RE: WMF Vulnerability Script Fix - Attn Jim

  • From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 10 Jan 2006 17:04:51 +1100

Thanks Jim, good work.
 
Greg Mulholland

________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tue 10/01/2006 5:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim



http://www.ISAserver.org

OK - thanks to all who reported.
V1.2 is on http://isatools.org/block_wmf.zip.
I've changed the WMF-4 and -5 signatures to use "content-disposition"
instead of "blank".  This is what was causing the crashes in the HTTP
Filter.  Not to worry; this has been fixed in SP2, which coincidentally
is why I didn't see it.
Also, you should manually remove these filters (yes, all of them) from
any web publishing rule that is servicing RPC/HTTP traffic.  It seems
that *any* filter definitions cause ISA to trash this traffic (*really*
secure, huh?).

Also, since some folks have had crashing problems, I've created a script
to get you out of trouble faster.  Unblock_wmf.vbs is your panic button
and is included in the package.  It completely reverts the changes
wrought by block_wmf.vbs.

Updated actions:
1. backs up your current config
2. examines Enterprise (EE) and all arrays
3. within each Enterprise policy and array, it examines all rules.  If
the rule is:
  - "allow"
  - not "default"
  - includes the Web Proxy filter
...it updates the HTTP Filter settings as:

Extensions:
   If "block specified"
   Add .emf
   Add .wmf
  
   If "allow specified"
   Remove .emf
   Remove .wmf

Signatures:
   Name=WMF-1
   Description=" request url '.emf' file type trigger"
   Type="Request URL"
   Signature=".emf"

   Name=WMF-2
   Description=" request url '.wmf' file type trigger"
   Type="Request URL"
   Signature=".wmf"

   Name=WMF-3
   Description=" response headers content-type trigger"
   Type="Response Headers"
   HTTP Header="content-type"
   Signature="msmetafile"

   Name=WMF-4
   Description=" response header '.emf' file type trigger"
   Type="Response Headers"
   HTTP Header="content-disposition"
   Signature=".emf"

   Name=WMF-5
   Description=" response header '.wmf' file type trigger"
   Type="Response Headers"
   HTTP Header="content-disposition"
   Signature=".wmf"

   Name=WMF-6
   Description=" response body '.emf' file type trigger "
   Type="Response Body"
   Signature=".emf"

   Name=WMF-7
   Description=" response body '.wmf' file type trigger "
   Type="Response Body"
   Signature=".wmf"

   Name=WMF-8
   Description=" response body base-64 file header trigger "
   Type="Response Body"
   Signature="184Gmg"


--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Paul Noble [mailto:pnoble@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 09, 2006 7:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim


WMF-4 'response header '.emf' file type
WMF-5 'response header '.wmf' file type



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, January 09, 2006 2:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim


Which ones?


-----Original Message-----
From: Paul Noble [mailto:pnoble@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 09, 2006 5:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability Script Fix - Attn Jim


This is the same issue Joe and I ran into, but I found on my server it seemed to just be the additional header entries on 1.1 that caused it to bum out; cleared the ticks on that and 1.1 is working fine.

-----Original Message-----
From: Paul Crisp [mailto:pcrisp@xxxxxxxxxxxxxxxxx]
Sent: Monday, January 09, 2006 10:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] WMF Vulnerability Script Fix - Attn Jim


Hi Jim

OK, I confirmed to you on Friday 6th that your new script was working with my firewalls without a problem. I then noticed that a newer version was posted, so updated my firewalls this morning; now, after 10 mins, the Microsoft Firewall service crashes with the following two messages in the event log:

The Firewall service stopped because an application filter module C:\Program Files\Microsoft ISA Server\HttpFilter.dll generated an exception code C0000005 in address 60FF647F when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.

Faulting application wspsrv.exe, version 4.0.2163.213, stamp 420bdbd0, faulting module httpfilter.dll, version 4.0.2163.213, stamp 420bdb2f, debug? 0, fault address 0x0001647f.

I have now removed the filters from both my firewalls and all appears to be working as before I ever installed the script.

Any clues?

Regards

Paul Crisp





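Added example (not part of the thread, and not Jim's block_wmf.vbs): the v1.2 signature table and the extension-list and rule-selection logic from Jim's "Updated actions" list, written out in plain Python and run over a handful of constructed request/response pairs so you can see which of WMF-1 to WMF-8 fires on what. Everything beyond the signature strings themselves is my assumption: that the ISA HTTP Filter evaluates these as case-insensitive substring matches on the request URL, a named response header, or the response body; the sample URLs, headers and bodies (including the base64 body that carries the posted "184Gmg" literal); and the RAW_METAFILE stand-in bytes.

```python
# Added example: the v1.2 signature table and extension-list logic from the post,
# expressed as plain Python so the behaviour can be exercised offline.
# Matching semantics (case-insensitive substring on the URL, a named response
# header, or the body) are an ASSUMPTION about how the ISA HTTP Filter evaluates
# these fields, not something the thread states.

# (name, where it is evaluated, header name for header signatures, literal)
SIGNATURES = [
    ("WMF-1", "request_url", None, ".emf"),
    ("WMF-2", "request_url", None, ".wmf"),
    ("WMF-3", "response_headers", "content-type", "msmetafile"),
    ("WMF-4", "response_headers", "content-disposition", ".emf"),
    ("WMF-5", "response_headers", "content-disposition", ".wmf"),
    ("WMF-6", "response_body", None, ".emf"),
    ("WMF-7", "response_body", None, ".wmf"),
    ("WMF-8", "response_body", None, "184Gmg"),
]

METAFILE_EXTENSIONS = (".emf", ".wmf")


def rule_is_in_scope(rule):
    """The post's rule selection: an allow rule, not the default rule, using the Web Proxy filter."""
    return (rule["action"] == "allow"
            and not rule["is_default"]
            and "Web Proxy" in rule["filters"])


def apply_extension_policy(mode, extensions):
    """Update one rule's HTTP-filter extension list the way the post describes.

    mode is "block specified" or "allow specified"; the updated list is returned.
    """
    current = [e.lower() for e in extensions]
    if mode == "block specified":
        # Block list: both metafile extensions must be present.
        for ext in METAFILE_EXTENSIONS:
            if ext not in current:
                current.append(ext)
    elif mode == "allow specified":
        # Allow list: neither metafile extension may be permitted.
        current = [e for e in current if e not in METAFILE_EXTENSIONS]
    else:
        raise ValueError("unknown extension mode: %r" % mode)
    return current


def match_signatures(request_url, response_headers, response_body):
    """Return the names of the posted signatures that fire on one HTTP exchange.

    response_headers: dict of lower-cased header name -> value.
    response_body: bytes; decoded as latin-1 so binary bodies can still be searched.
    """
    url = request_url.lower()
    body = response_body.decode("latin-1").lower()
    hits = []
    for name, where, header, literal in SIGNATURES:
        if where == "request_url":
            haystack = url
        elif where == "response_headers":
            haystack = response_headers.get(header, "").lower()
        else:
            haystack = body
        if literal.lower() in haystack:
            hits.append(name)
    return hits


# Constructed sample exchanges (invented for this example, not captured traffic).
RAW_METAFILE = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 10   # stands in for a binary metafile
SAMPLES = {
    # Honest download: URL, content-type and content-disposition all name the file type.
    "direct": ("http://example.test/holiday.wmf",
               {"content-type": "application/x-msmetafile",
                "content-disposition": 'attachment; filename="holiday.wmf"'},
               RAW_METAFILE),
    # Same bytes renamed and mislabelled: nothing in the exchange contains ".wmf" or ".emf".
    "renamed": ("http://example.test/image.gif",
                {"content-type": "image/gif"},
                RAW_METAFILE),
    # A page that merely references a .wmf trips the body signature.
    "html_link": ("http://example.test/page.html",
                  {"content-type": "text/html"},
                  b'<html><img src="exploit.wmf"></html>'),
    # A base64 attachment body carrying the posted WMF-8 literal.
    "base64_attachment": ("http://example.test/attachment.ashx?id=7",
                          {"content-type": "text/plain"},
                          b"Content-Transfer-Encoding: base64\r\n\r\n184GmgAAAAAAAAAA"),
    # Only the disposition header gives it away, and in upper case.
    "emf_disposition": ("http://example.test/download?id=42",
                        {"content-type": "application/octet-stream",
                         "content-disposition": 'attachment; filename="chart.EMF"'},
                        RAW_METAFILE),
}


def scan_samples():
    """Run every sample through the signature set; returns {sample name: [signature names]}."""
    return {name: match_signatures(*exchange) for name, exchange in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print("%-18s -> %s" % (name, ", ".join(hits) or "no signature fired"))
```

Two things the samples make visible. WMF-1 to WMF-7 are name-based: a metafile served under another extension and content-type, whose bytes happen not to contain the text ".wmf" or ".emf" ("renamed"), fires nothing, while an HTML page that only references a .wmf ("html_link") trips WMF-7, so expect some false positives on ordinary pages. WMF-8 is the only signature aimed at encoded bodies and fires only when the body carries that literal base64 text, which is why a base64 attachment with an unrelated URL and content-type ("base64_attachment") is caught by it alone.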