[UNIX] WINE Information Disclosure

• Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in PHP (Information Discloser, File Access, Negative Reference, Integer Handeling Bug, Buffer Overflow, Directory Traversal, Arbitrary File Upload)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 22 Mar 2005 10:54:03 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  WINE Information Disclosure
------------------------------------------------------------------------

SUMMARY

 <http://winehq.org/> Wine is "an Open Source implementation of the
Windows API on top of X and UNIX".

WINE dumps a registry copy of a WIN32 program in the /tmp directory. Any
user in a multi user environment can read this file and learn sensitive
information about the user using the WINE environment.

DETAILS

Vulnerable Systems:
 * WINE build 20050310 and prior

When a Win32 application is launched by WINE, WINE makes a dump of the
Windows registry in /tmp with name regxxxxyyyy.tmp , where xxxxxx is the
pid in hexadecimal value of the current wine process and yyyy is an
integer value usually equal to zero.

regxxxxyyyy.tmp is created with 0644 ( -rw-r--r-- )permissions. This could
represent a security problem in a multi-user environment. Any local user
could access to windows registry's dump and get sensitive information,
like passwords and other private data.

Code Snipps:
The functions affected are _get_tmp_fn(FILE **) in
$winerelease/misc/registry.c and save_branch( struct key *key, const char
*path ) in $winerelease/server/registry.c

_get_tmp_fn(FILE **) @ $winerelease/misc/registry.c :
static LPSTR _get_tmp_fn(FILE **f)
{
LPSTR ret;
int tmp_fd,count;

ret = _xmalloc(50);
for (count = 0;;) {
sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++);

//here file regxxxyyyy.tmp is not created with secure permissions
if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break;
if (errno != EEXIST) {
ERR("Unexpected error while open() call: %s\n",strerror(errno));
free(ret);
*f = NULL;
return NULL;
}
}

save_branch( struct key *,const char * ) @ $winerelease/server/registry.c:

static int save_branch( struct key *key, const char *path )
{
struct stat st;
char *p, *real, *tmp = NULL;
int fd, count = 0, ret = 0, by_symlink;
FILE *f;

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in PHP (Information Discloser, File Access, Negative Reference, Integer Handeling Bug, Buffer Overflow, Directory Traversal, Arbitrary File Upload)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]