WINE Still Vulnerable to WMF Exploit
blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."
Re:Kudos to WINE (Score:1, Informative)
Meanwhile, this tells me one thing: Windows used an OSS vector graphics lib to implement WMF, as did wine. They're both exploitable under the same lib.
GDI DLL Exploit Method (Score:2, Informative)
http://blogs.securiteam.com/index.php/archives/18
-c0d3r-
Re:Kudos to WINE (Score:3, Informative)
Too bad that doesn't describe WINE. WINE is a run-time linker with a set of bundled libraries designed to be API compatible with the core Windows libraries. Absolutely NO emulation is happening.
Now there is a WINE for OS X project going on that uses QEmu (or was it bochs? I forget) to do actual emulation of the x86 instruction set, but that's a completely separate project from WINE. QED.
Cedega is not affected by this exploit (Score:5, Informative)
And Marcus Messier's fix for WineHQ was checked in earlier today. 8-)
-Gav
IT'S FIXED IN THE CVS (Score:5, Informative)
Which changed wine/dlls/gdi/metafile.c from: To: This is a first-day response.
Re:I don't understand (Score:3, Informative)
Don't get hung up on gdi32.dll or shimgvw.dll or whatever - it's the API itself that WINE implements, not specific DLLs and entry points (although it might provide shims for those for some apps), and that's where the problem is.
Re:Why its not really a BUG, and why WINE has it t (Score:2, Informative)
"Does anyone actually use WMF anyway?"
There are actually some common uses of WMF on Windows, but because it is a metafile of GDI calls, it's not very portable (although it is easy to convert).
Since displaying a WMF is nothing more than enumerating the list into a 'select case' statement (not a very long one either) it is very easy and VERY fast to display on Windows. (Really no processing is required). For this reason, Microsoft uses WMF for all the MS Office clipart, and you'll find many other very Microsoft-centric applications using it as well.
Clarification: Wine Is Not a (CPU) Emulator (Score:2, Informative)
I'm pretty sure a more accurate expansion of WINE is: Wine Is Not a (CPU) Emulator. See the Wine FAQ [winehq.org]. As you correctly point out, Wine emulates (implements?) the Windows API, using the native CPU to execute code.
Re:Patching WINE? (Score:2, Informative)
exactly. to run the "WINE autoupdater" open a console and type the following commands:
export CVSROOT=:pserver:cvs@cvs.winehq.org/home/wine
cvs login
# the password is "cvs"
cvs -z3 checkout wine
cd wine
./configure
make
su
# enter the root password
killall -s KILL wineserver
make uninstall
make install
exit
cd ..
rm -rf wine
winecfg
that's all! ;-) (the exploit is fixed in the cvs tree)
of course you can make this even more "auto-ish" if you put the above commands into a text file, call "chmod +x" on that file and click on it
Re:serious question (Score:2, Informative)
Get your facts straight or stop feeding the trolls.
Re:Too bad that's wrong (Score:3, Informative)
It's more complicated than WMF just being able to call anything inside GDI32.dll. This is demonstrated by the fact that SetAbortProc was never allowed, the way to do it in WMF was using the Escape function, which has an obsolete escape code for adding an abort proc in the context where it makes sense, for printer spooling.
So the oversight is that an escape code was included for setting an abort proc, and there were valid uses for escape codes in WMF. The explicit and current way to set an abort proc was never allowed.
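An added example, not code from the thread or from Wine: a small Python scanner that walks the WMF record list the comments describe (a header followed by GDI call records) and reports any META_ESCAPE record whose sub-function is SETABORTPROC, which is the escape code the comment above identifies as the oversight. It assumes the record layout from the public MS-WMF specification (RecordSize in 16-bit words, RecordFunction with the function in its low byte) and builds its own minimal, payload-free sample files, labelled as constructed.

```python
import struct
from typing import Iterator, List, Tuple

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of META_HEADER
META_EOF = 0x0000
META_ESCAPE = 0x26             # low byte of RecordFunction 0x0626 (high byte = parameter word count)
SETABORTPROC = 0x0009          # Escape sub-function that registers an abort procedure

def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, RecordFunction, parameter bytes) for every record in a WMF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    mtype, header_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF META_HEADER")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # RecordSize is in 16-bit words
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError(f"malformed record size at offset {off}")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end

def find_abort_proc_escapes(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, ByteCount) of every META_ESCAPE record whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if (func & 0xFF) == META_ESCAPE and len(params) >= 4:   # match on the low byte only
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append((off, byte_count))
    return hits

def build_sample(with_escape: bool) -> bytes:
    """Constructed sample: one benign SETWINDOWEXT record, optionally an empty SETABORTPROC escape, then EOF."""
    recs = struct.pack("<IHhh", 5, 0x020C, 100, 100)                  # META_SETWINDOWEXT
    if with_escape:
        recs += struct.pack("<IHHH", 5, 0x0626, SETABORTPROC, 0)     # META_ESCAPE with ByteCount 0
    recs += struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(recs)) // 2, 0, 5, 0)
    return header + recs
```

The same walk is what a viewer does to render the file; a defender's scanner only needs to refuse or quarantine any file where the escape appears, since a well-formed image has no reason to set an abort procedure.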
Re:Why its not really a BUG, and why WINE has it t (Score:3, Informative)
WMF is not supposed to be any kind of code affecting the display and certainly not arbitrary x86 code. Therefore, this is a bug, but the bug was caused by the format design omission to allow the specific escape code used.
Re:serious question (Score:2, Informative)
A WMF file is a very specific file format that contains a list of Windows GDI calls that describe how to draw an image. So obviously, most images on the interweb are not WMF files.
It is possible to make a WMF file that lists the GDI calls to display a GIF/JPG/whatever file, but that still doesn't make the GIF/JPG/whatever files themselves WMF files.
The "if your second wife doesn't scream" test (Score:5, Informative)
I've always assumed that they were making the first wife / second wife distinction.
Your second wife may provide all the services that your first wife did ("Please pass the salt" gets the salt handed to you just as before) but that is only an implementation of the same API--it doesn't mean that your second wife is "emulating" your first wife.
If, on the other hand, your second wife discovers that your first wife used to have some bizarre behaviour (say, she would occasionally wake up screaming "Now Dasher! now, Dancer! now Prancer and Vixen! On, Comet! on, Cupid!" etc. in an overly excited voice even when it was nowhere near Christmas) and your second wife decided to start doing it too solely because it's what your first wife did, that would be emulation.
To give a less whimsical example: a browser such as Opera isn't "emulating" Firefox just because they both render HTML, support JavaScript, etc. Only if the Opera folks were to add a "Firefox quirks mode" that also attempted to duplicate all the overt behaviour of Firefox would they be "emulating" it. (And to be "simulating" they would have to be duplicating the overt behaviour by virtue of having in some sense the "same" internal structure.)
-- MarkusQ
Re:Programming Issue? No way! (Score:3, Informative)
I agree, it probably should have been taken care of in the interim, but I wouldn't classify it as poor design (for the times).
Re:Kudos to WINE (Score:1, Informative)
Bullshit. No "vector graphics" lib is used to implement WMF let alone OSS. It's more like a list of "Draw a rectangle there", "Blit this surface to that" calls.