the problems that adding that localloop proxy creates within:
    -Windows Media Player (Pre 7.3)
    -MSN Messenger
    -Outlook
    -Outlook Express
    -AIM Messenger (Some Versions)

    FAQs:
    Q1) Will this disable me from installing any windows software or updates in the future?
    A1) NO, it will not do anything of the sort.

    Q2) Should I backup my registry before I run your program?
    A2) If you would like to, that would not hurt, but our program will not modify any vital operating keys, or make any malicious changes.

    Q3) Will your fix alone save me from the gopher vulnerability?
    A3) Rest sure little Timmy, once you have installed our fix, you are safe from this vulnerability

    Q4) Will this delete my operating system just like Microsoft Windows does to Linux during a dual booted install?
    A4) NO, it will not use any strong arm tactics to remove any current or other installed operating systems/ programs. ;)

    Q5) Why the name "Gopher Smoker"?
    A5) Just one word... Caddyshack ;)


    If you have any further questions, please email me directly here: gshively@pivx.com but please note that I will be out of the office on business in Europe with limited internet access in some areas where GSM phone coverage is not provided.

    Thank You,
    Geoff Shively, CHO
    PivX Solutions, LLC
    http://www.pivx.com
     
    Last edited: 2002/08/08
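
An added example, not part of the thread and not PivX's or Microsoft's code: one way to audit the workaround discussed above (the manual "localhost, port 1" steps and the registry change PivX describes), including the empty HTTP/FTP boxes raised earlier in the thread. It assumes the setting is available as a WinINET-style per-protocol proxy string such as `gopher=localhost:1`; the function names and sample strings are constructed for illustration.

```python
# Added example: audit a WinINET-style proxy string for the gopher sinkhole.
# Assumption: entries look like "scheme=host:port", separated by ";" or spaces,
# and a bare "host:port" with no scheme applies to every protocol.
LOOPBACK = {"localhost", "127.0.0.1"}
OTHER_PROTOCOLS = ("http", "https", "ftp")

def parse_proxy_string(value):
    """Return {scheme: (host, port)}; key "*" holds a proxy given without a scheme."""
    table = {}
    for entry in value.replace(";", " ").split():
        scheme, sep, server = entry.partition("=")
        if not sep:                          # bare "host:port" form
            scheme, server = "*", entry
        server = server.split("://", 1)[-1]  # tolerate "scheme://host:port"
        host, _, port = server.rpartition(":")
        if not host:                         # no port was given
            host, port = server, ""
        table[scheme.lower()] = (host.lower(), int(port) if port.isdigit() else None)
    return table

def gopher_status(proxy_enabled, proxy_string):
    """Classify gopher handling as 'sinkholed', 'proxied' or 'direct'."""
    if not proxy_enabled:
        return "direct"                      # proxy list ignored: workaround inactive
    table = parse_proxy_string(proxy_string)
    target = table.get("gopher") or table.get("*")
    if target is None:
        return "direct"                      # assumption: unlisted schemes bypass the proxy
    host, _port = target
    # 'sinkholed' still relies on nothing listening on that local port.
    return "sinkholed" if host in LOOPBACK else "proxied"

def unlisted_protocols(proxy_string):
    """Protocols with no proxy entry (the boxes left empty in the dialog)."""
    table = parse_proxy_string(proxy_string)
    if "*" in table:
        return []
    return [p for p in OTHER_PROTOCOLS if p not in table]

if __name__ == "__main__":
    # Constructed sample values, not read from a real machine.
    for enabled, value in [(True, "gopher=LocalHost:1"),
                           (False, "gopher=localhost:1"),
                           (True, "http=proxy.example:8080")]:
        print(enabled, value, gopher_status(enabled, value), unlisted_protocols(value))
```
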
  18. 2002/08/08
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Thanks for the clarification, Geoff :)
     
    Last edited: 2002/08/08
  19. 2002/08/08
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    brett--Not yet. :D All the other boxes in that panel (FTP, HTTP, etc.) are blank as was the one for Gopher before the manual fix.

    Good grief!! I had not seen there was a page two, and thought I was just responding to brett's post of August 7 21:49GMT.
    I am going to have to ponder pivx's post. Do I still need his fix if I have already done the manual fix? If yes, do I undo the manual fix first and then use pivx's program?
    I tried the pivx test for Windows Media Player. The maximusmiximus site did not work, but other media streams did. Talk about confusing.
     
    Last edited: 2002/08/08
  20. 2002/08/08
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Should be ok - it's only the gopher protocol which you need to redirect to a false proxy.

    It would appear that the PivX "fix" also addresses which arise in relation to other pieces of software.

    I would say, yes. It appears that the PivX program simply makes some changes to the registry. It'd probably be sensible to backup the registry before installing the "fix" (as suggested above).
     
  21. 2002/08/08
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    WelshJim , I'm glad you recognized that there might be problems with the workaround.

    Thanks to pivx for identifying possible problems:
    With the gopher localhost proxy set, I couldn't listen to any of the WindowsMedia.com radio tuner stations, for example, Public Radio:
    WNYC 820 AM or WNYC 93.9 FM - http://www.wnyc.org/ with WindowsMedia 6.4
    I got an Error: Cannot Open. Please verify that the path and filename are correct. [Error=C00D0035]
    As soon as I undid the gopher proxy workaround, Windows Media Player 6.4 could open and the radio stations played.

    I'm hesitant about installing third party programs, especially to fix a Microsoft security issue, so I'll have to think about this awhile.
     