mailing list archives
Re: Blocking WMF Files via Squid
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Tue, 03 Jan 2006 18:55:53 -0500
Gaddis, Jeremy L. wrote:
In response to the new 0-day WMF exploit, the educational institution
for which I work recently took two steps to mitigate a possible infection.
[snip text about filtering via squid]
Thanks for the comments, everyone. While I understand that blocking
.wmf via squid isn't exactly 100% effective, it has already stopped at
least one box from getting hit. Filtering .wmf seemed better than
nothing. It seems, also, that my ACLs are 100% effective, mainly
because their based on: 1) file extension (.wmf), and 2) MIME types.
In the description of what I did to implement this (detailed at
one step describes adding the following two lines in an ACL:
acl blockedtyperep rep_mime_type -i ^application/x-msmetafile$
acl blockedtyperep rep_mime_type -i application/x-msmetafile
As "Sven" pointed out in a comment, it works to stop absolute URLs which
end in .wmf, but will not stop others. For example, it does not stop
Sven recommended adding the following:
http_reply_access deny blockedtyperep
http_reply_access allow all
However, even this did not work because...
GET /security/dienste/browsercheck/demos/ie/wmfexp2.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8)
HTTP/1.1 200 OK
Date: Tue, 03 Jan 2006 23:18:27 GMT
Content-Disposition: inline; filename=”browsercheck.wmf”
...the content type returned is binary/octet-stream, which isn't
something I can apply an ACL to in order to stop. Is anyone aware of
modifications that I could make to help mitigate the risk (see note
above about the far from 100% effectiveness of this solution). <Insert
obligatory statement about having up-to-date AV on the desktops here>.
Jeremy L. Gaddis, GCWN, Linux+, Network+
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Re: Blocking WMF Files via Squid Gaddis, Jeremy L. (Jan 03)