Security Basics mailing list archives
Re: Blocking WMF Files via Squid
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Tue, 03 Jan 2006 18:55:53 -0500
Gaddis, Jeremy L. wrote:
In response to the new 0-day WMF exploit, the educational institution for which I work recently took two steps to mitigate a possible infection.
[snip text about filtering via squid]

Thanks for the comments, everyone. While I understand that blocking .wmf via squid isn't exactly 100% effective, it has already stopped at least one box from getting hit. Filtering .wmf seemed better than nothing. It seems, also, that my ACLs are 100% effective, mainly because they're based on: 1) file extension (.wmf), and 2) MIME types.
In the description of what I did to implement this (detailed at http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/), one step describes adding the following two lines in an ACL:
    acl blockedtyperep rep_mime_type -i ^application/x-msmetafile$
    acl blockedtyperep rep_mime_type -i application/x-msmetafile

As "Sven" pointed out in a comment, it works to stop absolute URLs which end in .wmf, but will not stop others. For example, it does not stop
http://www.heise.de/security/dienste/browsercheck/demos/ie/wmfexp2.php. Sven recommended adding the following:
    http_reply_access deny blockedtyperep
    http_reply_access allow all

However, even this did not work because...

---
GET /security/dienste/browsercheck/demos/ie/wmfexp2.php HTTP/1.1
Host: www.heise.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 03 Jan 2006 23:18:27 GMT
Server: Apache/1.3.34
Vary: Accept-Encoding
Content-Disposition: inline; filename=browsercheck.wmf
Content-Length: 15734
Connection: close
Content-Type: binary/octet-stream
---

...the content type returned is binary/octet-stream, which isn't something I can apply an ACL to in order to stop. Is anyone aware of modifications that I could make to help mitigate the risk (see note above about the far from 100% effectiveness of this solution)? <Insert obligatory statement about having up-to-date AV on the desktops here>.
Thanks,
-j
--
Jeremy L. Gaddis, GCWN, Linux+, Network+
http://www.jeremygaddis.com/
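One way to close the gap in the exchange above, added here as an example and not taken from the original post or from Sven's comment: key a reply-side ACL on the Content-Disposition filename, so a response labelled binary/octet-stream is still denied when the server names the download as a .wmf. It assumes Squid's rep_header ACL type (documented for 2.6 and later) and keeps the blockedtyperep ACL from the post; the ACL names blockeddisprep and blockedurlpath are chosen here.

```squid
# Added example, not part of the original post.
# Reply-side MIME check from the post: catches servers that label the
# body honestly.
acl blockedtyperep rep_mime_type -i ^application/x-msmetafile$

# Assumed addition: regex match on the reply's Content-Disposition
# header value. The captured heise.de response carried
#   Content-Disposition: inline; filename=browsercheck.wmf
# with Content-Type: binary/octet-stream, which the MIME ACL misses.
# Requires the rep_header ACL type (Squid 2.6+).
acl blockeddisprep rep_header Content-Disposition -i filename=.*\.wmf

# Request-side path check: catches URLs whose path ends in .wmf before
# the request ever leaves the proxy (query strings are not part of
# urlpath_regex, so ".wmf?x=1" is still matched).
acl blockedurlpath urlpath_regex -i \.wmf$

# Deny order matters: specific denies before the catch-all allow.
http_access       deny  blockedurlpath
http_reply_access deny  blockedtyperep
http_reply_access deny  blockeddisprep
http_reply_access allow all
```

This still leaves a body served with a generic content type and no filename hint unchecked, since Squid's ACLs only ever see headers and the URL, never the bytes of the response itself.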