RE: WMF Vulnerability
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 5 Jan 2006 15:36:23 -0600
Hi Jim,
Thanks!!!
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 2:16 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
>
> http://www.ISAserver.org
>
> Sure (please don't post it to isaserver.org yet; not quite baked)
>
> 1. examines all arrays
> 2. within each array, it examines all rules
> 3. if the rule is:
> - "allow"
> - not "default"
> - includes the Web Proxy filter
> ...it updates the HTTP Filter settings as:
>
> Extensions:
> If "block specified"
> Add .emf
> Add .wmf
>
> If "allow specified"
> Remove .emf
> Remove .wmf
>
> Signatures:
> Name=WMF-1
> Description="request file type trigger"
> Type="Request URL"
> Signature=".emf"
>
> Name=WMF-2
> Description="request file type trigger"
> Type="Request URL"
> Signature=".wmf"
>
> Name=WMF-3
> Description="response headers trigger"
> Type="Response Headers"
> HTTP Header="content-type"
> Signature="msmetafile"
>
> Name=WMF-4
> Description="response body file type trigger"
> Type="Response Body"
> Signature=".emf"
>
> Name=WMF-5
> Description="response body file type trigger"
> Type="Response Body"
> Signature=".wmf"
>
> Name=WMF-6
> Description="response body file header trigger"
> Type="Response Body"
> Signature="184Gmg"
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 11:31
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
>
> http://www.ISAserver.org
>
> Hey Jim,
>
> Can you give a thumbnail view of what this script does?
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, January 05, 2006 1:27 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> >
> > http://www.ISAserver.org
> >
> > Ok - found and fixed the bug - twere a logic error in publishing
> > rules.
> > Also "hardened" the script in a few places.
> > http://isatools.org/block_wmf.zip
> >
> > Note that it only acts on the array policies for now.
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Thursday, January 05, 2006 10:02
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> >
> > http://www.ISAserver.org
> >
> > Andy Haigh
> >
> > And everyone has been ignoring it since.
> >
> > John T
> > eServices For You
> >
> >
> > > -----Original Message-----
> > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > Sent: Thursday, January 05, 2006 9:43 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > http://www.ISAserver.org
> > >
> > > I've noticed that my spell checker stops at the subject line of this
> > > thread.
> > > Who spelled Vunrability??? Damn you guys for making me hit cancel
> > > first :)
> > >
> > > Joseph
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, January 05, 2006 7:34 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Joseph,
> > >
> > > Keeping my eyes open for it.
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > Sent: Thursday, January 05, 2006 12:52 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Thomas,
> > > >
> > > > I hear that the next round of this type of attack may indeed be
> > > > *.gif or some other variant.
> > > >
> > > > Joseph
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 10:33 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Joseph,
> > > >
> > > > Yes, I knew what .wmf meant, was just having some fun there :)
> > > >
> > > > You could change the application that opens the .wmf file, but what
> > > > if they change the file extension to .doc or .xls or .gif? I think
> > > > you still end up getting whacked.
> > > >
> > > > Tom
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://spaces.msn.com/members/drisa/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > > **Who is John Galt?**
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > > Sent: Wednesday, January 04, 2006 12:03 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: WMF Vunrability
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Hi Thomas,
> > > > >
> > > > > WMF -- Um, this is a family list! But, I could also think of a few
> > > > > more things. Google desktop indexing has a flaw... If some
> > > > > unsuspecting user sets it up incorrectly or some goof uses it on a
> > > > > corporate network, then, the indexing process can show up on the
> > > > > internet! Now that's why I don't use trash like that.
> > > > >
> > > > > I'm sure you knew that *.wmf was for windows meta file. Changing the
> > > > > program that opens that to notepad actually works. At least in my test
> > > > > environment.
> > > > >
> > > > > Thank you,
> > > > > Joseph
> > > > >
> > > > > -----Original Message-----
> > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > > Sent: Wednesday, January 04, 2006 10:03 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: WMF Vunrability
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Hi Joseph,
> > > > >
> > > > > I read that even if you use Google indexing service on your
> > > > > computer, it will whack you when the WMF is accessed.
> > > > >
> > > > > BTW, what does WMF stand for? I can think of a few things right
> > > > > now :))
> > > > >
> > > > > Tom
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://spaces.msn.com/members/drisa/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- ISA Firewalls
> > > > > **Who is John Galt?**
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > > > Sent: Wednesday, January 04, 2006 11:53 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: WMF Vunrability
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > Another minor way to fix this from the desktop point of view and
> > > > > > yes it is a pain in the ass. Change the program that opens up
> > > > > > *.wmf (fax viewer) to use notepad instead. Not very feasible
> > > > > > though with a real large shop.
> > > > > >
> > > > > > Joseph
> > > > > >
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> > > > > > Sent: Wednesday, January 04, 2006 9:49 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: WMF Vunrability
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > > I have been thinking similar to "Thor" in that, "... have you
> > > > > > found the application/x-msmetafile mime block is all you have to
> > > > > > do?"
> > > > > > As .wmf file type is listed as
> > > > > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> > > > > >
> > > > > > However Jim Harrison mentions, "...use pattern matching in the
> > > > > > response stream. Request and response headers are ok unless the
> > > > > > "bad place" decides to spoof them."
> > > > > >
> > > > > > So application/x-msmetafile mime block does not completely block
> > > > > > the wmf type of files? Is what Jim is saying that the "bad
> > > > > > place" may spoof the headers, and Windows will continue to open the
> > > > > > file with the vulnerable application/dll?
> > > > > >
> > > > > > But isn't the ISA Application Filter therefore able to block
> > > > > > the specific mime type for *.wmf regardless of headers? Much
> > > > > > like how it blocks executables regardless of extension?
> > > > > >
> > > > > > Just attempting to add to the discussion, thanks!
> > > > > > Edgardo
> > > > > >
> > > > > > (BTW: above quotes are taken from the "OT - texas hold em"
> > > > > > thread)
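Jim's thumbnail of the script above (the extension rule plus the six WMF-n signatures) and Edgardo's question about spoofed headers, emulated in Python as an added example; this is not the block_wmf script or the ISA HTTP filter itself, and the sample URLs, headers and bodies are constructed (the bodies simply contain the WMF-6 signature string the thread lists). Case-insensitive URL/header matching is an assumption.

```python
import os

# The six signatures and the extension list exactly as Jim lists them in
# the thread; this module only emulates how they would be evaluated.
SIGNATURES = [
    ("WMF-1", "Request URL", None, ".emf"),
    ("WMF-2", "Request URL", None, ".wmf"),
    ("WMF-3", "Response Headers", "content-type", "msmetafile"),
    ("WMF-4", "Response Body", None, ".emf"),
    ("WMF-5", "Response Body", None, ".wmf"),
    ("WMF-6", "Response Body", None, "184Gmg"),
]
WMF_EXTENSIONS = {".emf", ".wmf"}


def update_extension_list(mode, extensions):
    """Apply the script's extension rule to one HTTP-filter extension list:
    'block specified' adds .emf/.wmf, 'allow specified' removes them."""
    current = {e.lower() for e in extensions}
    if mode == "block specified":
        current |= WMF_EXTENSIONS
    elif mode == "allow specified":
        current -= WMF_EXTENSIONS
    else:
        raise ValueError("unknown extension mode: %r" % mode)
    return sorted(current)


def matched_signatures(url, headers, body):
    """Names of the signatures that fire for one request/response pair.
    headers: dict keyed by lower-cased header name; body: bytes.
    Assumption: URL/header matches are case-insensitive, body is literal."""
    text = body.decode("latin-1")  # one char per byte, so binary bodies search cleanly
    hits = []
    for name, kind, header, sig in SIGNATURES:
        if kind == "Request URL":
            hit = sig in url.lower()
        elif kind == "Response Headers":
            hit = sig in headers.get(header, "").lower()
        else:
            hit = sig in text
        if hit:
            hits.append(name)
    return hits


def is_blocked(url, headers, body):
    """True when either the extension list or any signature would stop it."""
    ext = os.path.splitext(url.split("?", 1)[0])[1].lower()
    return ext in WMF_EXTENSIONS or bool(matched_signatures(url, headers, body))


# Constructed samples: an honestly named .wmf, the same file renamed and served
# with a spoofed Content-Type (Edgardo's case), and a clean GIF.
SAMPLES = {
    "named":   ("http://host.example/pic.wmf", {"content-type": "application/x-msmetafile"}, b"184Gmg..."),
    "spoofed": ("http://host.example/pic.gif", {"content-type": "image/gif"}, b"184Gmg..."),
    "clean":   ("http://host.example/pic.gif", {"content-type": "image/gif"}, b"GIF89a..."),
}
```

The spoofed sample is why the response-body triggers matter: with the extension renamed and Content-Type set to image/gif, only WMF-6 fires.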