WINE Still Vulnerable to WMF Exploit

blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."
  • Transmeta Crusoe (Score:5, Informative)

    by suso ( 153703 ) * on Friday January 06, 2006 @05:38PM (#14412242) Journal
    This reminds me of the initial press release on the Crusoe: one of the clueless reporters in the audience thought that the Crusoe would somehow avoid Windows crashing. One of the Transmeta people pointed out to him that if Windows crashes, the Crusoe will faithfully crash in the same way.
  • by Anonymous Coward on Friday January 06, 2006 @05:50PM (#14412331)
    The flaw is in gdi32.dll; WINE implements gdi32.dll. I'm not sure if WINE implements shimgvw.dll, but that is not where the flaw technically is; that just happens to be the easiest way to exploit the flaw.
  • Re:Not that insecure (Score:4, Informative)

    by cnettel ( 836611 ) on Friday January 06, 2006 @05:58PM (#14412400)
    Well, if you run as the same user as your normal home directory, it can be devastating enough. It's not like you need to be root to send out a thousand mails with your "personal" pictures transformed into virus vectors.
  • Re:Make a copy? (Score:5, Informative)

    by cnettel ( 836611 ) on Friday January 06, 2006 @06:05PM (#14412441)
    No, the Win32 version is (mostly) just calling down to the Win32K.sys file in the kernel. This isn't present in WINE. There are also other issues, but this single fact is the killer that makes it totally impossible to work. (aside from licensing issues :-)
  • Re:Kudos to WINE (Score:1, Informative)

    by Fordiman ( 689627 ) * on Friday January 06, 2006 @06:08PM (#14412458) Homepage Journal
    It's an API simulation layer. An emulator does the WHOLE environment. Wine does not do this, or you'd be able to use it under ppc linux.

    Meanwhile, this tells me one thing: Windows used an OSS vector graphics lib to implement WMF, as did wine. They're both exploitable under the same lib.
  • by c0d3r ( 156687 ) on Friday January 06, 2006 @06:09PM (#14412462) Homepage Journal
    Apparently the exploit method in the GDI DLL is SETABORT (vector 9).
    http://blogs.securiteam.com/index.php/archives/184 [securiteam.com]
    -c0d3r-
  • Re:Kudos to WINE (Score:3, Informative)

    by AKAImBatman ( 238306 ) <akaimbatman AT gmail DOT com> on Friday January 06, 2006 @06:11PM (#14412474) Homepage Journal
    It is one piece of software that is designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality. That my boy, is an emulator.

    Too bad that doesn't describe WINE. WINE is a run-time linker with a set of bundled libraries designed to be API compatible with the core Windows libraries. Absolutely NO emulation is happening.

    Now there is a WINE for OS X project going on that uses QEmu (or was it bochs? I forget) to do actual emulation of the x86 instruction set, but that's a completely separate project from WINE. QED.
  • Re:Kudos to WINE (Score:2, Informative)

    by Quantam ( 870027 ) on Friday January 06, 2006 @06:19PM (#14412537) Homepage
    What I want to know is whether Wine is vulnerable to this [uninformed.org] design flaw that allows hardware enforced data execution protection to be remotely disabled by a clever buffer overflow (one that injects no code of its own, so cannot be prevented by DEP). I should mention that I submitted this story to Slashdot, but it was rejected.
  • by gavriels ( 55831 ) on Friday January 06, 2006 @06:45PM (#14412807)
    Cedega is not affected by this exploit, as we don't support any META_ESCAPE commands in WMF playback at all.

    And Marcus Meissner's fix for WineHQ was checked in earlier today. 8-)

      -Gav
  • by Krach42 ( 227798 ) on Friday January 06, 2006 @06:46PM (#14412824) Homepage Journal
    Revision 1.12, Fri Jan 6 20:52:46 2006 UTC, by julliard
    Changes since 1.11: +7 -0 lines

    Marcus Meissner
    gdi: Filter GETSCALINGFACTOR and SETABORTDOC proc in metafile Escapes.

    Which changed wine/dlls/gdi/metafile.c from:
    case META_ESCAPE:
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
    To:
    case META_ESCAPE:
            switch (mr->rdParm[0]) {
            case GETSCALINGFACTOR: /* get function ... would just NULL dereference */
                return FALSE;
            case SETABORTPROC:
                FIXME("Filtering Escape(SETABORTPROC), possible virus?\n");
                return FALSE;
            }
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
    This is a first-day response.
  • by Tim Browse ( 9263 ) on Friday January 06, 2006 @06:53PM (#14412904)
    I very much suspect that WINE does implement the parsing/decoding of WMF files, and that is where the problem is. The WMF format allows the file to specify an error handler, which is the cause of the problem.

    Don't get hung up on gdi32.dll or shimgvw.dll or whatever - it's the API itself that WINE implements, not specific DLLs and entry points (although it might provide shims for those for some apps), and that's where the problem is.

  • by XMilkProject ( 935232 ) on Friday January 06, 2006 @06:55PM (#14412927) Homepage
    To answer another question I keep seeing:

    "Does anyone actually use WMF anyway?"

    There are actually some common uses of WMF on Windows, but because it is a metafile of GDI calls, it's not very portable (although it is easy to convert).
    Since displaying a WMF is nothing more than enumerating the list into a 'select case' statement (not a very long one either), it is very easy and VERY fast to display on Windows. (Really no processing is required.) For this reason, Microsoft uses WMF for all the MS Office clipart, and you'll find many other very Microsoft-centric applications using it as well.
  • by JBMesserly ( 747365 ) on Friday January 06, 2006 @07:01PM (#14412987)

    I'm pretty sure a more accurate expansion of WINE is: Wine Is Not a (CPU) Emulator. See the Wine FAQ [winehq.org]. As you correctly point out, Wine emulates (implements?) the Windows API, using the native CPU to execute code.

  • Re:Kudos to WINE (Score:3, Informative)

    by Eideewt ( 603267 ) on Friday January 06, 2006 @07:13PM (#14413088)
    Ooh, you have dictionaries. Here's the thing: a regular dictionary isn't always a reliable source when you're defining technical terms.
  • by Heembo ( 916647 ) on Friday January 06, 2006 @07:20PM (#14413152) Journal
    Alan Paller at SANS keeps calling this a "programming error" which I think is a load of BS. This WINE article only proves it - this is poor design from management folks. The trick is, security needs to be a core part of system design from the initial phases of the software lifecycle, and then at every step of the software lifecycle. This is not something only for Programmers and pure-tech folks. Now your Project Managers, Analysts, and even your upper management need to understand the COSTS AND ADDITIONAL TIME ASSOCIATED WITH HIGH-SECURITY PROGRAMMING.
  • Re:serious question (Score:2, Informative)

    by innocent_white_lamb ( 151825 ) on Friday January 06, 2006 @07:23PM (#14413180)
    A small business that I do some consulting for has stacks (literally) of CDs containing clipart in WMF format. Based on that, I would say that WMF appears to be a common format for commercial-off-the-shelf clipart disks.
  • Re:Patching WINE? (Score:2, Informative)

    by legalize.ganja.now. ( 923280 ) on Friday January 06, 2006 @08:04PM (#14413510) Homepage
    So all you have to do is run the WINE autoupdater? :-)

    exactly. to run the "WINE autoupdater" open a console and type the following commands:

    export CVSROOT=:pserver:cvs@cvs.winehq.org/home/wine
    cvs login

    the password is "cvs"
    cvs -z 3 checkout wine
    cd wine
    ./configure
    make
    su

    enter root password
    killall -s KILL wineserver
    make uninstall
    make install
    exit
    cd ..
    rm -rf wine

    wineconfig

    that's all! ;-) (the exploit is fixed in the cvs tree)
    of course you can make this even more "auto-ish" if you put the above commands into a text file, call "chmod +x" on that file and click on it ;-)

  • Re:serious question (Score:2, Informative)

    by cnettel ( 836611 ) on Friday January 06, 2006 @08:22PM (#14413631)
    Nice story, but it's wrong. A Windows meta file is a spooled set of GDI commands, nothing more, nothing less. That said, some high-level picture libraries will look for several types of image headers in the files they're fed, no matter the extension. The LoadBitmap API in GDI will not. You can load a BMP, JPG or PNG that way in any recent Windows release.

    Get your facts straight or stop feeding the trolls.

  • by cnettel ( 836611 ) on Friday January 06, 2006 @08:31PM (#14413684)
    While technically right, it's more like "they allow access to most of GDI, including one devastating method that allows you to feed a pointer to a callback proc if rendering fails".

    It's more complicated than WMF just being able to call anything inside GDI32.dll. This is demonstrated by the fact that SetAbortProc was never allowed; the way to do it in WMF was using the Escape function, which has an obsolete escape code for adding an abort proc in the context where it makes sense, for printer spooling.

    So the oversight is that an escape code was included for setting an abort proc, and there were valid uses for escape codes in WMF. The explicit and current way to set an abort proc was never allowed.

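    The record filtering in the Wine commit quoted above and the escape-code explanation in this comment can be turned into a small defensive scanner. The C program below is an added example, not Wine code or anything posted in the thread: it walks the record list of an in-memory WMF, rejects truncated or self-inconsistent record sizes, and counts META_ESCAPE records that carry the SETABORTPROC (9) or GETSCALINGFACTOR (14) sub-codes that the Wine fix refuses to play; the embedded sample file is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>

/* WMF record function codes and Escape() sub-codes, as in wingdi.h. */
#define META_EOF             0x0000
#define META_ESCAPE          0x0626
#define ESC_SETABORTPROC     9
#define ESC_GETSCALINGFACTOR 14
#define PLACEABLE_KEY        0x9AC6CDD7u   /* Aldus placeable header magic, 22 bytes long */
#define METAHEADER_BYTES     18

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Count META_ESCAPE records whose sub-code the Wine fix filters.
 * Returns -1 when the file is truncated or a record size is inconsistent. */
int wmf_count_filtered_escapes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int hits = 0;
    if (len >= 22 && rd32(buf) == PLACEABLE_KEY) off = 22;   /* skip placeable header */
    if (len - off < METAHEADER_BYTES) return -1;
    if (rd16(buf + off + 2) != 9) return -1;                 /* mtHeaderSize is 9 WORDs */
    off += METAHEADER_BYTES;
    for (;;) {
        if (len - off < 6) return -1;                        /* need rdSize + rdFunction */
        uint32_t words = rd32(buf + off);                    /* record size in WORDs */
        uint16_t func  = rd16(buf + off + 4);
        if (words < 3 || words > (len - off) / 2) return -1; /* 3 WORDs = size + function */
        if (func == META_EOF) break;
        if (func == META_ESCAPE && words >= 4) {
            uint16_t esc = rd16(buf + off + 6);              /* rdParm[0]: escape function */
            if (esc == ESC_SETABORTPROC || esc == ESC_GETSCALINGFACTOR) hits++;
        }
        off += (size_t)words * 2;
    }
    return hits;
}

/* Constructed sample: METAHEADER, META_SETMAPMODE, META_ESCAPE(SETABORTPROC), META_EOF. */
static const uint8_t sample_wmf[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x15,0x00,0x00,0x00, 0x00,0x00, 0x05,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,                   /* SETMAPMODE(MM_ANISOTROPIC) */
    0x05,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x00,0x00,        /* ESCAPE(SETABORTPROC, 0 bytes) */
    0x03,0x00,0x00,0x00, 0x00,0x00                               /* EOF */
};

int scan_sample(void) { return wmf_count_filtered_escapes(sample_wmf, sizeof sample_wmf); }
```

    A result of 1 on the sample means one escape record that Wine 1.12 of metafile.c would now skip; a truncated or oversized record yields -1 rather than a read past the buffer.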
  • by cnettel ( 836611 ) on Friday January 06, 2006 @08:44PM (#14413808)
    It is partly right, but this is a vulnerability just like being able to write a Javascript that alters files on your HD is a vulnerability. Javascript is even Turing complete (WMF isn't), but the important point is the domain you are executing in. There are plenty of GDI functions that you CAN'T call from a WMF, like setting an abort proc in another manner than the one used here, or getting a device context to draw in another window in the same session. In fact, I think you are not supposed, or allowed, to draw in another device context at all.

    WMF is not supposed to be any kind of code affecting the display and certainly not arbitrary x86 code. Therefore, this is a bug, but the bug was caused by the format design omission to allow the specific escape code used.

  • Re:serious question (Score:2, Informative)

    by jlarocco ( 851450 ) on Friday January 06, 2006 @08:46PM (#14413834) Homepage

    A WMF file is a very specific file format that contains a list of Windows GDI calls that describe how to draw an image. So obviously, most images on the interweb are not WMF files.

    It is possible to make a WMF file that lists the GDI calls to display a GIF/JPG/whatever file, but that still doesn't make the GIF/JPG/whatever files themselves WMF files.

  • by MarkusQ ( 450076 ) on Friday January 06, 2006 @09:30PM (#14414197) Journal

    "a set of bundled libraries designed to be API compatible"

    "designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality"

    What's the difference?

    Aren't the libraries bundled with WINE written to mimmick the responses of the equivalent Windows APIs? Sounds like emulation to me.

    I've always assumed that they were making the first wife / second wife distinction.

    Your second wife may provide all the services that you first wife did ("Please pass the salt" gets the salt handed to you just as before) but that is only an implementation of the same API--it doesn't mean that your second wife is "emulating" your first wife.

    If, on the other hand, your second wife discovers that your first wife used to have some bizarre behaviour (say, she would occasionally wake up screaming "Now Dasher! now, Dancer! now Prancer and Vixen! On, Comet! on, Cupid!" etc. in an overly excited voice even when it was nowhere near Christmas) and your second wife decided to start doing it too solely because it's what your first wife did, that would be emulation.

    To give a less whimsical example: a browser such as Opera isn't "emulating" Firefox just because they both render HTML, support javascript, etc. Only if the Opera folks were to add a "Firefox quirks mode" that also attempted to duplicate all the overt behaviour of Firefox would they be "emulating" it. (And to be "simulating" they would have to be duplicating the overt behaviour by virtue of having in some sense the "same" internal structure.)

    -- MarkusQ

  • by zjbs14 ( 549864 ) on Friday January 06, 2006 @10:18PM (#14414466) Homepage
    Yeah, that was a big concern back in the late 80's when WMF was developed for Windows 3.0 (AKA DOS but prettier). There were no elevated privileges, memory protection, or even networking to speak of. Heck, if you wanted to screw with something, all you had to do was write a TSR to hook into an interrupt.

    I agree, it probably should have been taken care of in the interim, but I wouldn't classify it as poor design (for the times).

  • by ZOverLord ( 902034 ) on Saturday January 07, 2006 @01:14AM (#14415195) Homepage Journal
    I have the latest test files created from version 1.17 both OFFLINE and ON-LINE as well as zip files for the last two prior releases 1.16 and 1.14 located here: http://www.dslreports.com/forum/remark,15188688#15188722 [dslreports.com] They can be used for testing, also there is a patch NOT supported by Microsoft for those running Windows 98 here: http://www.nod32.ch/en/download/tools.php [nod32.ch] It should be noted that these files have been used for many days and are safe for testing.
  • Re:Kudos to WINE (Score:1, Informative)

    by Anonymous Coward on Saturday January 07, 2006 @06:38AM (#14416018)
    "Windows used an OSS vector graphics lib to implement WMF, as did wine"

    Bullshit. No "vector graphics" lib is used to implement WMF let alone OSS. It's more like a list of "Draw a rectangle there", "Blit this surface to that" calls.
