[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: Blocking WMF Files via Squid

To: security-basics mailing list <security-basics@xxxxxxxxxxxxxxxxx>, full-disclosure mailing list <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Re: Blocking WMF Files via Squid
From: "Gaddis, Jeremy L." <jeremy@xxxxxxxxxxxx>
Date: Tue, 03 Jan 2006 18:55:53 -0500

Gaddis, Jeremy L. wrote:

In response to the new 0-day WMF exploit, the educational institution for which I work recently took two steps to mitigate a possible infection.


[snip text about filtering via squid]

Thanks for the comments, everyone. While I understand that blocking .wmf via squid isn't exactly 100% effective, it has already stopped at least one box from getting hit. Filtering .wmf seemed better than nothing. It seems, also, that my ACLs are 100% effective, mainly because their based on: 1) file extension (.wmf), and 2) MIME types.

In the description of what I did to implement this (detailed at http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/), one step describes adding the following two lines in an ACL:

acl blockedtyperep rep_mime_type -i ^application/x-msmetafile$
acl blockedtyperep rep_mime_type -i application/x-msmetafile

As "Sven" pointed out in a comment, it works to stop absolute URLs which end in .wmf, but will not stop others. For example, it does not stop

http://www.heise.de/security/dienste/browsercheck/demos/ie/wmfexp2.php. Sven recommended adding the following:

http_reply_access deny blockedtyperep
http_reply_access allow all

However, even this did not work because...

--- GET /security/dienste/browsercheck/demos/ie/wmfexp2.php HTTP/1.1 Host: www.heise.de User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 03 Jan 2006 23:18:27 GMT
Server: Apache/1.3.34
Vary: Accept-Encoding
Content-Disposition: inline; filename=”browsercheck.wmf”
Content-Length: 15734
Connection: close
Content-Type: binary/octet-stream
---

...the content type returned is binary/octet-stream, which isn't something I can apply an ACL to in order to stop. Is anyone aware of modifications that I could make to help mitigate the risk (see note above about the far from 100% effectiveness of this solution). <Insert obligatory statement about having up-to-date AV on the desktops here>.

Thanks,
-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
http://www.jeremygaddis.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Re: Blocking WMF Files via Squid
  - From: fmargeli

Prev by Date: Re: [Full-disclosure] Does this unofficial WMF patch cause printing problems?
Next by Date: e: [funsec] RE: [Full-disclosure] WMF round-up, updates and de-mystification]
Previous by thread: Re: [Full-disclosure] Does this unofficial WMF patch cause printing problems?
Next by thread: Re: [Full-disclosure] Re: Blocking WMF Files via Squid
Index(es):
- Date
- Thread