funsec mailing list archives

Patch available for Windows, Wine is still exploitable.


From: H D Moore <hdm () metasploit com>
Date: Thu, 5 Jan 2006 17:22:21 -0600

Windows users now have a patch, but anyone using Wine, Cross-Over Office, 
or Cedega is still exploitable. The most practical exploit is to convince 
a Cross-Over Office user to load a Word document with an embedded WMF 
file (either with the bare header or the CLP header). 

Most "remote shell" payloads in the Metasploit Framework will execute just 
fine under the Wine environment, but you could easily swap this out with 
OS-detecting native code (Linux, BSD, etc).
 
Marcus Meissner (meissner[at]suse.de) has sent a patch in to the Wine 
development team, but end-users of the commercial derivatives may be out 
of luck for a while.

The funniest part about this is that the Wine developers who wrote the 
Meta File processing code didn't realize that it might be a security 
issue. Then again, neither did anyone with access to the Wine source code 
since it was written :-)

-HD


---
wine-20050930/dlls/gdi/driver.c
---

/**************************************************************             
Escape  [GDI32.@]
*/
INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data, LPVOID out_data )
{
    INT ret;
    POINT *pt;

    switch (escape)
    {
    case ABORTDOC:
        return AbortDoc( hdc );
[ snip ]
    case SETABORTPROC:
        return SetAbortProc( hdc, (ABORTPROC)in_data );
[ snip ]

---
wine-20050930/dlls/gdi/printdrv.c
---

/**********************************************************
 *           call_abort_proc16
 */
static BOOL CALLBACK call_abort_proc16( HDC hdc, INT code )
{
    ABORTPROC16 proc16;
    DC *dc = DC_GetDCPtr( hdc );

    if (!dc) return FALSE;
    proc16 = dc->pAbortProc16;
    GDI_ReleaseObj( hdc );
    if (proc16)
    {
        WORD args[2];
        DWORD ret;

        args[1] = HDC_16(hdc);
        args[0] = code;
        WOWCallback16Ex( (DWORD)proc16, WCB16_PASCAL, sizeof(args), args, &ret );
        return LOWORD(ret);
    }
    return TRUE;
}


/******************************************************
 *           SetAbortProc   (GDI32.@)
 *
 */
INT WINAPI SetAbortProc(HDC hdc, ABORTPROC abrtprc)
{
    DC *dc = DC_GetDCPtr( hdc );

    if (!dc) return FALSE;
    dc->pAbortProc = abrtprc;
    GDI_ReleaseObj( hdc );
    return TRUE;
}


---
wine-20050930/dlls/gdi/printdrv.c
---

/******************************************************************
 *                  EndPage  [GDI32.@]
 *
 */
INT WINAPI EndPage(HDC hdc)
{
    ABORTPROC abort_proc;
    INT ret = 0;
    DC *dc = DC_GetDCPtr( hdc );
    if(!dc) return SP_ERROR;

    if (dc->funcs->pEndPage) ret = dc->funcs->pEndPage( dc->physDev );
    abort_proc = dc->pAbortProc;
    GDI_ReleaseObj( hdc );
    if (abort_proc && !abort_proc( hdc, 0 ))
    {
        EndDoc( hdc );
        ret = 0;
    }
    return ret;
}

-HD
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
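The Wine excerpts above show the dangerous path: Escape() hands in_data (a pointer into the metafile record being played) straight to SetAbortProc(), and EndPage() later calls whatever that pointer is. The WMF record that reaches Escape() is a META_ESCAPE record whose escape function is SETABORTPROC. The following is an added example, not code from the post or from Wine: a small scanner that walks the records of a WMF blob and counts META_ESCAPE records with escape function SETABORTPROC, which is what a content filter or forensic triage script would look for. It handles the bare 18-byte WMF header; handling of the 22-byte placeable (Aldus) header is an assumption added here, since the post does not discuss it. The sample file is constructed inline for the test and carries zero filler where a real sample would carry the payload.

```c
/* Added example (not from the post or the Wine project): scan a WMF blob
 * for META_ESCAPE records with escape function SETABORTPROC. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define META_ESCAPE        0x0626       /* WMF record function: ESCAPE */
#define META_EOF           0x0000       /* WMF record function: end of file */
#define SETABORTPROC       9            /* GDI escape number */
#define PLACEABLE_MAGIC    0x9AC6CDD7u  /* Aldus placeable header magic (assumed) */
#define PLACEABLE_HDR_LEN  22
#define WMF_HDR_LEN        18

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static size_t wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; return 2; }
static size_t wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
    return 4;
}

/* Returns the number of SETABORTPROC escape records, or -1 if the blob does
 * not parse as a WMF file (bad header, undersized record, truncated record). */
int count_setabortproc(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int hits = 0;

    if (len >= 4 && rd32(buf) == PLACEABLE_MAGIC) {   /* optional placeable header */
        if (len < PLACEABLE_HDR_LEN) return -1;
        off = PLACEABLE_HDR_LEN;
    }
    if (len < off + WMF_HDR_LEN) return -1;

    /* Type 1 = in memory, 2 = on disk; header size is 9 words (18 bytes). */
    uint16_t type = rd16(buf + off);
    uint16_t hdr_words = rd16(buf + off + 2);
    if ((type != 1 && type != 2) || hdr_words != 9) return -1;
    off += WMF_HDR_LEN;

    /* Each record: Size (4 bytes, in 16-bit words), Function (2 bytes), params. */
    while (off + 6 <= len) {
        uint32_t rec_words = rd32(buf + off);
        uint16_t func = rd16(buf + off + 4);
        if (func == META_EOF) break;
        /* A record is at least 3 words; a smaller size would stall the loop,
         * and a size past the end of the buffer means truncated data. */
        if (rec_words < 3 || rec_words > (len - off) / 2) return -1;
        /* ESCAPE params: EscapeFunction (1 word), ByteCount (1 word), data.
         * Only read the escape number if the record is long enough to hold it. */
        if (func == META_ESCAPE && rec_words >= 5 && rd16(buf + off + 6) == SETABORTPROC)
            hits++;
        off += (size_t)rec_words * 2;
    }
    return hits;
}

/* Constructed sample for the test: bare header, optionally one
 * ESCAPE/SETABORTPROC record with 4 bytes of zero filler, then META_EOF.
 * Returns the length written to out (needs at least 40 bytes). */
size_t build_sample_wmf(uint8_t *out, int with_abortproc)
{
    uint8_t *p = out + WMF_HDR_LEN;     /* records first, header once size is known */
    uint32_t max_rec = 3;
    if (with_abortproc) {
        p += wr32(p, 7);                /* 3 words framing + 2 words escape fields + 2 words data */
        p += wr16(p, META_ESCAPE);
        p += wr16(p, SETABORTPROC);
        p += wr16(p, 4);                /* ByteCount of escape data */
        memset(p, 0, 4); p += 4;        /* filler; this is where in_data points */
        max_rec = 7;
    }
    p += wr32(p, 3);                    /* META_EOF record */
    p += wr16(p, META_EOF);
    size_t total = (size_t)(p - out);
    uint8_t *h = out;
    h += wr16(h, 1);                    /* Type: in memory */
    h += wr16(h, 9);                    /* HeaderSize in words */
    h += wr16(h, 0x0300);               /* Version */
    h += wr32(h, (uint32_t)(total / 2)); /* Size in words */
    h += wr16(h, 0);                    /* NumberOfObjects */
    h += wr32(h, max_rec);              /* MaxRecord in words */
    h += wr16(h, 0);                    /* NumberOfMembers */
    return total;
}

/* Build a sample and scan it; convenience wrapper used by main and the test. */
int scan_sample(int with_abortproc)
{
    uint8_t buf[64];
    size_t n = build_sample_wmf(buf, with_abortproc);
    return count_setabortproc(buf, n);
}

int main(void)
{
    printf("sample with SETABORTPROC: %d hit(s)\n", scan_sample(1));   /* 1 */
    printf("sample without:           %d hit(s)\n", scan_sample(0));   /* 0 */
    return 0;
}
```

Any hit is worth blocking or quarantining: SETABORTPROC has no legitimate use inside a picture file, and a positive count does not depend on the payload bytes, so the check is not fooled by changing the shellcode. The scanner deliberately refuses records shorter than three words and records that run past the buffer, since a malformed size is the other way a metafile parser gets hurt.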
