RE: WMF Vunrability
- From: "Ara Avvali" <ara.avvali@xxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 6 Jan 2006 23:13:19 -0800
With wsus patched all systems with recently released update, is it still
necessary to keep this filter?
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 5:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability
http://www.ISAserver.org
Updated:
HTTP filter settings (you all know how to get there).
1. Extensions:
<choice>
Set "block specified"
Add .emf
Description="application/x-msmetafile"
Add .wmf
Description="application/x-msmetafile"
</choice>
<choice>
Set "allow specified"
Remove .emf
Remove .wmf
</choice>
<notachoice>
Set "allow all"
</notachoice>
2. Signatures:
Name=WMF-1
Description="request file type trigger"
Type="Request URL"
Signature=".emf"
Name=WMF-2
Description="request file type trigger"
Type="Request URL"
Signature=".wmf"
Name=WMF-3
Description="response headers trigger"
Type="Response Headers"
HTTP Header="content-type"
Signature="msmetafile"
Name=WMF-4
Description="response body file type trigger"
Type="Response Body"
Signature=".emf"
Name=WMF-5
Description="response body file type trigger"
Type="Response Body"
Signature=".wmf"
Name=WMF-6
Description="response body file header trigger"
Type="Response Body"
Signature="184Gmg"
WMF-6 is the kewl one because all binary files are base-64 encoded when
transferred over HTTP and FTP.
WMF files usually incorporate a predefined header value that resolves to
the Base-64 signature in this definition.
It's probably the same technique as the GFI filter, except not as smart.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 16:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability
http://www.ISAserver.org
HTTP filter settings (you all know how to get there).
1. Extensions:
<choice>
Set "block specified"
Add .emf
Description="application/x-msmetafile"
Add .wmf
Description="application/x-msmetafile"
</choice>
<choice>
Set "allow specified"
Remove .emf
Remove .wmf
</choice>
<notachoice>
Set "allow all"
</notachoice>
2. Signatures:
Name=WMF-1
Description="request file type trigger"
Type="Request URL"
Signature=".emf"
Name=WMF-2
Description="request file type trigger"
Type="Request URL"
Signature=".wmf"
Name=WMF-3
Description="response headers trigger"
Type="Response Headers"
HTTP Header="content-type"
Signature="msmetafile"
Name=WMF-4
Description="response body file type trigger"
Type="Response Body"
Signature=".emf"
Name=WMF-5
Description="response body file type trigger"
Type="Response Body"
Signature=".wmf"
Name=WMF-6
Description="response body file header trigger"
Type="Response Body"
Signature="184Gmg"
WMF-6 is the kewl one because all binary files are base-64 encoded when
transferred over HTTP and FTP.
WMF files usually incorporate a predefined header value that resolves to
the Base-64 signature in this definition.
It's probably the same technique as the GFI filter, except not as smart.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 15:27
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability
http://www.ISAserver.org
Hey Jim,
Forget about the automation, just let us know what to do :)
Thanks!
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 2:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> Sorry - I haven't.
> I'm working with MSRC to narrow down the definitions and automation
> for the ISA 2004 blocker.
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 11:45
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> Jim, did you read this? I'm wondering if the method described to
> "block extensions" is correct or not. Rather than using "Configure
> HTTP" and setting allowable extensions, I though one should explicitly
> create a deny rule specifying both the .wmf extension *as well* as
> application/x-msmetafile as the MIME type. Incoming HTTP file
> associations are handled by MIME type, not file extension. Only when
> there is no MIME type handed down by the server is a file extension
> used (or when you do an actual file transfer, like with FTP.)
>
> Comments on that?
>
> t
>
>
>
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
>
>
> ----- Original Message -----
> From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 04, 2006 11:24 AM
> Subject: [isalist] RE: WMF Vunrability
>
>
> > http://www.ISAserver.org
> >
> > Hey guys,
> >
> > Check out
> >
> http://blogs.technet.com/jesper_johansson/archive/2006/01/02/4
> 16762.aspx
> > too
> > ;-)
> >
> > HTH,
> > Stefaan
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: woensdag 4 januari 2006 20:16
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > Hi Tim,
> >
> > I agree. There seems to be than the ususal amount of FUD
> associated with
> > this problem. :(
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Wednesday, January 04, 2006 1:01 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] RE: WMF Vunrability
> >>
> >> http://www.ISAserver.org
> >>
> >> I wouldn't call it "program like behavior." They just contain both
> >> metadata and rendering data in the same file (as I understand it.)
> >>
> >> Renaming the file to something like ".gif" or ".jpg" could
> still cause
> >> execution if loaded from a file, but only if the Picture and Fax
> >> Viewer was the default program for those file types. From
> a browser,
> >> for WP&FV to open it and parse the data, it has to be that
> MIME type
> >> (again, as I understand
> >> it.)
> >>
> >> While I've read here that the "way to do it" is how GFI
> does it, I've
> >> still not seen any information on why simple content
> filtering won't
> >> work. But then again, I read where Jim is working with
> MSRC to come
> >> up with a "workable" filter. It would be nice to get some
> >> authoritative, detailed information on why MIME and file type
> >> filtering *won't* work.
> >>
> >> t
> >>
> >>
> >> -----
> >> "I may disapprove of what you say,
> >> but I will defend to the death your right to say it."
> >>
> >>
> >> ----- Original Message -----
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Wednesday, January 04, 2006 10:31 AM
> >> Subject: [isalist] RE: WMF Vunrability
> >>
> >>
> >> http://www.ISAserver.org
> >>
> >> Hi Tim,
> >>
> >> Don't know about that, but it's a good question. But I
> have to wonder
> >> about other apps that open the WMF files. FWIU, WMF files
> have some
> >> program like behavior that allow it to call other programs if
> >> something doesn't work.
> >>
> >> How's that as a erudite description for a process? :)
> >>
> >> Tom
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://spaces.msn.com/members/drisa/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> **Who is John Galt?**
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> > Sent: Wednesday, January 04, 2006 12:13 PM
> >> > To: [ISAserver.org Discussion List]
> >> > Subject: [isalist] RE: WMF Vunrability
> >> >
> >> > http://www.ISAserver.org
> >> >
> >> > But if he sets a differnt mime type, Fax Viewer won't open the
> >> > program, right?
> >> >
> >> > t
> >> > -----
> >> > "I may disapprove of what you say, but I will defend to the death
> >> > your right to say it."
> >> >
> >> >
> >> > ----- Original Message -----
> >> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> > Sent: Wednesday, January 04, 2006 9:32 AM
> >> > Subject: [isalist] RE: WMF Vunrability
> >> >
> >> >
> >> > http://www.ISAserver.org
> >> >
> >> > Hi Jonathon,
> >> >
> >> > That won't work, because the scumbag can use any file
> name he wants.
> >> > Same goes with the MIME type. The MIME type is set at the Web
> >> > server, so the scumbag can associate any MIME type he wants.
> >> >
> >> > Tom
> >> >
> >> > Thomas W Shinder, M.D.
> >> > Site: www.isaserver.org
> >> > Blog: http://spaces.msn.com/members/drisa/
> >> > Book: http://tinyurl.com/3xqb7
> >> > MVP -- ISA Firewalls
> >> > **Who is John Galt?**
> >> >
> >> >
> >> >
> >> > > -----Original Message-----
> >> > > From: Jonathon J. Howey [mailto:Jonathon@xxxxxxx]
> >> > > Sent: Wednesday, January 04, 2006 11:25 AM
> >> > > To: [ISAserver.org Discussion List]
> >> > > Subject: [isalist] RE: WMF Vunrability
> >> > >
> >> > > http://www.ISAserver.org
> >> > >
> >> > > What I did to block it was:
> >> > >
> >> > > Internet Access Policy -> Protocols tab -> Filtering ->
> >> > Configure HTTP
> >> > > -> Extensions tab. Should be self explanatory from there.
> >> > >
> >> > >
> >> > >
> >> > > Jonathon J. Howey
> >> > > KPSA Compliance Management Inc.
> >> > > P 780.409.5620
> >> > > F 780.409.5621
> >> > > D 780.409.5628
> >> > > C 780.965.8363
> >> > > Jonathon@xxxxxxx
> >> > >
> >> > > Guiding the Future of Transportation www.KPSA.ca
> >> > >
> >> > >
> >> > >
> >> > > -----Original Message-----
> >> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> >> > > Sent: January 4, 2006 10:12 AM
> >> > > To: [ISAserver.org Discussion List]
> >> > > Subject: [isalist] RE: WMF Vunrability
> >> > >
> >> > > http://www.ISAserver.org
> >> > >
> >> > > He never stated what his "block" was.
> >> > >
> >> > >
> >> > > -------------------------------------------------------
> >> > > Jim Harrison
> >> > > MCP(NT4, W2K), A+, Network+, PCG
> >> > > http://isaserver.org/Jim_Harrison/
> >> > > http://isatools.org
> >> > > Read the help / books / articles!
> >> > > -------------------------------------------------------
> >> > >
> >> > >
> >> > > -----Original Message-----
> >> > > From: Brian Boyes [mailto:BrianB@xxxxxxxxx]
> >> > > Sent: Wednesday, January 04, 2006 09:02
> >> > > To: [ISAserver.org Discussion List]
> >> > > Subject: [isalist] RE: WMF Vunrability
> >> > >
> >> > > http://www.ISAserver.org
> >> > >
> >> > > > I have installed the "wmf" block to my ISA 2004 clients but
> >> > > I not sure
> >> > >
> >> > > > how to set this up for ISA 2000.
> >> > > > Could someone provide advice of the best way to do this.
> >> > >
> >> > > Did anyone ever post an answer? I'm curious about this
> >> "wmf block".
> >> > >
> >> > > Brian
> >> > >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > thor@xxxxxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ara.avvali@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts: