Using ISA Server 2004 Firewalls to Protect Against Ject
Ject traffic is carried in a standard HTTP response header, and uses TCP port 80 (the default HTTP port) for its attack vector. Because everyone needs access to HTTP, you can’t just block this port, so your PIX firewall isn’t going to help you. However, if you have a stateful filtering and stateful application layer inspection firewall like ISA Server 2004, you’ll be able to protect yourself against Ject.
Internal hosts are vulnerable to Ject if:
- The internal host does not have the MS04-013 (http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx) patch applied
- ISA Server 2004 is not configured to block Ject-formatted HTTP response headers
The default configuration of ISA Server 2004 does not include the HTTP Security Filter definition required to block Ject. However, you can create your own to get the required protection.
To help prevent Ject traffic through ISA Server 2004:
- First, back up your current firewall policy before making changes to it. This will allow you to restore your current configuration in case you run into problems related to the configuration used to protect against Ject.
- Create an HTTP Security Filter signature that includes the definition described below for each Access Rule using the HTTP protocol.
You also need to protect the ISA Server 2004 firewall itself from the Ject worm. A computer with ISA Server 2004 installed is vulnerable to internal attack by the Ject worm if it has not had the MS04-013 patch applied.
Because the ISA 2004 firewall itself makes use of System Policy for Internet access and System policies cannot use HTTP Filters, you cannot apply the same filter settings to system rules. For this reason, and many more, you should never browse the Internet from the firewall.
If you are using an "all open" outbound access policy, you only need to apply the HTTP Security Filter changes to your "Allow all" rule. If you have multiple rules controlling HTTP access, then you will need to apply the HTTP Filter settings to every Access Rule that includes the ISA firewall’s built-in HTTP protocol definition.
You may also obtain a script from www.isatools.org that will automate the following steps. You can download it at http://isatools.org/block_ject.vbs. This script creates the same policy rule changes as described below and will also create a backup of your current firewall policies.
You should only add HTTP Filter settings to rules that:
1. Are Access Rules (not Web Publishing Rules)
2. Are Allow Rules
3. Have HTTP included in the Protocols column
Also, you should be aware that Deny rules, even those that specify All Except HTTP, cannot use HTTP Security Filter settings (the HTTP filter automatically denies connections meeting the parameters included in the HTTP Security Filter).
To block Ject response traffic:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name in the left pane of the console and click the Firewall Policy node.
2. Click the first rule that represents an Allow rule that includes the HTTP protocol.
3. Right-click the Access Rule and click the Configure HTTP command.
4. In the Configure HTTP policy for rule dialog box, click the Signatures tab and click Add.
5. In the Signature dialog box, enter Download.Ject in the Name text box.
6. In the Description text box, enter Blocks Malicious Location headers that attempt to exploit MS04-013.
7. In the Search In drop-down list, select the Response headers option.
8. In the HTTP Header text box, enter Location.
9. In the Signature field, enter C:\ and then click OK.
10. Click Apply and then click OK in the Configure HTTP policy for rule dialog box.
11. Repeat steps 3 through 10 for each Access Rule representing an Allow rule that includes the HTTP protocol.
12. Click Apply in the Microsoft Internet Security and Acceleration Server 2004 management console to save the changes to the firewall policy.
13. Click OK in the Apply New Configuration dialog box.
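The following is an added example, not part of the original article and not ISA Server code: a small Python model of what the signature configured above actually checks, so you can test the rule logic against captured HTTP responses. The signature fields (Search In: Response headers, HTTP Header: Location, Signature: C:\) come from the article; the sample responses are constructed for illustration.

```python
"""Model of an ISA Server 2004 'Response headers' HTTP Security Filter
signature, applied to raw HTTP responses (added example, not ISA code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderSignature:
    """Block when the named response header contains `pattern`."""
    name: str
    header: str    # header name, matched case-insensitively
    pattern: str   # substring searched for in the header value


# The signature the article tells you to create in the Configure HTTP dialog.
DOWNLOAD_JECT = HeaderSignature(name="Download.Ject",
                                header="Location",
                                pattern="C:\\")


def parse_response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP response into (name, value) header pairs.

    Only the header block is parsed. The body after the blank line is
    ignored, just as a 'Response headers' signature never inspects the body.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" not in line:
            continue                           # malformed header line, ignore
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def matches_signature(raw: bytes, sig: HeaderSignature) -> bool:
    """True if any header named sig.header carries sig.pattern in its value."""
    return any(name.lower() == sig.header.lower() and sig.pattern in value
               for name, value in parse_response_headers(raw))


# Constructed sample responses: a normal redirect, and one whose Location
# value carries the local-drive prefix the signature is meant to stop.
BENIGN = (b"HTTP/1.1 302 Found\r\nLocation: http://example.com/login\r\n"
          b"Content-Length: 0\r\n\r\n")
SUSPECT = (b"HTTP/1.1 302 Found\r\nlocation: C:\\placeholder\r\n"
           b"Content-Length: 0\r\n\r\n")
```

Note that the match is a plain substring test on the header value, so a `C:\` appearing only in the response body does not trigger the signature, which is why the article has you select Response headers rather than the body.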
For More Information
- What You Should Know About Ject (http://www.microsoft.com/presspass/press/2004/jun04/0625download-jectstatement.asp)
- Microsoft Security Bulletin MS04-013 (http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx)