Home page logo

basics logo Security Basics mailing list archives

Re: Blocking WMF Files via Squid
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Tue, 03 Jan 2006 18:55:53 -0500

Gaddis, Jeremy L. wrote:
In response to the new 0-day WMF exploit, the educational institution for which I work recently took two steps to mitigate a possible infection.

[snip text about filtering via squid]

Thanks for the comments, everyone. While I understand that blocking .wmf via squid isn't exactly 100% effective, it has already stopped at least one box from getting hit. Filtering .wmf seemed better than nothing. It seems, also, that my ACLs are 100% effective, mainly because their based on: 1) file extension (.wmf), and 2) MIME types.

In the description of what I did to implement this (detailed at http://www.jeremygaddis.com/2005/12/29/blocking-wmf-at-the-perimeter/), one step describes adding the following two lines in an ACL:

acl blockedtyperep rep_mime_type -i ^application/x-msmetafile$
acl blockedtyperep rep_mime_type -i application/x-msmetafile

As "Sven" pointed out in a comment, it works to stop absolute URLs which end in .wmf, but will not stop others. For example, it does not stop

http://www.heise.de/security/dienste/browsercheck/demos/ie/wmfexp2.php. Sven recommended adding the following:

http_reply_access deny blockedtyperep
http_reply_access allow all

However, even this did not work because...

GET /security/dienste/browsercheck/demos/ie/wmfexp2.php HTTP/1.1
Host: www.heise.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 03 Jan 2006 23:18:27 GMT
Server: Apache/1.3.34
Vary: Accept-Encoding
Content-Disposition: inline; filename=browsercheck.wmf
Content-Length: 15734
Connection: close
Content-Type: binary/octet-stream

...the content type returned is binary/octet-stream, which isn't something I can apply an ACL to in order to stop. Is anyone aware of modifications that I could make to help mitigate the risk (see note above about the far from 100% effectiveness of this solution). <Insert obligatory statement about having up-to-date AV on the desktops here>.


Jeremy L. Gaddis, GCWN, Linux+, Network+

The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]