CERT mentioned a 3rd magic byte string
http://www.kb.cert.org/vuls/id/181038
-----------
Please be aware we have confirmed that filtering based just on the WMF
file extensions or MIME type application/x-msMetafile will not block all
known attack vectors for this vulnerability. Filter mechanisms should be
looking for any file that Microsoft Windows recognizes as a Windows
Metafile by virtue of its file header. Please check with your network
vendor for updated signatures. WMF files can begin with various byte
sequences such as:
01 00 09 00 ...
02 00 09 00 ...
D7 CD C6 9A ...
-------
I added the 3rd string to the patch for the file 4.10 version of magic
below. If you have a different version of file(1), it's easy to manually
insert. Just open the magic file in a text editor, and search for WMF.
Then add:
0 string \327\315\306\232 ms-windows metafont .wmf
0 string \001\000\011\000 ms-windows metafont .wmf
0 string \002\000\011\000 ms-windows metafont .wmf
Then generate a new mgc file with: file -C -m magic
I'll send an update if I discover others.
The internet storm center makes a good point:
http://isc.sans.org/diary.php?storyid=994
-----
* Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by a
special header and the extension is not needed. The files could arrive
using any extension, or embedded in Word or other documents.
-----
If the .wmf is embedded as an image in a .doc, for example, amavisd
and file(1) will see it as .doc.
So blocking .wmf at the perimeter based on the magic bytes is useful, but
not bulletproof.
...Eric
-------------------------------------------------------
# cat patch
*** magic Sun Jan 1 11:51:42 2006
--- magic.new Sun Jan 1 11:52:49 2006
***************
*** 1300,1306 ****
>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows
Hyperterminal
# Windows Metafont .WMF
! 0 string \327\315\306\232\000\000\000\000\000\000 ms-windows
metafont .wmf
#tz3 files whatever that is (MS Works files)
0 string \003\001\001\004\070\001\000\000 tz3 ms-works file
--- 1300,1309 ----
>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows
Hyperterminal
# Windows Metafont .WMF
! 0 string \327\315\306\232 ms-windows metafont .wmf
! 0 string \001\000\011\000 ms-windows metafont .wmf
! 0 string \002\000\011\000 ms-windows metafont .wmf
!
#tz3 files whatever that is (MS Works files)
0 string \003\001\001\004\070\001\000\000 tz3 ms-works file
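Review bot: the three `!` lines still carry the description `ms-windows metafont .wmf`, but the format is a Windows Metafile (the CERT text quoted above calls it exactly that), and this string is what file(1) and amavisd will print in logs and notifications, so `ms-windows metafile .wmf` would be the accurate label. Two further points deserve a comment in the magic file: the existing `\327\315\306\232` entry loses its six trailing `\000` bytes, which widens the match to the four-byte key alone, and the two new four-byte entries `\001\000\011\000` and `\002\000\011\000` are short enough to match unrelated binaries that happen to begin with those bytes, so some false positives are to be expected once amavisd acts on them. The lone `!` line adds only an empty line and can be dropped from the patch.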
-------------------------------------------------------
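The following is an added example and not code from the mail, from amavisd or from file(1). It applies the three header byte sequences quoted above to a buffer without ever looking at the file name, which is the point the CERT and ISC notes make. A `strict` mode goes one step beyond the mail: it also checks the METAHEADER fields (Type, HeaderSize, the Version word) and the placeable header's XOR checksum, which are assumptions taken from the WMF format rather than from the mail, to trim the false positives that a bare four-byte signature invites. The sample "attachments" are constructed inline; the `report.doc` entry shows the caveat from the mail, that a WMF embedded in an OLE2 document is not visible at the container's header.

```python
"""Header-based WMF detection for a mail gateway, independent of file name."""
import struct

# Byte sequences from the CERT note / file(1) magic entries quoted in the mail.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"            # Aldus placeable metafile header key
STANDARD_KEYS = (
    b"\x01\x00\x09\x00",                       # Type=1 (memory metafile), HeaderSize=9 words
    b"\x02\x00\x09\x00",                       # Type=2 (disk metafile),   HeaderSize=9 words
)
PLACEABLE_LEN = 22                             # placeable header size in bytes
METAHEADER_LEN = 18                            # standard METAHEADER size in bytes


def _valid_standard_header(buf: bytes) -> bool:
    """Field-level check of the METAHEADER: Type, HeaderSize and Version.
    Assumption from the WMF format (not from the mail): Version is 0x0100 or 0x0300."""
    if len(buf) < METAHEADER_LEN:
        return False
    mtype, hdrsize, version = struct.unpack_from("<HHH", buf, 0)
    return mtype in (1, 2) and hdrsize == 9 and version in (0x0100, 0x0300)


def _valid_placeable_header(buf: bytes) -> bool:
    """Placeable header: the key plus nine more words, then a checksum word that is
    the XOR of the ten words before it (assumption from the WMF format)."""
    if len(buf) < PLACEABLE_LEN or buf[:4] != PLACEABLE_KEY:
        return False
    words = struct.unpack_from("<11H", buf, 0)
    checksum = 0
    for w in words[:10]:
        checksum ^= w
    return checksum == words[10]


def wmf_kind(data: bytes, strict: bool = False):
    """Classify a byte buffer by its header only; the file name is never consulted.

    Returns 'placeable', 'standard' or None.  strict=False reproduces the three
    magic strings from the mail; strict=True additionally requires internally
    consistent header fields, which trims false positives from the 4-byte signatures.
    """
    if data[:4] == PLACEABLE_KEY:
        if not strict:
            return "placeable"
        if _valid_placeable_header(data) and _valid_standard_header(data[PLACEABLE_LEN:]):
            return "placeable"
        return None
    if data[:4] in STANDARD_KEYS:
        if not strict or _valid_standard_header(data):
            return "standard"
    return None


# --- constructed sample inputs (not real attachments) ---------------------------

def build_standard_wmf() -> bytes:
    """An 18-byte METAHEADER followed by a single META_EOF record (constructed)."""
    eof_record = struct.pack("<IH", 3, 0x0000)            # RecordSize=3 words, Function=META_EOF
    size_words = (METAHEADER_LEN + len(eof_record)) // 2  # whole file size in 16-bit words
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, 3, 0)
    return header + eof_record


def build_placeable_wmf() -> bytes:
    """Placeable header with a correct checksum wrapped around build_standard_wmf()."""
    fields = PLACEABLE_KEY + struct.pack("<HhhhhHI", 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", fields):
        checksum ^= w
    return fields + struct.pack("<H", checksum) + build_standard_wmf()


SAMPLES = {
    "holiday.jpg": build_placeable_wmf(),                 # WMF renamed to look like a JPEG
    "chart.wmf":   build_standard_wmf(),
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 20,    # genuine JPEG SOI marker, not WMF
    "report.doc":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,  # OLE2 container: an embedded WMF is invisible here
    "lucky.bin":   b"\x01\x00\x09\x00" + b"\xff" * 20,    # starts with the 4-byte signature by chance
}


def scan(samples: dict, strict: bool = False) -> dict:
    """Run wmf_kind over a name->bytes mapping; names are reported, never trusted."""
    return {name: wmf_kind(data, strict) for name, data in samples.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}:")
        for name, kind in scan(SAMPLES, strict=mode).items():
            print(f"  {name:12s} -> {kind}")
```

Running the block shows `holiday.jpg` flagged as a placeable WMF despite its name, `lucky.bin` matching only in loose mode, and `report.doc` passing untouched in both modes; for the last case the container has to be opened (as amavisd does for archives) before header matching can help.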
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/