Much thanking you, sir!

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Paul Crisp [mailto:PCrisp@xxxxxxxxxxxxxxxxx]
Sent: Friday, January 06, 2006 1:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Hi Jim,

Can confirm all has worked this time, superb scripting my friend :)

Regards

Paul Crisp
Snr Network Support Analyst

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: 06 January 2006 05:08
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Ok - code review & final testing done.
Version 1.0 is at http://isatools.org/block_wmf.zip

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 16:24
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Ok - script updated to operate on Enterprise Edition.
V 0.3 available at http://isatools.org/block_wmf.zip

If no bugs reported and in-house code review is good, we'll release it tonight.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, January 05, 2006 13:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Hi Jim,

Thanks!!!

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 2:16 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
>
> http://www.ISAserver.org
>
> Sure (please don't post it to isaserver.org yet; not quite baked)
>
> 1. examines all arrays
> 2. within each array, it examines all rules
> 3. if the rule is:
>    - "allow"
>    - not "default"
>    - includes the Web Proxy filter
> ..it updates the HTTP Filter settings as:
>
> Extensions:
>   If "block specified"
>     Add .emf
>     Add .wmf
>
>   If "allow specified"
>     Remove .emf
>     Remove .wmf
>
> Signatures:
>   Name=WMF-1
>   Description="request file type trigger"
>   Type="Request URL"
>   Signature=".emf"
>
>   Name=WMF-2
>   Description="request file type trigger"
>   Type="Request URL"
>   Signature=".wmf"
>
>   Name=WMF-3
>   Description="response headers trigger"
>   Type="Response Headers"
>   HTTP Header="content-type"
>   Signature="msmetafile"
>
>   Name=WMF-4
>   Description="response body file type trigger"
>   Type="Response Body"
>   Signature=".emf"
>
>   Name=WMF-5
>   Description="response body file type trigger"
>   Type="Response Body"
>   Signature=".wmf"
>
>   Name=WMF-6
>   Description="response body file header trigger"
>   Type="Response Body"
>   Signature="184Gmg"
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 11:31
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
>
> http://www.ISAserver.org
>
> Hey Jim,
>
> Can you give a thumbnail view of what this script does?
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, January 05, 2006 1:27 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> >
> > http://www.ISAserver.org
> >
> > Ok - found and fixed the bug - twere a logic error in publishing rules.
> > Also "hardened" the script in a few places.
> > http://isatools.org/block_wmf.zip
> >
> > Note that it only acts on the array policies for now.
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> > -----Original Message-----
> > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Thursday, January 05, 2006 10:02
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> >
> > http://www.ISAserver.org
> >
> > Andy Haigh
> >
> > And everyone has been ignoring it since.
> >
> > John T
> > eServices For You
> >
> > > -----Original Message-----
> > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > Sent: Thursday, January 05, 2006 9:43 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > http://www.ISAserver.org
> > >
> > > I've noticed that my spell checker stops at the subject line of this
> > > thread. Who spelled Vunrability??? Damn you guys for making me hit
> > > cancel first :)
> > >
> > > Joseph
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, January 05, 2006 7:34 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Joseph,
> > >
> > > Keeping my eyes open for it.
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > > > -----Original Message-----
> > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > Sent: Thursday, January 05, 2006 12:52 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Thomas,
> > > >
> > > > I hear that the next round of this type of attack may indeed be
> > > > *.gif or some other variant.
> > > >
> > > > Joseph
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 10:33 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Joseph,
> > > >
> > > > Yes, I knew what .wmf meant, was just having some fun there :)
> > > >
> > > > You could change the application that opens the .wmf file, but what
> > > > if they change the file extension to .doc or .xls or .gif? I think
> > > > you still end up getting whacked.
> > > >
> > > > Tom
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://spaces.msn.com/members/drisa/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > > **Who is John Galt?**
> > > >
> > > > > -----Original Message-----
> > > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > > Sent: Wednesday, January 04, 2006 12:03 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: WMF Vunrability
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Hi Thomas,
> > > > >
> > > > > WMF -- Um, this is a family list! But, I could also think of a few
> > > > > more things. Google desktop indexing has a flaw...If some
> > > > > unsuspecting user sets it up incorrectly or some goof uses it on a
> > > > > corporate network, then, the indexing process can show up on the
> > > > > internet! Now that's why I don't use trash like that.
> > > > >
> > > > > I'm sure you knew that *.wmf was for windows meta file. Changing the
> > > > > program that opens that to notepad actually works. At least in my
> > > > > test environment.
> > > > >
> > > > > Thank you,
> > > > > Joseph
> > > > >
> > > > > -----Original Message-----
> > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > > Sent: Wednesday, January 04, 2006 10:03 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: WMF Vunrability
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Hi Joseph,
> > > > >
> > > > > I read that even if you use Google indexing service on your
> > > > > computer, it will whack you when the WMF is accessed.
> > > > >
> > > > > BTW, what does WMF stand for? I can think of a few things right
> > > > > now :))
> > > > >
> > > > > Tom
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://spaces.msn.com/members/drisa/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- ISA Firewalls
> > > > > **Who is John Galt?**
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > > > Sent: Wednesday, January 04, 2006 11:53 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: WMF Vunrability
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > Another minor way to fix this from the desktop point of view and
> > > > > > yes it is a pain in the ass. Change the program that opens up
> > > > > > *.wmf (fax viewer) to use notepad instead. Not very feasible
> > > > > > though with a real large shop.
> > > > > >
> > > > > > Joseph
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> > > > > > Sent: Wednesday, January 04, 2006 9:49 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: WMF Vunrability
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > I have been thinking similar to "Thor" in that, "... have you found
> > > > > > the application/x-msmetafile mime block is all you have to do?"
> > > > > > As .wmf file type is listed as
> > > > > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> > > > > >
> > > > > > However, Jim Harrison mentions, "...use pattern matching in the
> > > > > > response stream. Request and response headers are ok unless the
> > > > > > "bad place" decides to spoof them."
> > > > > >
> > > > > > So application/x-msmetafile mime block does not completely block
> > > > > > the wmf type of files? Is what Jim is saying that the "bad place"
> > > > > > may spoof the headers, and Windows will continue to open the file
> > > > > > with the vulnerable application/dll?
> > > > > >
> > > > > > But doesn't ISA Application Filter and therefore able to block the
> > > > > > specific mime type for *.wmf regardless of headers? Much like how
> > > > > > it blocks executables regardless of extension?
> > > > > >
> > > > > > Just attempting to add to the discussion, thanks!
> > > > > > Edgardo
> > > > > >
> > > > > > (BTW: above quotes are taken from the "OT - texas hold em" thread)
> >
> > All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
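
Added example (not part of the original thread, and not the block_wmf script): a Python model of the extension update and the six signatures listed in the thread, run against constructed transactions to show why the URL and header checks alone miss a renamed file served with a different content-type. Case-insensitive substring matching, the function names and the sample URLs and bodies are assumptions; no ISA Server API is called.

```python
# Added illustration: a plain-Python model of the rule changes described in
# the thread. It does not talk to ISA Server and is not the block_wmf script.

EXTS = {".emf", ".wmf"}

# (name, where to search, header name or None, pattern) as listed in the thread.
SIGNATURES = [
    ("WMF-1", "request_url", None, ".emf"),
    ("WMF-2", "request_url", None, ".wmf"),
    ("WMF-3", "response_headers", "content-type", "msmetafile"),
    ("WMF-4", "response_body", None, ".emf"),
    ("WMF-5", "response_body", None, ".wmf"),
    ("WMF-6", "response_body", None, "184Gmg"),
]

# Constructed sample body that happens to contain the WMF-6 pattern.
SAMPLE_BODY = b"constructed sample body 184Gmg followed by more bytes"

def update_extensions(mode, extensions):
    """Apply the thread's extension step to one rule's extension list."""
    exts = {e.lower() for e in extensions}
    if mode == "block specified":
        return exts | EXTS   # make sure both extensions are blocked
    if mode == "allow specified":
        return exts - EXTS   # make sure neither extension is allowed
    return exts              # any other mode is left untouched

def matches(url, headers, body):
    """Return the names of the signatures that fire for one transaction."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    hits = []
    for name, where, header, pattern in SIGNATURES:
        if where == "request_url":
            haystack = url.lower()
        elif where == "response_headers":
            haystack = hdrs.get(header, "")
        else:
            haystack = body.decode("latin-1").lower()
        # Assumption: case-insensitive substring match.
        if pattern.lower() in haystack:
            hits.append(name)
    return hits

if __name__ == "__main__":
    # Honest server: extension and content-type both identify the file.
    print(matches("http://example.test/pics/logo.wmf",
                  {"Content-Type": "application/x-msmetafile"}, SAMPLE_BODY))
    # Renamed file with a different content-type: only the body check fires.
    print(matches("http://example.test/pics/logo.gif",
                  {"Content-Type": "image/gif"}, SAMPLE_BODY))
```

The second transaction is the case raised in the thread: the extension and content-type signatures depend on values the remote server chooses, so only the response-body signature still fires.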