[25779] in bugtraq
Flawed workaround in MS02-027 -- gopher can run on _any_ port, not just
daemon@ATHENA.MIT.EDU (Mikael Olsson)
Thu Jun 13 20:31:14 2002
Message-ID: <3D08CEE3.EBD65117@clavister.com>
Date: Thu, 13 Jun 2002 18:57:07 +0200
From: Mikael Olsson <mikael.olsson@clavister.com>
To: bugtraq@securityfocus.com

Just a quick heads-up:

MS02-027 cites blocking port 70 as an effective protection against
exploitation of the Gopher buffer overrun in IE / ISA server / MS proxy:

"Most notably, customers who block access to the Gopher protocol (TCP
port 70) at the perimeter firewall would be protected against attempts
to exploit this vulnerability across the Internet."

This is untrue. Gopher servers can run on any port, e.g.
"gopher://evilhacker.net:1234", or why not ":80", so don't trust
blocking port 70 at all. Use the other workarounds instead.

(In fact, in the case of *nix servers, it's even easier for an attacker
to run the fake gopher server on a high port; this way, he won't even
need root privileges.)

Take care,
/Mikael Olsson
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
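
The gap described above can be checked against proxy or firewall logs. The following is an added example, not part of the original post: it lists gopher:// requests that a "block TCP port 70" rule would not cover. The log format, the example.net host names and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

GOPHER_DEFAULT_PORT = 70
# Match the scheme case-insensitively; stop at whitespace, quotes or angle brackets.
GOPHER_URL = re.compile(r"gopher://[^\s\"'<>]+", re.IGNORECASE)

def gopher_targets(text):
    """Return (host, port) for every gopher:// URL found in text."""
    targets = []
    for match in GOPHER_URL.finditer(text):
        try:
            parts = urlsplit(match.group(0))
            host, port = parts.hostname, parts.port
        except ValueError:
            # Malformed authority or port: keep the hit, with unknown endpoint.
            targets.append((None, None))
            continue
        if port is None:
            port = GOPHER_DEFAULT_PORT  # no explicit port means 70
        targets.append((host, port))
    return targets

def missed_by_port_rule(lines, blocked_port=GOPHER_DEFAULT_PORT):
    """Gopher requests that a 'block TCP <blocked_port>' rule lets through.

    Entries whose port could not be parsed are reported as missed as well,
    because the port rule cannot be shown to cover them.
    """
    missed = []
    for line in lines:
        for host, port in gopher_targets(line):
            if port != blocked_port:
                missed.append((host, port))
    return missed

# Constructed sample log lines (hypothetical format: client, method, URL).
SAMPLE_LOG = [
    "10.0.0.5 GET gopher://gopher.example.net/1/docs",
    "10.0.0.7 GET gopher://files.example.net:1234/0/readme",
    "10.0.0.9 GET GOPHER://files.example.net:80/",
    "10.0.0.9 GET http://www.example.net/index.html",
]

if __name__ == "__main__":
    for host, port in missed_by_port_rule(SAMPLE_LOG):
        print(f"gopher request not covered by port-70 block: {host}:{port}")
```

Matching on the URL scheme rather than the destination port is what catches the second and third sample lines.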