WMF Exploit
Rodney Green
rgreen at TRAYERPRODUCTS.COM
Thu Dec 29 16:03:28 GMT 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
shuttlebox wrote:
> On 12/29/05, *Rodney Green* <rgreen at trayerproducts.com
> <mailto:rgreen at trayerproducts.com>> wrote:
>
> With the WMF Zero-day exploit on the loose does MailScanner have
> the ability to detect WMF files - other than by extension - using
> the filetype.rules.conf file?
>
>
> Try the file command on a wmf-file, if you're lucky it's detected as
> something unique and you can use that in the filetype.rules.conf-file
> but if it's something like "data" or other generic type you can always
> roll your own magic signature, look in /etc/magic.
>
> I just blocked it in filename.rules.conf myself.
>
I did block it in filename.rules.conf. However, I just read the
following at http://isc.sans.org
"Update 23:19 UTC: Not that we didn't have enough "good" news already,
but if you are relying on perimeter filters to block files with WMF
extension from reaching your browser, you might have a surprise waiting
for you. Windows XP will detect and process a WMF file based on its
content ("magic bytes") and not rely on the extension alone, which means
that a WMF sailing in disguise with a different extension might still be
able to get you."
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list