RE: WMF Vulnerability

  • From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jan 2006 14:35:58 -0600

Spelling errors in some of the comments Jim, but otherwise keep up the
good fight!

'       - presents a final status to the user based on teh trreturn
value from DoArray()

'       1. accesses the ISA COM and validates the correct context fro
this script

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, January 05, 2006 1:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Ok - found and fixed the bug - twere a logic error in publishing rules.
Also "hardened" the script in a few places.
http://isatools.org/block_wmf.zip 

Note that it only acts on the array policies for now.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
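Jim's block_wmf.zip script is not reproduced in the thread, and the example below is not his code and not anything shipped with ISA Server. It is an added Python illustration of the distinction the thread circles around: a block keyed on the .wmf extension or on the application/x-msmetafile content type fails as soon as the serving site renames the file or spoofs the header, whereas a check on the leading bytes of the response body ("pattern matching in the response stream") does not. The header layout it tests is the published WMF file format (the placeable key 0x9AC6CDD7 followed by the standard META_HEADER), which goes a little beyond what the thread states; the URLs, content types and header-only payloads are constructed sample data, and the function names are assumptions of this example.

```python
import struct
from typing import List, Tuple

# WMF signatures (file-format facts, not taken from the thread):
#   - a "placeable" WMF opens with the 32-bit key 0x9AC6CDD7 (bytes D7 CD C6 9A)
#     and an 18-byte placeable body, 22 bytes in total;
#   - every WMF then carries an 18-byte META_HEADER: Type (1 = memory, 2 = disk),
#     HeaderSize in 16-bit words (always 9), Version (0x0100 or 0x0300).
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18

# The content type the thread names plus the other registrations seen for WMF.
WMF_CONTENT_TYPES = {
    "application/x-msmetafile",
    "image/wmf",
    "image/x-wmf",
    "windows/metafile",
}


def looks_like_wmf(body: bytes) -> bool:
    """Decide from the leading bytes alone whether a payload is a WMF.

    Ignores file name and Content-Type entirely, which is what makes it
    survive a renamed extension or a spoofed header.
    """
    if len(body) >= 4 and struct.unpack("<I", body[:4])[0] == PLACEABLE_KEY:
        # Skip the placeable header; the standard header follows it.
        body = body[PLACEABLE_HEADER_LEN:]
    if len(body) < META_HEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack("<HHH", body[:6])
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def inspect_response(url: str, content_type: str, body: bytes) -> Tuple[str, List[str]]:
    """Return ("block" | "allow", reasons) for one HTTP response.

    Three independent checks; only the third one holds up when the
    extension has been changed and the Content-Type spoofed.
    """
    reasons: List[str] = []
    path = url.split("?", 1)[0].lower()
    if path.endswith(".wmf"):
        reasons.append("extension")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in WMF_CONTENT_TYPES:
        reasons.append("mime-type")
    if looks_like_wmf(body):
        reasons.append("content")
    return ("block" if reasons else "allow", reasons)


def make_standard_header(file_type: int = 2) -> bytes:
    """Constructed 18-byte META_HEADER with zero sizes (sample data, not a real file)."""
    return struct.pack("<HHHHHHIH", file_type, 9, 0x0300, 0, 0, 0, 0, 0)


def make_placeable_header() -> bytes:
    """Constructed 22-byte placeable header: key, handle, bbox, inch, reserved, checksum."""
    return struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)


# Constructed sample responses, as a proxy would see them on the wire.
SAMPLE_RESPONSES = [
    # Honest: extension, type and content all say WMF.
    ("http://example.test/clip.wmf", "application/x-msmetafile", make_standard_header()),
    # Renamed to .gif with a spoofed type: only content sniffing catches it.
    ("http://example.test/holiday.gif", "image/gif",
     make_placeable_header() + make_standard_header()),
    # Renamed to .doc, served as Word: again only the body gives it away.
    ("http://example.test/report.doc", "application/msword", make_standard_header(1)),
    # A genuine GIF header: must not be flagged.
    ("http://example.test/logo.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
]


def run_samples() -> dict:
    """Map each sample URL to its (verdict, reasons) pair."""
    return {url: inspect_response(url, ct, body) for url, ct, body in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for url, (verdict, reasons) in run_samples().items():
        print(f"{verdict:5}  {url}  {reasons}")
```

The sniffer only looks at the first 40 bytes, so on a proxy it can run on the start of the response stream before the rest of the body has been buffered; an extension or MIME check alone would let the second and third samples through.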
 

-----Original Message-----
From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, January 05, 2006 10:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability


Andy Haigh

And everyone has been ignoring it since.

John T
eServices For You


> -----Original Message-----
> From: JosephK [mailto:josephk@xxxxxxxxx]
> Sent: Thursday, January 05, 2006 9:43 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> 
> I've noticed that my spell checker stops at the subject line of this 
> thread.
> Who spelled Vunrability???  Damn you guys for making me hit cancel 
> first
> :)
> 
> Joseph
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, January 05, 2006 7:34 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
> 
> 
> Hi Joseph,
> 
> Keeping my eyes open for it.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: JosephK [mailto:josephk@xxxxxxxxx]
> > Sent: Thursday, January 05, 2006 12:52 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> >
> > Hi Thomas,
> >
> > I hear that the next round of this type of attack may indeed be 
> > *.gif or some other variant.
> >
> > Joseph
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 10:33 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> >
> > Hi Joseph,
> >
> > Yes, I knew what .wmf meant, was just having some fun there :)
> >
> > You could change the application that opens the .wmf file, but what 
> > if they change the file extension to .doc or .xls or .gif? I think 
> > you still end up getting whacked.
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > Sent: Wednesday, January 04, 2006 12:03 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > >
> > > Hi Thomas,
> > >
> > > WMF -- Um, this is a family list! But, I could also think of a few
> > > more things.  Google desktop indexing has a flaw...If some 
> > > unsuspecting user sets it up incorrectly or some goof uses it on a
> > > corporate network, then, the indexing process can show up on the 
> > > internet!  Now that's why I don't use trash like that.
> > >
> > > I'm sure you knew that *.wmf was for windows meta file. Changing the
> > > program that opens that to notepad actually works. At least in my test
> > > environment.
> > >
> > > Thank you,
> > > Joseph
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Wednesday, January 04, 2006 10:03 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > >
> > > Hi Joseph,
> > >
> > > I read that even if you use Google indexing service on your 
> > > computer, it will whack you when the WMF is accessed.
> > >
> > > BTW, what does WMF stand for? I can think of a few things right 
> > > now :))
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: JosephK [mailto:josephk@xxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 11:53 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > >
> > > > Another minor way to fix this from the desktop point of view and
> > > > yes it is a pain in the ass. Change the program that opens up 
> > > > *.wmf (fax viewer) to use notepad instead.  Not very feasible
> > > > though with a real large shop.
> > > >
> > > > Joseph
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Edgardo Balansay [mailto:balansay@xxxxxxxxx]
> > > > Sent: Wednesday, January 04, 2006 9:49 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: WMF Vunrability
> > > >
> > > > I have been thinking similar to "Thor" in that, "... have you 
> > > > found the application/x-msmetafile mime block is all you have to
> > > > do?"
> > > > As .wmf file type is listed as
> > > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx
> > > >
> > > > However Jim Harrison, mentions, "...use pattern matching in the 
> > > > response stream.  Request and response headers are ok unless the
> > > > "bad place" decides to spoof them."
> > > >
> > > > So application/x-msmetafile mime block does not completely block
> > > > the wmf type of files? Is what Jim is saying that the "bad
> > > > place" may spoof the headers, and Windows will continue to open
> > > > the file with the vulnerable application/dll?
> > > >
> > > > But doesn't ISA have an Application Filter and is therefore able
> > > > to block the specific mime type for *.wmf regardless of headers?
> > > > Much like how it blocks executables regardless of extension?
> > > >
> > > > Just attempting to add to the discussion, thanks!
> > > > Edgardo
> > > >
> > > > (BTW: above quotes are taken from the "OT - texas hold em" 
> > > > thread)
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > josephk@xxxxxxxxx
> > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > >
> >
> 



All mail to and from this domain is GFI-scanned.



