Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] WINE Information Disclosure

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] WINE Information Disclosure
Date: 22 Mar 2005 10:54:03 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  WINE Information Disclosure
------------------------------------------------------------------------


SUMMARY

 <http://winehq.org/> Wine is "an Open Source implementation of the 
Windows API on top of X and UNIX".

WINE dumps a registry copy of a WIN32 program in the /tmp directory. Any 
user in a multi user environment can read this file and learn sensitive 
information about the user using the WINE environment.

DETAILS

Vulnerable Systems:
 * WINE build 20050310 and prior

When a Win32 application is launched by WINE, WINE makes a dump of the 
Windows registry in /tmp with name regxxxxyyyy.tmp , where xxxxxx is the 
pid in hexadecimal value of the current wine process and yyyy is an 
integer value usually equal to zero.

regxxxxyyyy.tmp is created with 0644 ( -rw-r--r-- )permissions. This could 
represent a security problem in a multi-user environment. Any local user 
could access to windows registry's dump and get sensitive information, 
like passwords and other private data.

Code Snipps:
The functions affected are _get_tmp_fn(FILE **) in 
$winerelease/misc/registry.c and save_branch( struct key *key, const char 
*path ) in $winerelease/server/registry.c

_get_tmp_fn(FILE **) @ $winerelease/misc/registry.c :
static LPSTR _get_tmp_fn(FILE **f)
{
LPSTR ret;
int tmp_fd,count;

ret = _xmalloc(50);
for (count = 0;;) {
sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++);

//here file regxxxyyyy.tmp is not created with secure permissions
if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break;
if (errno != EEXIST) {
ERR("Unexpected error while open() call: %s\n",strerror(errno));
free(ret);
*f = NULL;
return NULL;
}
}

save_branch( struct key *,const char * ) @ $winerelease/server/registry.c:

static int save_branch( struct key *key, const char *path )
{
struct stat st;
char *p, *real, *tmp = NULL;
int fd, count = 0, ret = 0, by_symlink;
FILE *f;


======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] WINE Information Disclosure, SecuriTeam <=
Previous by Date:  [UNIX] Multiple Vulnerabilities in PHP (Information Discloser, File Access, Negative Reference, Integer Handeling Bug, Buffer Overflow, Directory Traversal, Arbitrary File Upload), SecuriTeam
Next by Date:  [NEWS] Java Web Start Argument Injection Vulnerability (property), SecuriTeam
Previous by Thread:  [UNIX] Multiple Vulnerabilities in PHP (Information Discloser, File Access, Negative Reference, Integer Handeling Bug, Buffer Overflow, Directory Traversal, Arbitrary File Upload), SecuriTeam
Next by Thread:  [NEWS] Java Web Start Argument Injection Vulnerability (property), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]