RE: WMF Vunrability

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 4 Jan 2006 20:39:14 -0600

Hi Tim,

You can export the HTTP Security Filter config with a script and then
import it to each allow rule that includes the HTTP protocol.

Check out:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx

Go toward the end of the article to see the details on how to use the
httpfilterconfig.vbs script.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, January 04, 2006 8:32 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> http://www.ISAserver.org
> 
> So we have to configure this for every HTTP rule individually?
> 
> t
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
> 
> 
> ----- Original Message ----- 
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 04, 2006 5:57 PM
> Subject: [isalist] RE: WMF Vunrability
> 
> 
> http://www.ISAserver.org
> 
> Updated:
> 
> HTTP filter settings (you all know how to get there).
> 
> 1. Extensions:
> <choice>
>    Set "block specified"
>    Add .emf
>    Description="application/x-msmetafile"
>    Add .wmf
>    Description="application/x-msmetafile"
> </choice>
> <choice>
>    Set "allow specified"
>    Remove .emf
>    Remove .wmf
> </choice>
> <notachoice>
>    Set "allow all"
> </notachoice>
> 
> 2. Signatures:
>    Name=WMF-1
>    Description="request file type trigger"
>    Type="Request URL"
>    Signature=".emf"
> 
>    Name=WMF-2
>    Description="request file type trigger"
>    Type="Request URL"
>    Signature=".wmf"
> 
>    Name=WMF-3
>    Description="response headers trigger"
>    Type="Response Headers"
>    HTTP Header="content-type"
>    Signature="msmetafile"
> 
>    Name=WMF-4
>    Description="response body file type trigger"
>    Type="Response Body"
>    Signature=".emf"
> 
>    Name=WMF-5
>    Description="response body file type trigger"
>    Type="Response Body"
>    Signature=".wmf"
> 
>    Name=WMF-6
>    Description="response body file header trigger"
>    Type="Response Body"
>    Signature="184Gmg"
> 
> WMF-6 is the kewl one because all binary files are base-64 encoded when
> transferred over HTTP and FTP.
> WMF files usually incorporate a predefined header value that resolves to the
> Base-64 signature in this definition.
> It's probably the same technique as the GFI filter, except not as smart.
> 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 15:27
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> http://www.ISAserver.org
> 
> Hey Jim,
> 
> Forget about the automation, just let us know what to do :)
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 2:18 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > Sorry - I haven't.
> > I'm working with MSRC to narrow down the definitions and automation
> > for the ISA 2004 blocker.
> >
> >
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 11:45
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > Jim, did you read this?  I'm wondering if the method described to
> > "block extensions" is correct or not.  Rather than using "Configure
> > HTTP" and setting allowable extensions, I thought one should explicitly
> > create a deny rule specifying both the .wmf extension *as well* as
> > application/x-msmetafile as the MIME type.  Incoming HTTP file
> > associations are handled by MIME type, not file extension.  Only when
> > there is no MIME type handed down by the server is a file extension
> > used (or when you do an actual file transfer, like with FTP.)
> >
> > Comments on that?
> >
> > t
> >
> >
> >
> > -----
> > "I may disapprove of what you say,
> > but I will defend to the death your
> > right to say it."
> >
> >
> > ----- Original Message -----
> > From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 04, 2006 11:24 AM
> > Subject: [isalist] RE: WMF Vunrability
> >
> >
> > > http://www.ISAserver.org
> > >
> > > Hey guys,
> > >
> > > Check out
> > > http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx
> > > too ;-)
> > >
> > > HTH,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: woensdag 4 januari 2006 20:16
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Tim,
> > >
> > > I agree. There seems to be more than the usual amount of FUD
> > > associated with this problem. :(
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> Sent: Wednesday, January 04, 2006 1:01 PM
> > >> To: [ISAserver.org Discussion List]
> > >> Subject: [isalist] RE: WMF Vunrability
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> I wouldn't call it "program like behavior."  They just contain both
> > >> metadata and rendering data in the same file (as I understand it.)
> > >>
> > >> Renaming the file to something like ".gif" or ".jpg" could still cause
> > >> execution if loaded from a file, but only if the Picture and Fax
> > >> Viewer was the default program for those file types.  From a browser,
> > >> for WP&FV to open it and parse the data, it has to be that MIME type
> > >> (again, as I understand it.)
> > >>
> > >> While I've read here that the "way to do it" is how GFI does it, I've
> > >> still not seen any information on why simple content filtering won't
> > >> work.  But then again, I read where Jim is working with MSRC to come
> > >> up with a "workable" filter.  It would be nice to get some
> > >> authoritative, detailed information on why MIME and file type
> > >> filtering *won't* work.
> > >>
> > >> t
> > >>
> > >>
> > >> -----
> > >> "I may disapprove of what you say,
> > >> but I will defend to the death your right to say it."
> > >>
> > >>
> > >> ----- Original Message -----
> > >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > >> Sent: Wednesday, January 04, 2006 10:31 AM
> > >> Subject: [isalist] RE: WMF Vunrability
> > >>
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> Hi Tim,
> > >>
> > >> Don't know about that, but it's a good question. But I have to wonder
> > >> about other apps that open the WMF files. FWIU, WMF files have some
> > >> program like behavior that allows them to call other programs if
> > >> something doesn't work.
> > >>
> > >> How's that as an erudite description for a process? :)
> > >>
> > >> Tom
> > >>
> > >> Thomas W Shinder, M.D.
> > >> Site: www.isaserver.org
> > >> Blog: http://spaces.msn.com/members/drisa/
> > >> Book: http://tinyurl.com/3xqb7
> > >> MVP -- ISA Firewalls
> > >> **Who is John Galt?**
> > >>
> > >>
> > >>
> > >> > -----Original Message-----
> > >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> > Sent: Wednesday, January 04, 2006 12:13 PM
> > >> > To: [ISAserver.org Discussion List]
> > >> > Subject: [isalist] RE: WMF Vunrability
> > >> >
> > >> > http://www.ISAserver.org
> > >> >
> > >> > But if he sets a different mime type, Fax Viewer won't open the
> > >> > program, right?
> > >> >
> > >> > t
> > >> > -----
> > >> > "I may disapprove of what you say, but I will defend to the death
> > >> > your right to say it."
> > >> >
> > >> >
> > >> > ----- Original Message -----
> > >> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > >> > Sent: Wednesday, January 04, 2006 9:32 AM
> > >> > Subject: [isalist] RE: WMF Vunrability
> > >> >
> > >> >
> > >> > http://www.ISAserver.org
> > >> >
> > >> > Hi Jonathon,
> > >> >
> > >> > That won't work, because the scumbag can use any file name he wants.
> > >> > Same goes with the MIME type. The MIME type is set at the Web
> > >> > server, so the scumbag can associate any MIME type he wants.
> > >> >
> > >> > Tom
> > >> >
> > >> > Thomas W Shinder, M.D.
> > >> > Site: www.isaserver.org
> > >> > Blog: http://spaces.msn.com/members/drisa/
> > >> > Book: http://tinyurl.com/3xqb7
> > >> > MVP -- ISA Firewalls
> > >> > **Who is John Galt?**
> > >> >
> > >> >
> > >> >
> > >> > > -----Original Message-----
> > >> > > From: Jonathon J. Howey [mailto:Jonathon@xxxxxxx]
> > >> > > Sent: Wednesday, January 04, 2006 11:25 AM
> > >> > > To: [ISAserver.org Discussion List]
> > >> > > Subject: [isalist] RE: WMF Vunrability
> > >> > >
> > >> > > http://www.ISAserver.org
> > >> > >
> > >> > > What I did to block it was:
> > >> > >
> > >> > > Internet Access Policy -> Protocols tab -> Filtering -> Configure HTTP
> > >> > > -> Extensions tab.  Should be self explanatory from there.
> > >> > >
> > >> > >
> > >> > >
> > >> > > Jonathon J. Howey
> > >> > > KPSA Compliance Management Inc.
> > >> > > P 780.409.5620
> > >> > > F 780.409.5621
> > >> > > D 780.409.5628
> > >> > > C 780.965.8363
> > >> > > Jonathon@xxxxxxx
> > >> > >
> > >> > > Guiding the Future of Transportation www.KPSA.ca
> > >> > >
> > >> > >
> > >> > >
> > >> > > -----Original Message-----
> > >> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > >> > > Sent: January 4, 2006 10:12 AM
> > >> > > To: [ISAserver.org Discussion List]
> > >> > > Subject: [isalist] RE: WMF Vunrability
> > >> > >
> > >> > > http://www.ISAserver.org
> > >> > >
> > >> > > He never stated what his "block" was.
> > >> > >
> > >> > >
> > >> > > -------------------------------------------------------
> > >> > >    Jim Harrison
> > >> > >    MCP(NT4, W2K), A+, Network+, PCG
> > >> > >    http://isaserver.org/Jim_Harrison/
> > >> > >    http://isatools.org
> > >> > >    Read the help / books / articles!
> > >> > > -------------------------------------------------------
> > >> > >
> > >> > >
> > >> > > -----Original Message-----
> > >> > > From: Brian Boyes [mailto:BrianB@xxxxxxxxx]
> > >> > > Sent: Wednesday, January 04, 2006 09:02
> > >> > > To: [ISAserver.org Discussion List]
> > >> > > Subject: [isalist] RE: WMF Vunrability
> > >> > >
> > >> > > http://www.ISAserver.org
> > >> > >
> > >> > > > I have installed the "wmf" block to my ISA 2004 clients but I'm not sure
> > >> > > > how to set this up for ISA 2000.
> > >> > > > Could someone provide advice of the best way to do this.
> > >> > >
> > >> > > Did anyone ever post an answer? I'm curious about this "wmf block".
> > >> > >
> > >> > > Brian
> > >> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > thor@xxxxxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> >
> > All mail to and from this domain is GFI-scanned.
> 
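The two approaches debated in this thread, side by side, as an added example that is not from any poster and is not ISA Server code: matching on extension and Content-Type (the Extensions step and signatures WMF-1 to WMF-3) against a check of the leading bytes of the response body. The header constants are general metafile format facts rather than values from the thread, the sample bodies and `example.test` URLs are constructed, and `stable_b64_prefix` shows which base64 characters a fixed header determines when the data is base64-encoded.

```python
import base64

# File-format constants (general format facts, not values from the thread).
PLACEABLE_KEY = bytes.fromhex("d7cdc69a")  # placeable WMF key 0x9AC6CDD7, little-endian
EMF_SIGNATURE = b" EMF"                    # ENHMETAHEADER dSignature, at byte offset 40
BLOCKED_EXTENSIONS = (".wmf", ".emf")      # from the Extensions step in the thread
BLOCKED_MIME_TOKEN = "msmetafile"          # from signature WMF-3 in the thread


def name_or_mime_match(url: str, content_type: str) -> bool:
    """Extension and Content-Type rules: both inputs are chosen by the sender."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(BLOCKED_EXTENSIONS) or BLOCKED_MIME_TOKEN in content_type.lower()


def sniff_metafile(body: bytes):
    """Classify by leading bytes only; returns 'wmf', 'emf' or None."""
    if body[:4] == PLACEABLE_KEY:
        return "wmf"
    # Standard METAHEADER: type 1 or 2, header size 9 words, version 0x0100/0x0300.
    if (len(body) >= 6 and body[0:2] in (b"\x01\x00", b"\x02\x00")
            and body[2:4] == b"\x09\x00" and body[4:6] in (b"\x00\x01", b"\x00\x03")):
        return "wmf"
    # EMF: first record type is 1 (EMR_HEADER) and " EMF" sits at offset 40.
    if len(body) >= 44 and body[:4] == b"\x01\x00\x00\x00" and body[40:44] == EMF_SIGNATURE:
        return "emf"
    return None


def stable_b64_prefix(magic: bytes) -> str:
    """Base64 characters fixed by `magic` alone when it starts the encoded data.

    Only floor(8*len/6) characters are fully determined; the next one also
    depends on whatever byte follows the magic.
    """
    return base64.b64encode(magic).decode("ascii")[: (len(magic) * 8) // 6]


# Constructed header-only samples (zero-filled, not real images).
SAMPLE_PLACEABLE = PLACEABLE_KEY + bytes(18)
SAMPLE_STANDARD = b"\x01\x00\x09\x00\x00\x03" + bytes(12)
SAMPLE_EMF = b"\x01\x00\x00\x00" + bytes(36) + EMF_SIGNATURE + bytes(44)
SAMPLE_GIF = b"GIF89a" + bytes(10)

CASES = [  # (url, declared Content-Type, body); hosts are placeholders
    ("http://example.test/chart.wmf", "application/x-msmetafile", SAMPLE_PLACEABLE),
    ("http://example.test/photo.jpg", "image/jpeg", SAMPLE_PLACEABLE),
    ("http://example.test/view?id=7", "image/gif", SAMPLE_EMF),
    ("http://example.test/logo.gif", "image/gif", SAMPLE_GIF),
]


def evaluate(cases=CASES):
    """Return (name_or_mime_match, sniffed_type) per case."""
    return [(name_or_mime_match(u, ct), sniff_metafile(b)) for u, ct, b in cases]


if __name__ == "__main__":
    for (url, ctype, _), result in zip(CASES, evaluate()):
        print(url, ctype, result)
    print("base64 prefix of placeable key:", stable_b64_prefix(PLACEABLE_KEY))
```

The second and third cases pass the extension and Content-Type rules while the body is still recognised as a metafile. A body signature written against base64 text should be checked against what the encoder actually emits for the header bytes, since a four-byte header fixes only the first five characters.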

