Can WINE Compromise Unix?
gbulmash asks: "As APIs like WINE and Crossover Office gradually make it easier to run Windows binaries on Unix, will the system inherit some of Windows' vulnerabilities? For example, has anyone tried to get Outlook up and running under Wine, then deliberately tried to infect themselves with a Windows virus to see if it could raid the Outlook address book and start mailing itself out? It just seems to stand to reason that the better these systems get at running Windows binaries, the easier it will become to infect them with Windows viruses. Or am I just totally off base here?"
Who in their right mind would even consider ATTEMPTING to run outlook under linux?
I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
I think the greater risk involved in widespread availability of WINE is the possibility that developers will feel even less need to code natively for linux - a necessary evil, I suppose. Also, wine doesn't require you to run as root (IIRC). Of course, non-privilege elevation exploits like outlook virus email spam will be possibilities - why do you even have cause to think differently? You can use mozilla instead of outlook, or implement filtering at your mail server. Just don't execute attachments, apply the MS patches and so on.
"The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
You are totally on-base here.
That's why I don't run WINE and have absolutely no appreciation for the WINE project. At all. The effort would be better spent writing software for Linux that at least has some measure of security built into the OS.
If you run proprietary software, then you have proprietary bugs and security holes. WINE is a lot of work, just to provide a crutch for people who want to say they run Linux, but are afraid of learning a different way to get their stuff done.
...
someone did this, with one of the outlook viruses, I think it was KLEZ, and I remember it made slashdot
basically it's programmed to look for an SMTP on localhost if it doesn't find a default one in the registry, and it started sending viruses out
so um
yeah
Buttsex.
WINE is very commonly used to run ONE key application among Linux applications, under one user's permissions. If the key application communicates with the network, the network may be compromised but the Linux server itself will not.
This is much like running Win95 in vmware or bochs and infecting it with a virus. Another separate win95 session in bochs or vmware will not be affected, nor will Linux's other mail/X/services be affected.
I'm sure there are enough Outlook lookalikes for Linux, and rather than stretching yourself for outstanding feats of engineering in Linux, try training users a little. It works.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Being blindly dismissive is one attribute of Linux zealots that turns many people - people who would otherwise be interested in learning more about Linux - off.
This is a very strange use of the term "zealot." In most non-warped contexts, a zealot is someone who passionately cares about some topic, and generally insists that others share their view. To call someone a zealot specifically because they are dismissively indifferent to what other people think or do is odd enough, but the capping irony is warning them off of their attitude because it might "turn people off".
I think there is a deep and prevalent misunderstanding of what was once a very common attitude, summed up in phrases like "to each his own" and "live and let live"--so many people today can't seem to grasp the idea that people might say something blindly dismissive, not as a marketing ploy for some product or a public relations posture for some company, but as an honest statement of an individual who isn't trying to sell anything.
-- MarkusQ
P.S. I can just hear all the people asking themselves "What an odd comment to make; I wonder what his angle is?"
The big advantage to something like wine (or to a lesser extent, dosemu, mars, etc.) is that you can insert shims at pretty much any level to catch / filter / stop / watch this sort of thing. I find it amazingly useful to be able to instrument & monitor pretty much any level I want (with the usual caveats about making sure you don't break things by inappropriate logging, etc.). It shouldn't be too hard to put a rubber-room/internal firewall around whatever infection prone software you felt like running, and stopping these things dead in their tracks. (e.g., by default, cap the rate at which network traffic can flow out of applications running under wine, lower the boom if they try to send out too much e-mail too quickly, etc).
-- MarkusQ
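One way to implement the "too much e-mail too quickly" trip-wire from the comment above, as an added example that is not part of the thread: a sliding-window counter over a log of outbound connections made by processes running under Wine, flagging any process that exceeds a cap on SMTP connections. The log format, process names and addresses are constructed for this example.

```python
# Added example (not from the thread): detect an SMTP burst from a Wine
# process, the kind of rate cap MarkusQ sketches above. The log format,
# pids, image names and addresses below are constructed sample data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, pid, image name, destination host:port.
SAMPLE_LOG = """\
2003-10-12T14:02:11 pid=4321 exe=outlook.exe dst=192.0.2.25:25
2003-10-12T14:02:12 pid=4321 exe=outlook.exe dst=192.0.2.25:25
2003-10-12T14:02:12 pid=4321 exe=outlook.exe dst=192.0.2.25:25
2003-10-12T14:02:13 pid=4321 exe=outlook.exe dst=192.0.2.25:25
2003-10-12T14:02:13 pid=4321 exe=outlook.exe dst=192.0.2.25:25
2003-10-12T14:02:14 pid=4321 exe=outlook.exe dst=192.0.2.25:25
2003-10-12T14:05:00 pid=5678 exe=putty.exe dst=192.0.2.40:22
2003-10-12T14:09:30 pid=4321 exe=outlook.exe dst=192.0.2.25:25
"""

def parse_line(line):
    """Parse one constructed log line into (timestamp, pid, exe, dst_port)."""
    ts, pid, exe, dst = line.split()
    return (datetime.fromisoformat(ts),
            int(pid.split("=", 1)[1]),
            exe.split("=", 1)[1],
            int(dst.rsplit(":", 1)[1]))

def find_smtp_bursts(log_text, max_conns=5, window=timedelta(seconds=60),
                     smtp_ports=(25, 465, 587)):
    """Return a list of (pid, exe, timestamp) alerts: one per process, the
    first time it makes more than max_conns SMTP connections inside the
    sliding window. Non-SMTP traffic (e.g. ssh) is ignored."""
    recent = defaultdict(deque)   # pid -> timestamps of recent SMTP connects
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, exe, port = parse_line(line)
        if port not in smtp_ports:
            continue
        q = recent[pid]
        q.append(ts)
        # drop connects that have fallen out of the window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_conns and pid not in alerted:
            alerted.add(pid)
            alerts.append((pid, exe, ts))
    return alerts

if __name__ == "__main__":
    for pid, exe, ts in find_smtp_bursts(SAMPLE_LOG):
        print(f"SMTP burst: pid {pid} ({exe}) at {ts.isoformat()}")
```

In a real deployment the log lines would come from whatever shim or firewall logging sits around the Wine processes; the single connection at 14:09:30 shows a process that has fallen back below the cap does not re-alert.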
Applying MS patches to Wine is like swallowing the spider. What the hell for. You cannot screw up root with wine so why worry, if your home dir gets screwed, save the good files and off it. rpm-e wine... and the windows fake Cdrive then reinstall it. The beauty is there are scripts to do Linux backups of your wine install so there is no problem running multiple sessions of wine with different fake C drives, in different users' home dirs. Try that with Windows software!
OH THE SHAME I fell off the wagon and use sigs again!
pretty sane choice by me :)
Remember just like networking, software has levels also. In the case of windows and viruses it would seem that there are 4 levels you need worry about. The bottom most layer is of course the core of the OS, the kernel; layer 1 would be the OS interoperability layer, layer 2 the api and layer 3 the application itself. ( yes you could break them down into finer layers but for this argument 4 is fine.) Running wine, layers 0 and 1 are replaced completely. Layer 2 is a functional and structural equivalent. Any virus based on its concepts should in effect still work, however most at that level are specific code exploits. Most importantly you have the application layer (3); since this code is the same, any virus designed to run exclusively in this layer should by all means be fully functional. Fortunately this is going to be in user space and should not affect the rest of the system outside of the specific application.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical, OK
The more complex a system is, the less predictable it is. That's why there is a KISS principle.
The latest Slashdot meme.
Sure, with windows, you use vmware for something similar.
When you want to test software, start up the relevant test virtual machine you want, run the stuff. If anything goes wrong, extract the information you need, then click "revert". And you revert to the pristine snapshot.
No need to restore. You can make copies of the pristine snapshot just to be sure.
Heck you could even run your email software in one virtual machine, and browse in another. If you download something funny in your email and stuff goes wrong, click "revert". Make sure you have "leave mail on server for X days", that way you can redownload mail after you revert or if you revert by mistake.
Wine was an essential tool.
There are some applications that you just can't get converted to Linux easily, and Wine is a good solution.
In our case we are primarily using OpenOffice.org, Evolution and Mozilla Firebird as Linux apps, but the essential application that shows the users a nice map of our country with legal boundaries accurately marked is not (yet) available under Linux.
Should we delay our Linux rollout for this? No. The app does everything it needs to under Wine, and we are rolling those desktops out on time.
Once we have 140 PCs out there running Linux, however, the pressure will come on the supplier to provide us a native Linux version next time.
That all seems to me to be a perfect example both of why it is needed, and also of why it is a damn good idea.
Thanks for the project, guys - it's getting to be useful :-)
Generally, I try to set things up so the Windows instance doesn't have any ports open to the world, and if at all possible, its "filesystem" is within a file in the real filesystem, so it can't trash anything but itself. :)
sure, this can happen. you can get infected and start spewing out email and whatnot. but if you configure wine correctly, it's pretty brainless to fix. i run wine with no access to network drives or my home directory. it just has access to /tmp and its own fake_windows/ directory under .wine/
purge fake_windows and you just took care of the problem. granted this isn't such a great solution if you want to keep persistent data around, but it works great for 1-time applications where you just want to fuddle with it and never see it again.
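A way to check that a Wine install really is confined the way this comment describes (only its own fake Windows tree plus /tmp), as an added example that is not from the thread: audit the drive letters a prefix exposes and drop any that reach outside. It assumes the modern Wine layout, where `$WINEPREFIX/dosdevices/<letter>:` is a symlink to the host directory backing that drive (Wine's default maps `z:` to `/`); the `.wine/fake_windows` tree in the comment is the older layout, so the same check would be applied to the drive entries in the old config file instead.

```python
# Added example (not from the thread): audit which host directories a Wine
# prefix exposes as drive letters, and remove the ones that escape the
# sandbox. Assumes the modern $WINEPREFIX/dosdevices/<letter>: symlink layout.
import os
import tempfile

def audit_wine_drives(prefix, allowed=("/tmp",)):
    """Return {letter: resolved target} for every drive whose target lies
    outside the prefix itself and outside the explicitly allowed directories."""
    prefix = os.path.realpath(prefix)
    allowed_roots = [prefix] + [os.path.realpath(a) for a in allowed]
    dosdevices = os.path.join(prefix, "dosdevices")
    exposed = {}
    if not os.path.isdir(dosdevices):
        return exposed
    for name in sorted(os.listdir(dosdevices)):
        # drive letters look like "c:"; other entries (com1, lpt1, ...) are devices
        if len(name) != 2 or name[1] != ":":
            continue
        link = os.path.join(dosdevices, name)
        if not os.path.islink(link):
            continue
        target = os.path.realpath(link)
        inside = any(target == root or target.startswith(root + os.sep)
                     for root in allowed_roots)
        if not inside:
            exposed[name] = target
    return exposed

def lock_down(prefix, allowed=("/tmp",)):
    """Unlink every drive mapping that audit_wine_drives flags; return the letters removed."""
    removed = []
    for letter in audit_wine_drives(prefix, allowed):
        os.unlink(os.path.join(prefix, "dosdevices", letter))
        removed.append(letter)
    return removed

def make_demo_prefix():
    """Build a constructed prefix in a temp dir: c: inside it, z: mapped to /,
    which is what a stock Wine prefix looks like before any lock-down."""
    prefix = tempfile.mkdtemp(prefix="wine-demo-")
    os.makedirs(os.path.join(prefix, "drive_c"))
    os.makedirs(os.path.join(prefix, "dosdevices"))
    os.symlink("../drive_c", os.path.join(prefix, "dosdevices", "c:"))
    os.symlink("/", os.path.join(prefix, "dosdevices", "z:"))
    return prefix

if __name__ == "__main__":
    demo = make_demo_prefix()
    print("exposed before:", audit_wine_drives(demo))   # z: -> /
    print("removed:", lock_down(demo))
    print("exposed after:", audit_wine_drives(demo))    # {}
```

Run it against a real prefix with `audit_wine_drives(os.path.expanduser("~/.wine"))`; add the CD-ROM mount point to `allowed` if the application needs it, as one commenter below suggests.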
It's actually very odd, but I found sub7 runs in wine perfectly.. but it doesn't run in normal user. Oddly enough, that could make it more a hazard, because if someone receives an exe from someone else and it doesn't run on wine, then they might su and try it in root.. The major security problems can be avoided by locking the drives in wine though to only the fake windows directory and cdrom. Overall, it's not really plausible to find exploits in the wine code and use them
I have yet to actually find a true Virus in quite some time. I feel like rambling tonight! WOO HOO!.
So, to save time: WINE+Outlook=YES. Outlook is COM based. The worms that Script Kiddies cut-and-paste together use COM to access the Outlook DB to pick addresses, and then most use COM (or Winsock which is interfaced to the Linux Socket environment) to send the e-mails outbound containing their script-kiddie payload. BUT, THESE ARE NOT VIRUSES! 1) They require other applications to be running. 2) They are not self-infecting. They require the second hand user to do something (click the .VBS file attached.. DUH! HELLO!?!?). 3) They are not native code, rather just scripts.
Back in the old days, we had true viruses on computers. These would make themselves TSR's (Terminate and Stay Resident for you Windows only script kiddies). They would then append their own startup code to the EXE. Finally, they modify an EXE's header so that their startup code would execute them, and then execute the program.
Part of the virii's startup code was to "infect" all other EXE's on the computer. This meant that if you ran the program, every time you had an INT21 executed (in the MSDOS/PCDOS days, this was a file access system interrupt), it would search for other EXE's to attach to, or possibly execute its code.
This is where the term Virus came from. It could "spread" from one host to another. And each time, it could inflict more damage until it killed the host computer.
Nowadays, we have worms. Worms are the dreams of script kiddies (yes, you little @$#@# dorks who sit at home thinking your stuff is 31337). They use the underlying applications' failures to infect something, rather than being native code that does the job. (For us techies, 8086 Assembler vs. VB Script that the kiddies cut-and-paste today from newsgroups)
If your WINE implementation has the necessary GUIDs exposed for COM/DCOM/ActiveX/.NET/your buzzword of the day, then, to answer your question... YES WINE IS HACKABLE. By implementing the Windows OS, it inherits the COM system, which all Microsoft products use heavily.
Enough history lesson. I'm going to go script myself a web browser that isn't IE... it just uses Microsoft's IE Active X component for browsing.. I shall call it, Iesm... And it shall be grand...
I find it funny to find this virus listed in the compatibility database. It's a testament to the success of wine!
http://slashdot.org/articles/02/10/23/1853219.shtml
...which is all I need. It amuses people to see me running the Windows and native Linux versions of PuTTY side by side.
However, my wife would like to run stuff like Dorling Kindersley entertainment software, and on most of them it doesn't even come close. Mind you, the, er, geniuses who wrote a lot of this stuff only tested it in a very limited range of situations, and used all kinds of bizarre special features, so a lot of them run poorly (crash, misdisplay, lose features) on Windows 2000 and XP (haven't tried on 2003).
I guess I'll have to set aside some time to become a WINE developer for a few weeks if that's ever to come to pass, and if I'm going to that much trouble, why not just write something de novo instead?
Got time? Spend some of it coding or testing
Hmm, let me dig out the link...
;-)
ah, here you are:
http://linuxsecurity.com/articles/vendors_products_article-6009.html
The more funny part of that is that there are actually DAUs even worse than the usual WinDAU. This is why I don't think people not capable of handling Unix correctly should be forced to use it (unless they aren't root on their own PCs, of course - that makes for new jobs
My Karma isn't excellent, damn it! (And
So you want to run outlook on Linux (you must have your reasons, I wouldn't)...
Wine can use any directory in Linux as a drive, so you simply create an outlook directory, run it in its own environment which means that the only problems you will see are those brought about by the application. As even a virus in Wine will happily run in a contained environment.
When you want to send an attachment from another app, you simply copy or make a symlink using your favorite Linux tools.
As far as bugs in Outlook, if you have problem with those, then maybe you should rethink your choice in e-mail clients.
The only way for a Windoze virus to compromise a Linux system would be to exploit a vulnerability in Wine...and since you should be running apps as an unprivileged user, no problems...not to mention that any exploit in Wine would probably simply result in a crash of the app.
Markus, you said P.S. I can just hear all the people asking themselves "What an odd comment to make; I wonder what his angle is?"
You are thinking more deeply and carefully than is normal for Slashdot commenters. That is unusual.
It is humorous that the grandparent commenter told "zealots" that they should stop being so intense because they might "turn people off".
Using the Google define: modifier gives this result for zealot: Zealot - "a member of an ancient Jewish sect in Judea in the first century who fought to the death against the Romans and who killed or persecuted Jews who collaborated with the Romans" and "a fervent and even militant proponent of something". The original Zealots were people who did a lot more than "turn people off". They killed them! That's what made them Zealots!
It would, however, be good if technically oriented people were more careful about communicating.
I once worked for a research institution that did research in Physics. Like all research organizations, we had people from other disciplines come and give talks. Once a social scientist gave a talk about her research. She said that many technically oriented people chose technical fields because they wanted to escape from some crazy, illogical social situation in their lives. Usually that situation was having uncaring parents. In response, technically oriented people chose a field that is strictly dominated by logic.
It would be good if more technically oriented people re-joined the world. The world would then become more logical. That would be an excellent revolution.
When Code Red first came out, my work computer was a Linux box which ran VMWare so that I could run Outlook (required by the company) and occasionally test under Windows. Because 99% of the time I was just using my virtual PC as an Outlook client, I completely forgot that it was running IIS and all the other M$ junk.
Needless to say, I was surprised to find that my Linux box was one of the machines that got hit by Code Red. The sysadmins probably had to tell me three times before I'd believe it.
The version of Outlook Web Access included with Exchange 2000 works fine with Mozilla. Don't know about other versions, though.
I'm proud of my Northern Tibetan Heritage
Markus, I'm not talking about you or anyone you know, apparently. I'm talking about the people you don't know, because they are not social.
I'm postulating a virus that is aware that it is running on WINE, which shouldn't be all that hard to figure out, even from VBScript. What's to stop such a virus on cxoffice today from escaping the fake_windows root and causing mischief among all my MP3^H^H^Himportant work files?
What's to stop Lex Luthor from taking over your system and using it to defeat Superman? The fact that they are fictional and you are not. They don't really exist; everything they appear to do or say is really a contrived effect brought about by cleverly arranged bits of things that do exist.
The same is true of software. A virus can't scratch the paint on your car because you haven't given your computer a means to "reach out" and do things like that. The virus exists at a different level than your car.
Likewise, if the virus isn't running on your real computer but instead is running on a "virtual machine" that your real computer is simulating, it can only do things that you give it a means to do. If the "home directory" you show it is a sand box that contains nothing of interest, then it will have to live with that.
Detecting that you are running under wine only helps if there are exploitable holes in wine. Even if he realizes that he's fictional, Lex Luthor won't be able to do anything he couldn't otherwise do.
-- MarkusQ
In the case of Slack pico the wine/X crash log first just so you see how silly the code that was run really was. Since using Slack for the past year I have not had one single X crash and very few freezes that I didn't deserve! I think I will reinstall Wine so I can feel the happiness of being a crash tester again. I miss the adventure of running shitty windows binaries and dlls under Linux. Although MANY GNUbies can /. few know how to ./
Why in the name of all that is sane and decent, would anyone, anywhere, ever choose to pay out a heap of money equivalent to a living wage for an inferior product - and, as a side effect, be beholden to some proprietary software company, who can demand more money off you at any time on pain of bringing your company's email system to its knees - when almost the whole of the rest of the world is using a free, standards-compliant product with no chance that anyone, anywhere could ever hold you to ransom over it?
For crying out loud, get a chuffing clue! If they won't show you the source code, why the chuff not? Because they have something to hide. Something they don't want you to know. Some dirty little secret that they want to hide from the people that pay their wages. Do you really want to give your money - and trust the security of your company - to people like that? For chuff's sake! Bosses, you spy on your workers who are physically incapable of harming your organisation; yet some convicted-felon corporation to whom you pay more money than you do one of your lowliest minions gets to play around with your internal private email under such a cloak of secrecy that they won't even tell you exactly what they are doing?
Let me put that another way. If you are using Exchange Server, Microsoft have the power to read every email you send within your organisation, even encrypted ones. Microsoft have the power to read every email that comes into or out of your company, including some encrypted ones. Microsoft have the power to delete or alter your emails before they get read. Microsoft have the power to demand more money from you at any time, otherwise they will cut off your email. And you are paying Microsoft all this money because, essentially, you trust a convicted felon with a slick corporate brochure more than you do some ordinary person who lays all their cards face-up on the table, and proves to you beyond all reasonable doubt that they have none of those powers. We know for certain because we can read the source code with our own eyes.
For a small to medium sized office intranet, exim is fine, otherwise go with sendmail. You will need to set up SMTP auth, but it really isn't that hard. You'll also need a POP3 server, but they're all pretty similar anyway - just the fact that you get different defaults with different distros is evidence of that. The same machine that is running your mail server can also be used for an apache server, and once you couple that with MySQL / PostgreSQL and Perl / PHP / Python, there's your contact and calendar management taken care of. {Remember that although LAMP is GPL, your in-house-written gizmos are only GPL if they leave the building. If you're anti-social enough to want to keep the code to yourself, then you can. But if you want to share it with your capitalist buddies, then you have to share it with everyone else too. Which bit of that do you think is unfair exactly?}
Je fume. Tu fumes. Nous fûmes!
Vmware is useful, yes. But then you have to buy Vmware and a license for every copy of Windows.
Nasty crashes in Wine have a tendency to cause X crashes. Somehow I doubt that logging you out of X (probably same as CTRL+ALT+BackSpace) was the intended effect. The reason this happens (just a WAG) is that Wine is integrated with X to an extent that a crash in Wine can cause problems in X. The fix for this would be to simply back off on the integration with X, but then the apps wouldn't be as responsive as they are now...
Thanks for the info.. I thought that was the reason! Windows code using weird calls seemed like a more sensible answer. It is a hoot to watch anyway. I guess a more productive thing would be to log it and send the messages to Wine users groups. I don't run wine anymore but it would be fun to track lame .exe's like Gator binaries with it just for the hell of it. I wonder if the new activeX bullshit will work? I hear some of the most nasty new script garbage is really out there with activeX controls leading the way. My brother in law gets nailed regularly, he has a habit of clicking on everything and always runs XP Pro as admin, the goof. I think he is a bit of a masochist. He has had to off everything at least 10 times in the last two years. He always blames something else other than Windows... He might be right!