WMF Exploit

Rodney Green rgreen at TRAYERPRODUCTS.COM
Thu Dec 29 16:03:28 GMT 2005

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

shuttlebox wrote:
> On 12/29/05, *Rodney Green* <rgreen at trayerproducts.com 
> <mailto:rgreen at trayerproducts.com>> wrote:
>     With the WMF Zero-day exploit on the loose does MailScanner have
>     the ability to detect WMF files - other than by extension - using
>     the filetype.rules.conf file?
> Try the file command on a wmf-file, if you're lucky it's detected as 
> something unique and you can use that in the filetype.rules.conf-file 
> but if it's something like "data" or other generic type you can always 
> roll your own magic signature, look in /etc/magic.
> I just blocked it in filename.rules.conf myself.

I did block it in filename.rules.conf. However, I just read the 
following at http://isc.sans.org

"Update 23:19 UTC: Not that we didn't have enough "good" news already, 
but if you are relying on perimeter filters to block files with WMF 
extension from reaching your browser, you might have a surprise waiting 
for you. Windows XP will detect and process a WMF file based on its 
content ("magic bytes") and not rely on the extension alone, which means 
that a WMF sailing in disguise with a different extension might still be 
able to get you."

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list