
0-day WMF exploit and ISA 2004?

0-day WMF exploit and ISA 2004? - 4.Jan.2006 7:48:10 AM   
MJonkers

 

Posts: 63
Joined: 6.Jan.2004
Status: offline
Is it possible to block this exploit on the ISA 2004 server?

thx,

Marc
Post #: 1
RE: 0-day WMF exploit and ISA 2004? - 4.Jan.2006 3:34:41 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Only by blocking the filename extension WMF in your rules - it isn't fool-proof, but it's all there is currently.

What makes this one nasty is that there is a 'magic bytes' portion of the file that IE will look at and render the file even though the file is named .junk, .txt, etc...

(in reply to MJonkers)
Post #: 2
RE: 0-day WMF exploit and ISA 2004? - 5.Jan.2006 3:02:40 AM   
denli

 

Posts: 27
Joined: 15.Jul.2005
Status: offline
What about using binary signatures instead?
What does a metafile look like?

That shouldn't be hard to configure in ISA 2004.

Besides, filtering on just the file extension doesn't seem to work very well.
I can't make out exactly what Thomas is referring to in this article
http://www.isaserver.org/tutorials/The_Mystery_of_the_Zip_File_that_Wont_Block.html
but there is definitely some kind of problem.

< Message edited by denli -- 5.Jan.2006 3:06:32 AM >


_____________________________

/Dennis

(in reply to ClintD)
Post #: 3
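
Added example, not part of any post in this thread and not ISA Server configuration: a content check that recognises a metafile from its leading bytes (the "magic bytes" mentioned above) and lists the bodies a rule blocking only the `.wmf` extension would let through. The function names, file names and sample bodies are made up for the example; the header values follow the WMF file layout (placeable key 0x9AC6CDD7, or a standard header with type 1 or 2, header size 9 words, version 0x0100 or 0x0300).

```python
import struct
from typing import Optional

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7 stored little-endian

def classify_wmf(body: bytes) -> Optional[str]:
    """Classify the leading bytes of a response body as WMF or not."""
    if body.startswith(PLACEABLE_KEY):
        return "placeable"
    if len(body) >= 6:
        # Standard header: Type (1 = memory, 2 = disk), HeaderSize in 16-bit
        # words (always 9), Version (0x0100 or 0x0300).
        ftype, hdr_words, version = struct.unpack_from("<HHH", body)
        if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "standard"
    return None

def missed_by_extension_rule(responses):
    """Names of WMF bodies that a rule blocking only '.wmf' would let through."""
    return [name for name, body in responses
            if classify_wmf(body) and not name.lower().endswith(".wmf")]

# Constructed samples: a minimal, empty metafile (header + end-of-file record)
# and a plain-text body. File names are made up for the example.
_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
_EOF_RECORD = struct.pack("<IH", 3, 0)
EMPTY_WMF = _HEADER + _EOF_RECORD
PLACEABLE_WMF = PLACEABLE_KEY + bytes(18) + EMPTY_WMF
SAMPLES = [
    ("chart.wmf", EMPTY_WMF),
    ("notes.txt", PLACEABLE_WMF),
    ("photo.junk", EMPTY_WMF),
    ("readme.txt", b"plain text, not a metafile"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:12} {classify_wmf(body)}")
    print("missed by extension rule:", missed_by_extension_rule(SAMPLES))
```

The standard-header test looks at only six bytes, so treat a match as a reason to inspect the body further rather than as proof that it is a metafile.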
RE: 0-day WMF exploit and ISA 2004? - 5.Jan.2006 3:32:43 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

Check my blog for guidance on how to configure the HTTP security filter for the WMF exploit.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to denli)
Post #: 4
