Author Topic: Security/Malicious code filters?  (Read 5223 times)

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Security/Malicious code filters?
« on: July 13, 2002, 08:21:45 PM »
These are the ones I know about.. Which ones are still needed?

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill script URL exploits (Out)"
URL = "*<(script|object|applet)*"
Replace = "Script killedk"

In = TRUE
Out = FALSE
Key = "Content-Disposition: [IE Exploit] Reveal Attached Filename (in)"
Match = "*filename=$AV(1&(^*%00*))*"
Replace = "filename=1"

In = TRUE
Out = FALSE
Key = "Content-Type: [IE Exploit] Application/Force-Download (in)"
Match = "(*|(^?))&$IHDR(Content-Disposition:*filename=*)"
Replace = "application/force-download"

In = FALSE
Out = TRUE
Key = "Nimda Killer"
URL = "*readme.eml"
Replace = "k"

[Patterns]
Name = "IE5/Opera Exploit (IMG SRC)"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "<imgs*>"
Limit = 1200
Match = "*src="(file:|shell:|gopher:)*"

Name = "IE5 Exploit (FORM Big Size Input)"
Active = TRUE
URL = "$TYPE(htm)"
Limit = 1200
Match = "size="[1|2|3|4|5|6|7|8|9]+{3,*}"

Name = "Defuse "While-Loop" Browser Bombs"
Active = TRUE
Limit = 64
Match = "while ( true )"
Replace = "
<!-- PROX: Defused Potential While Loop Browser Bombs -->
"
          "if (true)"

Name = "Defuse "Form Action+" Browser MailBombs"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "<forms*>"
Limit = 512
Match = "<Form 1 action=("|)mailto:("|) + ("|)(w)3 4"
Replace = "
<!-- PROX: Defused a "Form Action+" Browser MailBomb -->
"
          "<Form 1 action="mailto:3 4"
         
Name = "Replace Internet Explorer Gopher links with warning of IE bug"
Active = TRUE
Bounds = "<a*>"
Limit = 256
Match = "<a*HREF=*gopher://*>"
Replace = "<font size=2 color=red>"
          "[Gopher link removed:<font><font size=1 color=red>"
          " Thanks to an Internet Explorer bug, this Gopher link may be"

--------
Infopros Joint :: Computer Related Links And Discussion

Jor

  • Sr. Member
  • ****
  • Posts: 421
    • ICQ Messenger - 10401286
    • AOL Instant Messenger - jor otf
    • Yahoo Instant Messenger - jor_otf
    • View Profile
    • http://members.outpost10f.com/~jor/
    • Email
Security/Malicious code filters?
« Reply #1 on: July 13, 2002, 11:16:45 PM »
Key = "URL-Killer: Kill script URL exploits (Out)"
Still needed (never fixed MSIE bug).

Key = "Content-Disposition: [IE Exploit] Reveal Attached Filename (in)"
Not needed: Supposed to be fixed in IE.

Key = "Content-Type: [IE Exploit] Application/Force-Download (in)"
Still needed: Bug still exists in IE.

Key = "Nimda Killer"
Not needed with current versions of MSOE.

Name = "IE5/Opera Exploit (IMG SRC)"
Fixed in Opera, not sure about MSIE.

Name = "IE5 Exploit (FORM Big Size Input)"
Still needed: Bug still exists.

Name = "Defuse "While-Loop" Browser Bombs"
Still needed: Bug exists as long as Javascript is active in browser -- no fix.

Name = "Defuse "Form Action+" Browser MailBombs"
Not sure: I never saw the need for this filter.
         
Name = "Replace Internet Explorer Gopher links with warning of IE bug"
Not needed: Supposed to be fixed in MSIE.

 
 

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Security/Malicious code filters?
« Reply #2 on: July 13, 2002, 11:37:42 PM »
Thx Jor!

BTW, do the fixes apply for those who still uses IE 5.5?

--------
Infopros Joint :: Computer Related Links And Discussion

Jor

  • Sr. Member
  • ****
  • Posts: 421
    • ICQ Messenger - 10401286
    • AOL Instant Messenger - jor otf
    • Yahoo Instant Messenger - jor_otf
    • View Profile
    • http://members.outpost10f.com/~jor/
    • Email
Security/Malicious code filters?
« Reply #3 on: July 14, 2002, 12:03:42 AM »
As long as you keep updating MSIe (use the patch here), yes.

However for security reasons I'd make sure to use at least MSIE 5.5 SP2, and preferably 6.0 or later (6.0 is also a lot more compliant, which may not be an issue yet but will soon be if AOL (and it's millions of customers) switches to a Mozilla based browser).

Do keep in mind there is still a number of critical errors remaining in MSIE (any version) which haven't been fixed in over a year.

 
 

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Security/Malicious code filters?
« Reply #4 on: July 14, 2002, 08:07:31 AM »

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Security/Malicious code filters?
« Reply #5 on: July 14, 2002, 08:25:09 PM »
There are some more. I collected a few links here:
http://asp.flaaten.dk/pforum/topic.asp?TOPIC_ID=396
(PostID=2899)

Edited by - sidki3003 on 15 Jul 2002  04:26:44
 

altosax

  • Sr. Member
  • ****
  • Posts: 328
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Security/Malicious code filters?
« Reply #6 on: July 15, 2002, 05:59:00 PM »
hi jd,
i think the filters you provide here have to be increased in number, according to what i've just seen here: http://www.pivx.com/larholm/unpatched/
there are actually 19 unfixed security bug in internet explorer.

take a look,
altosax.

 
 

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Security/Malicious code filters?
« Reply #7 on: July 16, 2002, 09:21:56 AM »
Hiya Alto,

How 'bout we knock a few filters out? Then we can include them in our next config releases.

--------
Infopros Joint :: Computer Related Links And Discussion

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
Security/Malicious code filters?
« Reply #8 on: July 16, 2002, 09:45:22 AM »
I like this idea of yours to gather them all in one bundle. How about keeping them, and applying to them as such, and not integrating them into other default sets? I mean having a filterset with only filters like these. Security filterset? At least I like the idea LOL.

Best wishes
Arne
Imici username= Arne
Best wishes
Arne
Imici username= Arne

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Security/Malicious code filters?
« Reply #9 on: July 16, 2002, 09:51:43 AM »
Yeah, we can do that to.

OK, here's my first try.. Dunno, if somebody already has a filter for this... I also don't know how safe this filter is.

[Patterns]
Name = "IE Exploit - Cross Domain Scripting"
Active = TRUE
Limit = 64
Match = ".getElementById("*").object"
Replace = ".getElementById("Proxomitron").object"

Example: http://www.pivx.com/larholm/adv/TL003/

--------
Infopros Joint :: Computer Related Links And Discussion

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
Security/Malicious code filters?
« Reply #10 on: July 16, 2002, 10:24:26 AM »
Nice! Then you guys could make a filterset which onlye deals with the security thing and the exploits mentioned at http://www.pivx.com/larholm/unpatched/ I think such a filterset will be World Wide appreciated :-)


Best wishes
Arne
Imici username= Arne
Best wishes
Arne
Imici username= Arne

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Security/Malicious code filters?
« Reply #11 on: July 16, 2002, 10:37:56 AM »
quote:

Yeah, we can do that to.



Hehehe Ummmmm... No pressure Alto. LoL


BTW, everybody's welcome to submit filters.

--------
Infopros Joint :: Computer Related Links And Discussion

Edited by - JD5000 on 16 Jul 2002  11:38:24

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
Security/Malicious code filters?
« Reply #12 on: July 16, 2002, 11:36:56 AM »
Here is one to kill gopher links, although I suggest just putting 127.0.0.1 port 1 in the proxy settings in IE.

[Patterns]
Name = "Gopher kill"
Active = TRUE
Bounds = "<as*>"
Limit = 256
Match = "1gopher://2"
Replace = "1http://Local.ptron/killed.gif">"

Best wishes
Arne
Imici username= Arne
Best wishes
Arne
Imici username= Arne