Re: [squid-users] Gopher

From: Henrik Nordström <hno@dont-contact.us>
Date: Mon, 17 Jun 2002 20:40:40 +0200

If Squid is used as a proxy for Gopher then the quoted advisory does not apply, as
the Gopher code of the browser is then not used at all. It is then Squid's
responsibility to handle Gopher.

If Squid is not used as a proxy for Gopher then it cannot control any aspects
of it either.

Regards
Henrik

Luis Henrique Machado Jr. wrote:
> Squid can block Gopher protocol?
>
> Microsoft Security Bulletin MS02-027
>
> Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's
> Choice (Q323889)
> Originally posted: June 11, 2002
> Revised: June 14, 2002
>
> Summary
> Who should read this bulletin: Customers using Microsoft(r) Internet
> Explorer; System administrators running Microsoft Internet Security and
> Acceleration (ISA) Server 2000 or Microsoft Proxy Server 2.0.
>
> Impact of vulnerability: Run Code of Attacker's Choice.
>
> Maximum Severity Rating: Critical
>
> Recommendation: Administrators of ISA Server 2000 and Proxy Server 2.0
> systems should apply the patch. Customers using IE should implement the
> workaround detailed in the FAQ.
>
> Affected Software:
>
> Microsoft Internet Explorer
> Microsoft Proxy Server 2.0
> Microsoft ISA Server 2000
>
> Technical details
> Technical description:
>
> On June 11, 2002, Microsoft released the original version of this bulletin.
> In it, we detailed a work-around procedure that customers could implement
> to protect themselves against a publicly disclosed vulnerability. An
> updated version of this bulletin was rereleased on June 14, 2002 to
> announce the availability of patches for Proxy Server 2.0 and ISA Server
> 2000 and to advise customers that the work-around procedure is no longer
> needed on those platforms. Patches for IE are forthcoming and this bulletin
> will be re-released to announce their availability.
>
> The Gopher protocol is a legacy protocol that provides for the transfer of
> text-based information across the Internet. Information on Gopher servers
> is hierarchically presented using a menu system, and multiple Gopher
> servers can be linked together to form a collective "Gopherspace".
>
> There is an unchecked buffer in a piece of code which handles the response
> from Gopher servers. This code is used independently in IE, ISA, and Proxy
> Server. A security vulnerability results because it is possible for an
> attacker to attempt to exploit this flaw by mounting a buffer overrun
> attack through a specially crafted server response. The attacker could seek
> to exploit the vulnerability by crafting a web page that contacted a server
> under the attacker's control. The attacker could then either post this page
> on a web site or send it as an HTML email. When the page was displayed and
> the server's response received and processed, the attack would be carried
> out.
>
> A successful attack requires that the attacker be able to send information
> to the intended target. Anything which inhibited connectivity could protect
> against attempts to exploit this vulnerability. In the case of IE, the code
> would be run in the user's context. As a result, any limitations on the
> user would apply to the attacker's code as well.
>
> Mitigating factors:
>
> A successful attack requires that the attacker's server be able to deliver
> information to the target.
> In the case of IE, code would run in the security context of the user. As a
> result, any limitations on the user's ability would also restrict the
> actions an attacker's code could take.
> A successful attack against ISA and Proxy servers would require that the
> malicious response be received by the web proxy service. In practical
> terms, this means that a proxy client would have to submit the initial
> request through the proxy server.
> Severity Rating:
>
>                         Internet Servers  Intranet Servers  Client Systems
> Internet Explorer 5.01  Moderate          Moderate          Critical
> Internet Explorer 5.5   Moderate          Moderate          Critical
> Internet Explorer 6.0   Moderate          Moderate          Critical
> Proxy Server 2.0        Critical          Critical          None
> ISA Server 2000         Critical          Critical          None
>
> The above assessment is based on the types of systems affected by the
> vulnerability, their typical deployment patterns, and the effect that
> exploiting the vulnerability would have on them. In the case of ISA and
> Proxy servers, the vulnerability can be used to gain LocalSystem level
> access. In the case of IE, the vulnerability can be used to run code in the
> user's security context.
>
> Vulnerability identifier: CAN-2002-0371
>
> Tested Versions:
> Microsoft tested ISA Server 2000, Microsoft Proxy Server 2.0 to assess
> whether they are affected by these vulnerabilities. Previous versions are
> no longer supported, and may or may not be affected by these
> vulnerabilities.
>
> The following table indicates which of the currently supported versions of
> Internet Explorer are affected by the vulnerabilities. Versions of IE prior
> to 5.01 Service Pack 2 are no longer eligible for hotfix support. IE 5.01
> SP2 is supported only via Windows(r) 2000 Service Packs and Security
> Roll-up Packages.
>
>                                                         IE 5.01 SP2  IE 5.5 SP1  IE 5.5 SP2  IE 6.0
> Buffer Overrun in Gopher Protocol Handler (CVE-CAN-2002-0371)  Yes          Yes         Yes         Yes
>
> Frequently asked questions
> Why is Microsoft re-releasing this bulletin?
>
> Microsoft originally released this bulletin on June 11, 2002 to advise
> customers of work-around procedures that could be used while patches were
> under development. On June 14, 2002 Microsoft completed development of
> patches for ISA Server 2000 and Proxy Server 2.0 and rereleased this
> bulletin to advise customers of their availability. Patches for IE are
> under development and will be made available as soon as they are completed.
>
> Why is Microsoft releasing a work-around bulletin rather than a patch for
> this issue?
>
> Microsoft is currently working on patches to address this vulnerability.
> However, the information required to exploit this vulnerability has been
> released before the patches have been completed. To allow customers to take
> action to protect themselves while the patches are built, Microsoft is
> releasing work-around information. Microsoft will update this bulletin to
> announce the availability of patches as soon as they are available.
>
> What's the scope of this vulnerability?
>
> This is a buffer overrun vulnerability. A successful exploit of this
> vulnerability could enable an attacker to run code on the local system. An
> attacker could seek to exploit this vulnerability by creating a specially
> formed web page that would contact a server under the attacker's control.
> The web page could either be posted on a web site under the attacker's
> control or sent as an HTML email. When the attacker's server returned
> information to the target, the vulnerability could be exploited and the
> attacker's code would run in the context of the program that submitted the
> request to the attacker's server.
>
> In the case of ISA and Proxy Server, the attacker's code would run in the
> LocalSystem context. This could give the attacker complete control over the
> server and allow them to take any action on the server including but not
> limited to formatting the hard drive, adding administrators to the system,
> and loading network services.
>
> In the case of IE, the attacker's code would run in the user's context.
> This means that it could take any action that user could, including adding,
> changing or deleting files or changing security settings.
>
> Successfully exploiting the vulnerability requires that the intended target
> be able to receive information from an attacker's server using the Gopher
> protocol. Anything that prevents this access, such as blocking the Gopher
> protocol or blocking access to the attacker's server, would have the effect
> of preventing attempts to exploit this vulnerability. In addition,
> in the case of IE, the code would run in the security context of the user.
> As a result, any limitations on the user's account would also apply to the
> attacker's code. For example, if a user were prevented by security policies
> from deleting files or changing security settings, the attacker's code would
> also be prevented from those actions.
>
> What causes the vulnerability?
>
> The vulnerability results because of an unchecked buffer in code which
> handles information returned from a server using the Gopher protocol. By
> configuring a Gopher server to return information in a particular manner in
> response to requests, an attacker could attempt to overflow the buffer and
> load code on the system.
>
> Why does this vulnerability affect ISA and Proxy Servers in addition to IE?
>
> The particular piece of code which has the unchecked buffer is used
> independently in ISA and Proxy Servers, in addition to being used in IE.
>
> What is Gopher?
>
> Gopher is a network protocol or language that supports the transfer of
> information across the Internet. In many ways, it is similar to HTTP, the
> protocol that is the language of the World Wide Web. Unlike HTTP, however,
> Gopher is completely text based. The Gopher protocol is discussed in RFC
> 1436.
>
> Gopher works to organize the information on a site into a hierarchical
> menu. In addition, multiple Gopher sites can be linked together by menus
> creating what is referred to as "Gopherspace".
>
> Most of the functions and capabilities of Gopher have been superseded by
> HTTP. Gopher is mainly used now to provide legacy support for information
> that has not been migrated to web sites.
>
> The protocol is called Gopher after the mascot of the University of
> Minnesota where it was first developed.
>
> What's wrong with how Gopher is handled?
>
> There is an unchecked buffer in the code which handles information returned
> from a Gopher server.
>
> What could this vulnerability enable an attacker to do?
>
> This vulnerability could enable an attacker to levy a buffer overrun attack
> and attempt to run code in the same process space as the running program.
> As a consequence, an attacker's code could run with the same privileges as
> the running program.
>
> In the case of ISA and Proxy Server, this could enable an attacker to run
> code as the operating system. This would give the attacker complete control
> over the server.
>
> In the case of IE, this could enable an attacker to run code as the
> currently logged on user. The attacker would be able to do anything that
> the user could. The attacker would also be limited by any constraints that
> govern the user's privileges.
>
> How could an attacker exploit this vulnerability?
>
> An attacker could seek to exploit this vulnerability by building a web page
> that contacts the attacker's server. When the response from the attacker's
> server was processed, the buffer would be overrun and the attacker's code
> would execute.
>
> In the case of IE, the attacker could either post the web page on a server
> or send it as an HTML email. In either instance, as soon as the page was
> displayed and the response from the attacker's server received, the attack
> would be carried out.
>
> In the case of ISA and Proxy server, a successful attack would require that
> the web proxy service receive the malformed Gopher response. In practical
> terms, this means that a proxy server client would most likely have to make
> a request to the attacker's server. When the server received and processed
> the malicious response, the attack would be carried out.
>
> I'm running email in the Restricted Sites zone, am I at risk from this
> vulnerability?
>
> While the Restricted Sites zone often provides protection against HTML
> email-based vulnerabilities, it does not protect against attempts to
> exploit this vulnerability by email. This is because basic HTML
> functionality, which is permitted in the Restricted Sites zone, is
> sufficient to invoke the vulnerability.
>
> Is there anything that can mitigate against attempts to exploit this
> vulnerability by email?
>
> Yes. The "Read as Plain Text" feature in Outlook 2002 SP1 can protect
> against attempts to exploit this vulnerability by HTML email. This is
> because this feature disables all HTML functionality.
>
> Is there anything that can mitigate against this vulnerability?
>
> Yes. A successful attack requires that the attacker's server be able to
> send network traffic to the intended target. Anything which inhibits the
> attacker's ability to send traffic would help protect against this
> vulnerability.
>
> How can I protect against this vulnerability in IE until patches are
> completed?
>
> Customers can protect themselves against this vulnerability in IE by
> defining a non-functional Gopher proxy in Internet Explorer. This has the
> result of essentially disabling the Gopher protocol in IE by making it
> impossible for IE to send and receive Gopher traffic.
>
> How can I implement this work-around manually?
>
> Customers can implement the work-around manually by following the steps
> listed below:
>
> 1. Right-click on the Internet Explorer (IE) icon on the Desktop or, while IE
>    is open, click on "Tools" and select "Internet Options".
> 2. Click on the "Connections" tab.
> 3. Click on the "LAN Settings..." button.
> 4. Uncheck "automatically detect settings".
> 5. If "automatic configuration script" is set, check with your administrator
>    whether a gopher server is called out.
> 6. Check the "Use proxy server for your LAN..." checkbox.
> 7. Click on the "Advanced..." button.
> 8. Ensure "use the same proxy server for all protocols" is unchecked.
> 9. In the "Proxy addresses to use" textbox next to the word Gopher, type
>    "LocalHost".
> 10. In the "Port" textbox next to the Gopher protocol, type "1".
> 11. Enter proxy information for any other protocols (FTP, HTTP) in the
>     appropriate textboxes.
> 12. Click "OK" until the Internet Options menu disappears.
>
> Note that after unchecking "automatically detect settings" you will need to
> ensure that there are entries for other protocols such as HTTP and FTP. If
> these boxes are empty, applications that use these protocols may no longer
> function correctly.
>
> I'm a network administrator, how can I implement this work-around in my
> Enterprise?
>
> Administrators can use the "Automatic Proxy Configuration Script" feature
> in IE to implement this workaround in a .pac file. Below is an example of
> how this could be implemented:
>
> function FindProxyForURL(url, host)
> {
>     // Route gopher: URLs to a non-functional proxy so IE never sends
>     // or receives Gopher traffic; everything else goes direct.
>     if (url.substring(0, 7).toLowerCase() == "gopher:") {
>         return "PROXY localhost:1";
>     }
>     else {
>         return "DIRECT";
>     }
> }
>
> Note that customers using a specific proxy should modify the line: return
> "DIRECT" ; to return "PROXY ;"
>
> What do the ISA Server and Proxy Server 2.0 patches do?
>
> The patch eliminates the vulnerability by implementing proper checking on
> the buffer that handles server responses.
>
> I implemented the work-around on my ISA Servers, how do I re-enable the
> Gopher protocol?
>
> Customers who implemented the work-around on an ISA array can re-enable the
> Gopher protocol by deleting the rule that they created by following the steps
> listed below:
>
> 1. Go to the node: Servers and Arrays, Array node, Access policy, Protocol
>    Rules.
> 2. Select the rule created to implement the work-around. Select "Delete".
>
> Customers using the enterprise edition of ISA server who implemented the
> work-around using the enterprise policy can re-enable the Gopher protocol
> by deleting the rule that they created by following the steps listed below:
>
> 1. Go to the node: Enterprise, Policies, applied enterprise policy, Protocol
>    Rules.
> 2. Select the rule created to implement the work-around. Select "Delete".
>
> I implemented the work-around on my Proxy 2.0 Servers, how do I re-enable
> the Gopher protocol?
>
> By default, access is denied to any protocol for any user or group of users
> on Proxy 2.0. If you have enabled protocol access for users and want to
> exclude Gopher from that access, follow the steps listed below:
>
> 1. Click Start, point to Programs, point to Microsoft Proxy Server and click
>    Microsoft Management Console.
> 2. Double-click on the computer name.
> 3. On the right pane, double-click on the Web Proxy.
> 4. Use the Web Proxy Permission tab to determine which users or group of
>    users can access via the protocol.
> 5. Check "Enable access control".
> 6. Ensure the gopher "grant access" list has the appropriate access list,
>    probably everyone.
>    OR, ensure that the "unlimited access" list has the appropriate access
>    list.
> 7. Click OK.
>
> Patch availability
> Download locations for this patch
> ISA Server 2000:
> http://www.microsoft.com/downloads/release.asp?ReleaseID=39856
> Proxy Server 2.0:
> http://www.microsoft.com/downloads/release.asp?ReleaseID=39861
> Internet Explorer:
> Patches are under development and will be posted as soon as they are
> completed.
>
> Additional information about this patch
> Installation platforms:
>
> The ISA Server 2000 patch can be installed on systems running ISA Server
> 2000 SP1.
> The Proxy Server 2.0 patch can be installed on systems running Proxy Server
> 2.0 SP 1.
> Inclusion in future service packs:
> The fix for this issue will be included in ISA Server 2000 SP2
>
> Reboot needed:
>
> ISA Server 2000: No
> Proxy Server 2.0: Yes
> Superseded patches: None.
>
> Verifying patch installation:
>
> ISA Server 2000 and Proxy Server 2.0:
> Verify the file versions as indicated in the file manifest in Q323889
> Caveats:
> None
>
> Localization:
> Localized versions of this patch are available at the locations discussed
> in "Obtaining other security patches".
>
> Obtaining other security patches:
> Patches for other security issues are available from the following
> locations:
>
> Security patches are available from the Microsoft Download Center, and can
> be most easily found by doing a keyword search for "security_patch".
> Patches for consumer platforms are available from the WindowsUpdate web
> site
>
> All patches available via WindowsUpdate also are available in a
> redistributable form from the WindowsUpdate Corporate site.
> Other information:
> Support:
>
> Microsoft Knowledge Base article Q323889 discusses this issue and will be
> available approximately 24 hours after the release of this bulletin.
> Knowledge Base articles can be found on the Microsoft Online Support web
> site.
> Technical support is available from Microsoft Product Support Services.
> There is no charge for support calls associated with security patches.
> Security Resources: The Microsoft TechNet Security Web Site provides
> additional information about security in Microsoft products.
>
> Disclaimer:
> The information provided in the Microsoft Knowledge Base is provided "as
> is" without warranty of any kind. Microsoft disclaims all warranties,
> either express or implied, including the warranties of merchantability and
> fitness for a particular purpose. In no event shall Microsoft Corporation
> or its suppliers be liable for any damages whatsoever including direct,
> indirect, incidental, consequential, loss of business profits or special
> damages, even if Microsoft Corporation or its suppliers have been advised
> of the possibility of such damages. Some states do not allow the exclusion
> or limitation of liability for consequential or incidental damages so the
> foregoing limitation may not apply.
>
> Revisions:
>
> V1.0 (June 11, 2002): Bulletin Created.
> V2.0 (June 14, 2002): Bulletin updated to include patch availability for
> ISA Server 2000 and Proxy Server 2.0 and to correct factual error regarding
> the efficacy of blocking port 70.

-- 
Basic free Squid support provided thanks to MARA Systems AB
Your source of advanced reverse proxy solutions or customized
Squid solutions. http://www.marasystems.com/products/
Received on Mon Jun 17 2002 - 12:40:54 MDT
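One way to do what Luis asks, as an added squid.conf example that is not from this thread or from the Squid project's own documentation: when Squid is the Gopher proxy Henrik describes, deny Gopher requests explicitly so Squid never fetches a Gopher response in the first place. The client network range is an assumed placeholder.

```squid
# Added example (not from the thread): squid.conf fragment that refuses
# Gopher requests before Squid would contact any Gopher server.
# Squid's stock Safe_ports list permits port 70 ("# gopher"), so port
# filtering alone does not stop gopher:// URLs; match on the URL scheme.
acl gopher_proto proto gopher

# http_access rules are evaluated in order, so this deny must come
# before any "allow" line that would otherwise match the same client.
http_access deny gopher_proto

# Assumed placeholder for the site's client network; replace as needed.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

After editing, run `squid -k reconfigure`; a browser that sends gopher:// URLs through Squid then gets Squid's access-denied page instead of the Gopher server's response, and the access log records the refused request.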