
January 5th, 2006

Linux/BSD still exposed to WMF exploit through WINE!

Posted by George Ou @ 3:03 pm

Categories: Security


While news of Microsoft’s official patch for the WMF exploit reaches the web, I just received an email from H D Moore (founder of the Metasploit Project and creator of the original proof-of-concept WMF exploit code) that WINE was still vulnerable to the WMF exploit. He was kind enough to even include a sample of the updated proof-of-concept and had this to say:

H D Moore:
All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs.  The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data. The most feasible way this could happen is via a malicious WMF file embedded into a Word document, opened in Microsoft Office and running under Cross-Over Office.

Marcus Meissner (meissner@suse.de) contacted the Wine development team and sent them a patch to fix this flaw.

More from H D Moore:
Successful exploitation could result in either Windows or "native" shellcode executing on the system. The nice thing about the Wine environment is that most Metasploit Framework payloads will execute just fine under it. This isn’t the first time that a Windows flaw was directly applicable to the Wine environment, but this may be the first time that the flaw was in the operating system itself.

Windows 2000, XP and 2003 users should immediately install the official patch from Microsoft. While it isn’t absolutely necessary, it is recommended that you uninstall the unofficial patch first. Note that the unofficial patch required a system restart during installation and un-installation. [Updated 1/6/2006 9:28 AM: Windows XP does require a reboot with the official Microsoft patch. It just didn't require me to reboot because I already had the leaked patch from Microsoft installed.] The official patch from Microsoft conveniently does not require a reboot as far as I can tell on Windows XP SP2. Windows 2000 seems to require a reboot after the installation.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
Accuracy  Yagotta B. Kidding | 01/05/06
So this isn't a WINE problem?  george_ou | 01/05/06
Define "problem."  Yagotta B. Kidding | 01/05/06
Problem? No not really  uno@... | 01/05/06
Better than surf with ie under WINE  psychoslave | 01/07/06
Not very common  uno@... | 01/09/06
You need to read before commenting  stephen0838_z | 01/09/06
Oh Noooooooooooooooooo!  D. T. Schmitz | 01/05/06
The Microsoft Patch Requires Reboots  PMC-CON | 01/05/06
Reboots for Win2K AND XP Pro for me  ericha8 | 01/05/06
Windows 2003 server needs to reboot also  gtdavies33@... | 01/05/06
Ok, I'll correct  george_ou | 01/05/06
Could you correct it?  quantumstate | 01/06/06
Fortunately I don't use wine  Michael Kelly | 01/05/06
I don't  D. T. Schmitz | 01/05/06
I don't do Linux wine  palmwarrior | 01/05/06
No Wine Here  Edward Meyers | 01/06/06
I don't use wine  tracy anne | 01/06/06
Don't  D. T. Schmitz | 01/07/06
No wine  xyz10_z | 01/07/06
I do!  doh123 | 01/09/06
I do...  Twey | 01/09/06
I do  maldain | 01/09/06
Skeptical  Yen_z | 01/05/06
Exploit info please!  Still Lynn | 01/06/06
Doh!  Still Lynn | 01/06/06
OK  tombalablomba | 01/06/06
Please explain...  Anti_Zealot | 01/06/06
Please note...  zkiwi | 01/07/06
English Please!  TheBoyBailey | 01/06/06
Whine  Roger Ramjet | 01/06/06
Sun Tzu  horusfalcon | 01/06/06
You're right!  Roger Ramjet | 01/06/06
One exception...  techboy_z | 01/06/06
You still need a copy of Windoze  Roger Ramjet | 01/06/06
Nope  Yagotta B. Kidding | 01/06/06
Whine  Gregory.J.Bradley@... | 01/09/06
not really, you used to  doh123 | 01/09/06
VMware cannot do what i do with Cadega  doh123 | 01/09/06
clamav, the premier linux AV, is in the 100% detection list for WMF exploit  ~doolittle~ | 01/06/06
Exposed how...???  Someguy2 | 01/06/06
George Ou & ZDNet desperation  zdnet_reader | 01/06/06
Holy Socks!!!  Cayble | 01/09/06
wine code already fixed  ~doolittle~ | 01/06/06
Beautious  D. T. Schmitz | 01/07/06
Mr. Ou, could you please update for this information, please?  Anti_Zealot | 01/08/06
I'm checking with Mr. Moore  george_ou | 01/08/06
Thank you  Anti_Zealot | 01/08/06
just check out the cvs code...  ~doolittle~ | 01/08/06
and on with building the latest code from the cvs source  ~doolittle~ | 01/08/06
fixed in cross over also  timeofmind | 01/10/06
Linux more vulnerable than Windows  gafisher@... | 01/09/06
Reaching! Anything to get the eyes of MS!  graphx | 01/09/06
sadly, little know that many distros have it installed on default  doh123 | 01/09/06
not on RedHat, Fedora, Centos, Ubuntu or Debian  ~doolittle~ | 01/09/06
Does it run by default?  Still Lynn | 01/09/06
No, never  bladehawke | 01/09/06
not accurate  Scott W | 01/12/06
Who cares.  John Zern | 01/09/06
Firefox  Marcus Lycus | 01/09/06
George, req another update - Cedega is not affected by this exploit  ~doolittle~ | 01/09/06
seriously, wine?  jefmud | 01/09/06
Proof of Linux vulnerability  golowenow | 01/09/06
Proof of Linux security  ~doolittle~ | 01/09/06
Proof of user vulnerability  gafisher@... | 01/09/06
It's a WINDOWS vulnerability!!!  mdsmedia | 01/09/06
swish  Scott W | 01/12/06
Mike?  Scott W | 01/12/06
rofl  Network Support | 01/09/06
Too stupid for words  shis-ka-bob | 01/09/06
WINE and LINUX  Marcus Lycus | 01/09/06
WMF exploit through WINE  Tombo_z | 01/09/06
was patched in less than a day.  ~doolittle~ | 01/09/06
And yet....  Anti_Zealot | 01/10/06
Hey George guess what???  tombalablomba | 01/09/06
LIKE SAYING SONY'S ROOTKIT IS A WINDOWS PROBLEM  daver_z | 01/10/06
yay!  linuxoverwindows | 01/10/06
Emulation must be flattery surely?  GetReal-mac.com | 01/10/06
on that day...  Scott W | 01/12/06
I thought the Secunia/Red Hat article was moronic  IAHawkeye | 01/13/06
More to it than that  mobrien_12@... | 01/15/06
Absolutely! Well said  IAHawkeye | 01/18/06
