RE: WMF Vulnerability

  • From: "JosephK" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jan 2006 09:33:48 -0800

I added that content type the other day for a test and it actually
works.
Joseph

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, January 05, 2006 6:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

That's interesting reading.
The content-type I derived was from IIS and Apache.
When they send a .wmf file, they both send an application/x-msmetafile
header.
It might just be worth adding that content-type to the list just to
"play the odds".

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: David Farinic [mailto:davidfa@xxxxxxx] 
Sent: Thursday, January 05, 2006 5:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

IE makes the decision based on 3 things (in reality 4, but the 4th one is
not that important for guarding gateways):

- Extension (taken from the URL before the parameter separator,
character '?')...

- HTTP header Content-Type (decided/served/misjudged by the web server,
and usually good only for major file types like .jpg, .gif, .html, but
that's all IMHO)

- File type derived from signature checking of the first bytes of the
file/payload itself


None of the above is the ABSOLUTE way to identify all possible
file types.

The real file-type identification process often differs for different
file types.

That means it can give the above 3 file-type information sources
different importance/consideration for each file type.

Unfortunately it also varies with different Windows versions, browser
versions, applied service packs etc...
SP2 tried to narrow this down, but there is still not one definitive
information field/source/API call which would tell you definitively how
that file will be treated by the system (and then there might still be a
3rd-party app which will open it differently!)

Regarding the mentioned application/x-msmetafile:

Let me add more confusion by telling you that what you believed is the
.wmf file's content-type, application/x-msmetafile, is in reality
resolved by the Windows XP (SP2) API call FindMimeFromData as content
type:

image/x-wmf

The exploit we found in the wild, however, used a placeable metafile
header, and Windows returned application/octet-stream for it :)

In fact this might be, and has been, reported to affect different
handling behavior in IE for different WMF files (with different usage of
WMF-defined headers).

So if you are testing your blocking/rendering with WMF images (which you
can find in Windows), results might be completely different with other
WMF files with a different header type layout.

 

The conclusion is that there are so many combinations and possible
handlings of different file types that, if possible, you should trust
only signature checking.

Content-type and URL-based extension are too unreliable (but I admit
they can filter out some small percentage of threats).

If signature checking is not available or not trusted too much for
certain file types (because of too wild data structure
definitions/standards), best practice is to mimic the behavior of the
OS's and browser's decision making from the above 3 sources of file-type
information.

 
My answer to the question:

> method described to "block extensions" is correct or not

would be:

Yes, if it is your only way.

If you have file-type blocking based on signature, use it instead. You
will be protected much more.


With kind regards, DavidFA


P.S.: If you want to go deeper and get more mad ;), read the following:

http://ppewww.ph.gla.ac.uk/~flavell/www/content-type.html

http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp

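As an added example (not from the thread, and not code from ISA Server, GFI or any other product mentioned here), the Python below mimics the three file-type sources David lists and checks them against the payload's own signature, including the placeable metafile header case where the server's content-type is useless. The block-list contents, the sample bytes and the example URLs are constructed for this illustration; ".wmf", application/x-msmetafile and image/x-wmf are the only values taken from the thread.

```python
import struct
from urllib.parse import urlsplit

# Little-endian form of the placeable (Aldus) metafile key 0x9AC6CDD7.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

# Block-list for the gateway rule. The extension and both content-types are
# the ones named in the thread; putting them in one rule is this example's choice.
BLOCKED_EXTENSIONS = {".wmf"}
BLOCKED_CONTENT_TYPES = {"application/x-msmetafile", "image/x-wmf"}


def ext_from_url(url):
    """Extension the way the thread describes it: last suffix of the URL path, before '?'."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def normalize_content_type(header):
    """Lower-case media type with any parameters (e.g. '; charset=') removed."""
    return header.split(";", 1)[0].strip().lower() if header else ""


def placeable_checksum_ok(data):
    """The placeable header's 11th word is the XOR of the ten words before it."""
    words = struct.unpack("<11H", data[:22])
    xor = 0
    for w in words[:10]:
        xor ^= w
    return xor == words[10]


def standard_header_ok(data):
    """METAHEADER sanity check: type 1 (memory) or 2 (disk), header size of 9
    words, version 0x0100 or 0x0300. Fields are 16-bit little-endian."""
    if len(data) < 18:
        return False
    mtype, hdr_words, version = struct.unpack("<HHH", data[:6])
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def wmf_signature(data):
    """Return 'placeable', 'standard' or None from the payload bytes alone.

    A matching placeable key is enough to call it WMF. The gateway must not let
    a file through because its checksum is wrong: a renderer may never look at it.
    """
    if len(data) >= 22 and data[:4] == PLACEABLE_KEY:
        return "placeable"
    if standard_header_ok(data):
        return "standard"
    return None


def classify(url, content_type, data):
    """Apply all three sources and report which of them flagged the file."""
    reasons = []
    if ext_from_url(url) in BLOCKED_EXTENSIONS:
        reasons.append("extension")
    if normalize_content_type(content_type) in BLOCKED_CONTENT_TYPES:
        reasons.append("content-type")
    sig = wmf_signature(data)
    if sig is not None:
        reasons.append("signature")
    return {"signature": sig, "reasons": reasons, "blocked": bool(reasons)}


# Constructed samples (not files from the wild): a bare 18-byte METAHEADER,
# a placeable header with a valid checksum in front of it, and a fake GIF.
STANDARD_SAMPLE = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
GIF_SAMPLE = b"GIF89a" + bytes(30)


def make_placeable_sample():
    body = struct.pack("<H4hHI", 0, 0, 0, 100, 100, 96, 0)  # hmf, bbox, inch, reserved
    checksum = 0
    for w in struct.unpack("<10H", PLACEABLE_KEY + body):
        checksum ^= w
    return PLACEABLE_KEY + body + struct.pack("<H", checksum) + STANDARD_SAMPLE


PLACEABLE_SAMPLE = make_placeable_sample()

if __name__ == "__main__":
    # WMF under a harmless name with a generic content-type: only the
    # signature check fires, which is the case David describes.
    print(classify("http://example.invalid/pic.jpg", "application/octet-stream", PLACEABLE_SAMPLE))
    # A GIF served under a .wmf name: extension and content-type fire, the
    # signature does not, so an extension-only rule blocks the wrong thing.
    print(classify("http://example.invalid/pic.wmf?x=1", "application/x-msmetafile", GIF_SAMPLE))
```

The verdict deliberately ORs the three sources: a file is dropped if any of them says WMF, which is the "mimic the OS and browser" approach when you cannot be sure which source a given client will weigh most.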
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday, January 04, 2006 8:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vulnerability

http://www.ISAserver.org

Jim, did you read this?  I'm wondering if the method described to "block
extensions" is correct or not.  Rather than using "Configure HTTP" and
setting allowable extensions, I thought one should explicitly create a
deny rule specifying both the .wmf extension *as well* as
application/x-msmetafile as the MIME type.  Incoming HTTP file
associations are handled by MIME type, not file extension.  Only when
there is no MIME type handed down by the server is a file extension used
(or when you do an actual file transfer, like with FTP.)

Comments on that?

t



-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message ----- 
From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 04, 2006 11:24 AM
Subject: [isalist] RE: WMF Vulnerability


> http://www.ISAserver.org
>
> Hey guys,
>
> Check out
> http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx
> too
> ;-)
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: woensdag 4 januari 2006 20:16
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vulnerability
>
> http://www.ISAserver.org
>
> Hi Tim,
>
> I agree. There seems to be more than the usual amount of FUD associated
> with this problem. :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Wednesday, January 04, 2006 1:01 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: WMF Vulnerability
>>
>> http://www.ISAserver.org
>>
>> I wouldn't call it "program like behavior."  They just contain both
>> metadata and rendering data in the same file (as I understand it.)
>>
>> Renaming the file to something like ".gif" or ".jpg" could still
>> cause execution if loaded from a file, but only if the Picture and Fax
>> Viewer was the default program for those file types.  From a browser,
>> for WP&FV to open it and parse the data, it has to be that MIME type
>> (again, as I understand it.)
>>
>> While I've read here that the "way to do it" is how GFI does it, I've
>> still not seen any information on why simple content filtering won't
>> work.  But then again, I read where Jim is working with MSRC to come
>> up with a "workable" filter.  It would be nice to get some
>> authoritative, detailed information on why MIME and file type
>> filtering *won't* work.
>>
>> t
>>
>>
>> -----
>> "I may disapprove of what you say,
>> but I will defend to the death your
>> right to say it."
>>
>>
>> ----- Original Message -----
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Wednesday, January 04, 2006 10:31 AM
>> Subject: [isalist] RE: WMF Vulnerability
>>
>>
>> http://www.ISAserver.org
>>
>> Hi Tim,
>>
>> Don't know about that, but it's a good question. But I have to wonder
>> about other apps that  open the WMF files. FWIU, WMF files have some
>> program like behavior that allow it to call other programs if
>> something doesn't work.
>>
>> How's that as an erudite description for a process? :)
>>
>> Tom
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://spaces.msn.com/members/drisa/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> **Who is John Galt?**
>>
>>
>>
>> > -----Original Message-----
>> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> > Sent: Wednesday, January 04, 2006 12:13 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] RE: WMF Vulnerability
>> >
>> > http://www.ISAserver.org
>> >
>> > But if he sets a different MIME type, Fax Viewer won't open the
>> > program, right?
>> >
>> > t
>> > -----
>> > "I may disapprove of what you say,
>> > but I will defend to the death your
>> > right to say it."
>> >
>> >
>> > ----- Original Message -----
>> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> > Sent: Wednesday, January 04, 2006 9:32 AM
>> > Subject: [isalist] RE: WMF Vulnerability
>> >
>> >
>> > http://www.ISAserver.org
>> >
>> > Hi Jonathon,
>> >
>> > That won't work, because the scumbag can use any file name he
>> > wants. Same goes with the MIME type. The MIME type is set at the Web
>> > server, so the scumbag can associate any MIME type he wants.
>> >
>> > Tom
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org
>> > Blog: http://spaces.msn.com/members/drisa/
>> > Book: http://tinyurl.com/3xqb7
>> > MVP -- ISA Firewalls
>> > **Who is John Galt?**
>> >
>> >
>> >
>> > > -----Original Message-----
>> > > From: Jonathon J. Howey [mailto:Jonathon@xxxxxxx]
>> > > Sent: Wednesday, January 04, 2006 11:25 AM
>> > > To: [ISAserver.org Discussion List]
>> > > Subject: [isalist] RE: WMF Vulnerability
>> > >
>> > > http://www.ISAserver.org
>> > >
>> > > What I did to block it was:
>> > >
>> > > Internet Access Policy -> Protocols tab -> Filtering ->
>> > > Configure HTTP -> Extensions tab.  Should be self explanatory from
>> > > there.
>> > >
>> > >
>> > >
>> > > Jonathon J. Howey
>> > > KPSA Compliance Management Inc.
>> > > P 780.409.5620
>> > > F 780.409.5621
>> > > D 780.409.5628
>> > > C 780.965.8363
>> > > Jonathon@xxxxxxx
>> > >
>> > > Guiding the Future of Transportation www.KPSA.ca
>> > >
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
>> > > Sent: January 4, 2006 10:12 AM
>> > > To: [ISAserver.org Discussion List]
>> > > Subject: [isalist] RE: WMF Vulnerability
>> > >
>> > > http://www.ISAserver.org
>> > >
>> > > He never stated what his "block" was.
>> > >
>> > >
>> > > -------------------------------------------------------
>> > >    Jim Harrison
>> > >    MCP(NT4, W2K), A+, Network+, PCG
>> > >    http://isaserver.org/Jim_Harrison/
>> > >    http://isatools.org
>> > >    Read the help / books / articles!
>> > > -------------------------------------------------------
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: Brian Boyes [mailto:BrianB@xxxxxxxxx]
>> > > Sent: Wednesday, January 04, 2006 09:02
>> > > To: [ISAserver.org Discussion List]
>> > > Subject: [isalist] RE: WMF Vulnerability
>> > >
>> > > http://www.ISAserver.org
>> > >
>> > > > I have installed the "wmf" block to my ISA 2004 clients but
>> > > > I'm not sure how to set this up for ISA 2000.
>> > > > Could someone provide advice of the best way to do this.
>> > >
>> > > Did anyone ever post an answer? I'm curious about this
>> > > "wmf block".
>> > >
>> > > Brian
>> > >
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> 



