Flawed workaround in MS02-027 -- gopher can run on _any_ port, not just 70

[Mikael Olsson <mikael.olsson () clavister com>]

Just a quick heads-up:

MS02-027 cites blocking port 70 as an effective protection against
exploitation of the Gopher buffer overrun in IE / ISA server / MS proxy:

"Most notably, customers who block access to the Gopher protocol (TCP 
 port 70) at the perimeter firewall would be protected against attempts 
 to exploit this vulnerability across the Internet."


This is untrue. Gopher servers can run on any port, e.g.
"gopher://evilhacker.net:1234";, or why not ":80", so don't trust 
blocking port 70 at all. Use the other workarounds instead.

(In fact, in the case of *nix servers, it's even easier for an attacker 
to run the fake gopher server on a high port; this way, he won't even 
need root priviliges.)


Take care,
/Mikael Olsson

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com