RE: WMF Vulnerability

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 6 Jan 2006 06:46:46 -0800

Much thankling you, sir!

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Paul Crisp [mailto:PCrisp@xxxxxxxxxxxxxxxxx] 
Sent: Friday, January 06, 2006 1:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Hi Jim,

Can confirm all has worked this time, superb scripting my friend :)

Regards

Paul Crisp
Snr Network Support Analyst


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: 06 January 2006 05:08
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Ok - code review & final testing done.
Version 1.0 is at http://isatools.org/block_wmf.zip


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 16:24
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Ok - script updated to operate on Enterprise Edition.
V 0.3 available at http://isatools.org/block_wmf.zip 

If no bugs reported and in-house code review is good, we'll release it
tonight.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, January 05, 2006 13:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Hi Jim,

Thanks!!!

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 2:16 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
> 
> http://www.ISAserver.org
> 
> Sure (please don't post it to isaserver.org yet; not quite baked)
> 
> 1. examines all arrays
> 2. within each array, it examines all rules
> 3. if the rule is:
>   - "allow" 
>   - not "default"
>   - includes the Web Proxy filter
> ..it updates the HTTP Filter settings as:
> 
> Extensions: 
>    If "block specified"
>    Add .emf
>    Add .wmf
>    
>    If "allow specified"
>    Remove .emf
>    Remove .wmf
> 
> Signatures:
>    Name=WMF-1
>    Description="request file type trigger"
>    Type="Request URL"
>    Signature=".emf"
> 
>    Name=WMF-2
>    Description="request file type trigger"
>    Type="Request URL"
>    Signature=".wmf"
> 
>    Name=WMF-3
>    Description="response headers trigger"
>    Type="Response Headers"
>    HTTP Header="content-type"
>    Signature="msmetafile"
> 
>    Name=WMF-4
>    Description="response body file type trigger"
>    Type="Response Body"
>    Signature=".emf"
> 
>    Name=WMF-5
>    Description="response body file type trigger"
>    Type="Response Body"
>    Signature=".wmf"
> 
>    Name=WMF-6
>    Description="response body file header trigger"
>    Type="Response Body"
>    Signature="184Gmg"
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 11:31
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
> 
> http://www.ISAserver.org
> 
> Hey Jim,
> 
> Can you give a thumbnail view of what this script does?
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, January 05, 2006 1:27 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> > 
> > http://www.ISAserver.org
> > 
> > Ok - found and fixed the bug - twere a logic error in publishing 
> > rules.
> > Also "hardened" the script in a few places.
> > http://isatools.org/block_wmf.zip
> > 
> > Note that it only acts on the array policies for now.
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Thursday, January 05, 2006 10:02
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vulnerability
> > 
> > http://www.ISAserver.org
> > 
> > Andy Haigh
> > 
> > And everyone has been ignoring it since.
> > 
> > John T
> > eServices For You
> > 
> > 
> > > -----Original Message-----
> > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > Sent: Thursday, January 05, 2006 9:43 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > > 
> > > http://www.ISAserver.org
> > > 
> > > I've noticed that my spell checker stops at the subject line of this
> > > thread.
> > > Who spelled Vunrability???  Damn you guys for making me hit cancel
> > > first
> > > :)
> > > 
> > > Joseph
> > > 
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, January 05, 2006 7:34 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Hi Joseph,
> > > 
> > > Keeping my eyes open for it.
> > > 
> > > Tom
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > Sent: Thursday, January 05, 2006 12:52 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Thomas,
> > > >
> > > > I hear that the next round of this type of attack may indeed be
> > > > *.gif or some other variant.
> > > >
> > > > Joseph
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 10:33 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Joseph,
> > > >
> > > > Yes, I knew what .wmf meant, was just having some fun there :)
> > > >
> > > > You could change the application that opens the .wmf file, but what
> > > > if they change the file extension to .doc or .xls or .gif? I think
> > > > you still end up getting whacked.
> > > >
> > > > Tom
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://spaces.msn.com/members/drisa/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > > **Who is John Galt?**
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > > Sent: Wednesday, January 04, 2006 12:03 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: WMF Vunrability
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Hi Thomas,
> > > > >
> > > > > WMF -- Um, this is a family list! But, I could also think of a few
> > > > > more things.  Google desktop indexing has a flaw...If some
> > > > > unsuspecting user sets it up incorrectly or some goof uses it on a
> > > > > corporate network, then, the indexing process can show up on the
> > > > > internet!  Now that's why I don't use trash like that.
> > > > >
> > > > > I'm sure you knew that *.wmf was for windows meta file.
> > > > > Changing the program that opens that to notepad actually works. At
> > > > > least in my test environment.
> > > > >
> > > > > Thank you,
> > > > > Joseph
> > > > >
> > > > > -----Original Message-----
> > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > > Sent: Wednesday, January 04, 2006 10:03 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: WMF Vunrability
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Hi Joseph,
> > > > >
> > > > > I read that even if you use Google indexing service on your 
> > > > > computer, it will whack you when the WMF is accessed.
> > > > >
> > > > > BTW, what does WMF stand for? I can think of a few things right
> > > > > now :))
> > > > >
> > > > > Tom
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://spaces.msn.com/members/drisa/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- ISA Firewalls
> > > > > **Who is John Galt?**
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > > > Sent: Wednesday, January 04, 2006 11:53 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: WMF Vunrability
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > Another minor way to fix this from the desktop point of view and
> > > > > > yes it is a pain in the ass. Change the program that opens up
> > > > > > *.wmf (fax viewer) to use notepad instead.  Not very feasible
> > > > > > though with a real large shop.
> > > > > >
> > > > > > Joseph
> > > > > >
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> > > > > > Sent: Wednesday, January 04, 2006 9:49 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: WMF Vunrability
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > > I have been thinking similar to "Thor" in that, "... have you
> > > > > > found the application/x-msmetafile mime block is all you have to
> > > > > > do?"
> > > > > > As .wmf file type is listed as
> > > > > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> > > > > >
> > > > > > However Jim Harrison, mentions, "...use pattern matching in the
> > > > > > response stream.  Request and response headers are ok unless the
> > > > > > "bad place" decides to spoof them."
> > > > > >
> > > > > > So application/x-msmetafile mime block does not completely block
> > > > > > the wmf type of files? Is what Jim is saying that the "bad
> > > > > > place" may spoof the headers, and Windows will continue to open
> > > > > > the file with the vulnerable application/dll?
> > > > > >
> > > > > > But isn't the ISA Application Filter therefore able to block
> > > > > > the specific mime type for *.wmf regardless of headers?  Much
> > > > > > like how it blocks executables regardless of extension?
> > > > > >
> > > > > > Just attempting to add to the discussion, thanks!
> > > > > > Edgardo
> > > > > >
> > > > > > (BTW: above quotes are taken from the "OT - texas hold em" 
> > > > > > thread)
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
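The filter changes Jim outlines in his thumbnail above (which rules qualify, how the extension list is handled, and the six signatures), modelled here as added example code: this is not the block_wmf script from isatools.org, it stands in for ISA's COM API with plain Python data, and the Rule fields and the sample exchanges are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# The six signatures from Jim's thumbnail: (name, type, header, pattern)
SIGNATURES = [
    ("WMF-1", "Request URL", None, ".emf"),
    ("WMF-2", "Request URL", None, ".wmf"),
    ("WMF-3", "Response Headers", "content-type", "msmetafile"),
    ("WMF-4", "Response Body", None, ".emf"),
    ("WMF-5", "Response Body", None, ".wmf"),
    ("WMF-6", "Response Body", None, "184Gmg"),
]

@dataclass
class Rule:                   # assumed model of an ISA rule, not the COM object
    name: str
    action: str               # "allow" or "deny"
    default: bool             # the built-in default rule is skipped
    web_proxy_filter: bool    # rule has the Web Proxy filter attached
    ext_mode: str             # "block specified" or "allow specified"
    extensions: set = field(default_factory=set)

def update_rule(rule):
    """Apply the extension change to one rule; True if the rule qualified."""
    if rule.action != "allow" or rule.default or not rule.web_proxy_filter:
        return False
    if rule.ext_mode == "block specified":
        rule.extensions |= {".emf", ".wmf"}     # add the metafile types
    else:                                       # "allow specified"
        rule.extensions -= {".emf", ".wmf"}     # make sure they are not allowed
    return True

def update_arrays(arrays):
    """arrays: {array_name: [Rule, ...]} -> names of rules that were modified."""
    return [r.name for rules in arrays.values() for r in rules if update_rule(r)]

def matching_signatures(url, resp_headers, body):
    """Signature names that fire on one exchange (matching modelled as case-insensitive)."""
    hdrs = {k.lower(): v.lower() for k, v in resp_headers.items()}
    low_body = body.lower()                     # body is bytes
    hits = []
    for name, kind, header, pat in SIGNATURES:
        if kind == "Request URL" and pat in url.lower():
            hits.append(name)
        elif kind == "Response Headers" and pat in hdrs.get(header, ""):
            hits.append(name)
        elif kind == "Response Body" and pat.lower().encode() in low_body:
            hits.append(name)
    return hits
```

A constructed exchange with a spoofed image/gif Content-Type, a .gif URL and the metafile marker in the body is caught only by the body signature, which is the point Jim made earlier in the thread about pattern matching in the response stream.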
