funsec mailing list archives
Patch available for Windows, Wine is still exploitable.
From: H D Moore <hdm () metasploit com>
Date: Thu, 5 Jan 2006 17:22:21 -0600
Windows users now have a patch, but anyone using Wine, Cross-Over Office, or Cedega is still exploitable. The most practical exploit is to convince a Cross-Over Office user to load a Word document with an embedded WMF file (either with the bare header or the CLP header). Most "remote shell" payloads in the Metasploit Framework will execute just fine under the Wine environment, but you could easily swap this out with OS-detecting native code (Linux, BSD, etc).

Marcus Meissner (meissner[at]suse.de) has sent a patch in to the Wine development team, but end-users of the commercial derivatives may be out of luck for a while.

The funniest part about this is that the Wine developers who wrote the Meta File processing code didn't realize that it might be a security issue. Then again, neither did anyone with access to the Wine source code since it was written :-)

-HD

--- wine-20050930/dlls/gdi/driver.c ---

    /**************************************************************
     *           Escape  [GDI32.@]
     */
    INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data, LPVOID out_data )
    {
        INT ret;
        POINT *pt;

        switch (escape)
        {
        case ABORTDOC:
            return AbortDoc( hdc );

        [ snip ]

        case SETABORTPROC:
            /* in_data (taken from the metafile record) is cast straight to a function pointer */
            return SetAbortProc( hdc, (ABORTPROC)in_data );

        [ snip ]

--- wine-20050930/dlls/gdi/printdrv.c ---

    /**********************************************************
     *           call_abort_proc16
     */
    static BOOL CALLBACK call_abort_proc16( HDC hdc, INT code )
    {
        ABORTPROC16 proc16;
        DC *dc = DC_GetDCPtr( hdc );

        if (!dc) return FALSE;
        proc16 = dc->pAbortProc16;
        GDI_ReleaseObj( hdc );

        if (proc16)
        {
            WORD args[2];
            DWORD ret;

            args[1] = HDC_16(hdc);
            args[0] = code;
            WOWCallback16Ex( (DWORD)proc16, WCB16_PASCAL, sizeof(args), args, &ret );
            return LOWORD(ret);
        }
        return TRUE;
    }

    /******************************************************
     *           SetAbortProc  (GDI32.@)
     *
     */
    INT WINAPI SetAbortProc(HDC hdc, ABORTPROC abrtprc)
    {
        DC *dc = DC_GetDCPtr( hdc );

        if (!dc) return FALSE;
        dc->pAbortProc = abrtprc;   /* stored without validation, called later from EndPage */
        GDI_ReleaseObj( hdc );
        return TRUE;
    }

--- wine-20050930/dlls/gdi/printdrv.c ---

    /******************************************************************
     *           EndPage  [GDI32.@]
     *
     */
    INT WINAPI EndPage(HDC hdc)
    {
        ABORTPROC abort_proc;
        INT ret = 0;
        DC *dc = DC_GetDCPtr( hdc );
        if(!dc) return SP_ERROR;

        if (dc->funcs->pEndPage)
            ret = dc->funcs->pEndPage( dc->physDev );
        abort_proc = dc->pAbortProc;
        GDI_ReleaseObj( hdc );
        if (abort_proc && !abort_proc( hdc, 0 ))   /* the registered callback is invoked here */
        {
            EndDoc( hdc );
            ret = 0;
        }
        return ret;
    }

-HD

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
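The post describes the vulnerable path (a WMF Escape record carrying SETABORTPROC registers an arbitrary pointer as a callback that EndPage later invokes). From a defender's side, the useful thing is to spot such records in files before they reach a metafile player. The following scanner is an added example, not code from the post, from Wine or from the Metasploit project: it walks the WMF record stream, handling the optional placeable (Aldus) header, and flags any META_ESCAPE record whose escape code is SETABORTPROC. The constants META_ESCAPE (0x0626), SETABORTPROC (9) and the placeable-header magic are the standard Windows values; the sample files below are constructed inline for the demonstration. The match is made on the low byte of the record function because the high byte of a WMF record function only encodes a parameter count, and a record whose declared size is smaller than its own 6-byte header is reported as malformed and scanning stops rather than looping.

```python
import struct

META_ESCAPE = 0x0626          # WMF record function: Escape
META_EOF = 0x0000             # WMF record function: end of metafile
SETABORTPROC = 9              # GDI escape code: register an abort callback
PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the 22-byte placeable (Aldus) header
META_HEADER_LEN = 18          # standard WMF header: 9 WORDs
RECORD_HEADER_LEN = 6         # DWORD size-in-words + WORD function


def parse_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF blob.

    params is None for a record whose size field is smaller than the record
    header itself; iteration stops there (and at META_EOF)."""
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22  # skip the placeable header (checksum is not validated here)
    if len(data) < pos + META_HEADER_LEN:
        raise ValueError("truncated WMF header")
    mtype, header_words, _version = struct.unpack_from("<HHH", data, pos)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    pos += META_HEADER_LEN
    while pos + RECORD_HEADER_LEN <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        if size_words < 3:            # cannot even hold its own header
            yield pos, function, None
            return
        size_bytes = size_words * 2
        yield pos, function, data[pos + RECORD_HEADER_LEN:pos + size_bytes]
        if function == META_EOF:
            return
        pos += size_bytes


def scan_wmf(data):
    """Return a list of (offset, description) findings for one WMF blob."""
    findings = []
    for offset, function, params in parse_wmf_records(data):
        if params is None:
            findings.append((offset, "malformed record size"))
            break
        # Only the low byte of the function identifies the record type.
        if (function & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == SETABORTPROC:
                findings.append((offset, "META_ESCAPE SETABORTPROC"))
    return findings


# --- constructed sample files (not real-world captures) ---

def _record(function, params=b""):
    if len(params) % 2:
        params += b"\x00"             # records are WORD-aligned
    return struct.pack("<IH", (RECORD_HEADER_LEN + len(params)) // 2, function) + params

# type=1 (memory), header=9 words, version 3.0, remaining size fields zeroed
STD_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
# placeable header: magic, handle, bbox (0,0,100,100), 96 dpi, reserved, checksum 0
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)

BENIGN_WMF = STD_HEADER + _record(0x0103, struct.pack("<H", 1)) + _record(META_EOF)
ABORTPROC_WMF = (STD_HEADER
                 + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))
                 + _record(META_EOF))
# same escape with a non-standard high byte in the function, behind a placeable header
HIGHBYTE_WMF = (PLACEABLE + STD_HEADER
                + _record(0x1626, struct.pack("<HH", SETABORTPROC, 0))
                + _record(META_EOF))
MALFORMED_WMF = STD_HEADER + struct.pack("<IH", 0, 0x0103) + _record(META_EOF)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF),
                       ("highbyte", HIGHBYTE_WMF), ("malformed", MALFORMED_WMF)]:
        print(name, scan_wmf(blob))
```

The scanner only answers "does this file ask the player to register an abort procedure"; a real deployment would apply it to WMF streams extracted from their carriers (the embedded-in-Word case the post mentions, or the CLP clipboard wrapper) and treat any hit as a reason to block or quarantine, since a legitimate image has no reason to use that escape.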