Slashdot Mirror


WINE Still Vulnerable to WMF Exploit

blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."

62 of 240 comments

  1. Finally! by A beautiful mind · · Score: 4, Funny

    We can say now that Linux is truly ready for desktop because it caught up to Windows in these important features as well!

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  2. I had no idea... by MichaelSmith · · Score: 5, Funny

    ...that wine provided so much of the normal windows user experience. I must start recommending it to my friends

  3. So... by ImaLamer · · Score: 5, Interesting

    Should I be worried about my Fake Windows security or am I at no risk as long as I don't run "sol.exe" as root?

    How far can someone get by working over WINE with this exploit?

    1. Re:So... by Craig Davison · · Score: 3, Interesting

      You don't need to be root to send out 1000 spams/minute.

  4. Uh, oh . . . somebody had better notify CERT. by mmell · · Score: 3, Funny

    So that they can add it to their already lengthy list of known LINUX exploits!

    1. Re:Uh, oh . . . somebody had better notify CERT. by Phillup · · Score: 2, Insightful

      Once for each version and vendor... (even tho it is one exploit)

      --

      --Phillip

      Can you say BIRTH TAX
  5. Kudos to WINE by DrXym · · Score: 5, Interesting
    For implementing Win32 so closely that you can actually be infected with Win32 exploits. I suspect that the effects wouldn't be as bad as the real thing though.

    On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?

    1. Re:Kudos to WINE by Afecks · · Score: 5, Funny

      On a serious note, I wonder what this means for emulation projects. If you recognize an exploit in the original environment (as possibly someone did when writing a WMF parser for WINE), do you implement the exploit in your emulator or do you introduce a potential incompatibility?

      WINE IS NOT AN EMULATOR!

    2. Re:Kudos to WINE by AKAImBatman · · Score: 2, Informative

      It is one piece of software that is designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality. That my boy, is an emulator.

      Too bad that doesn't describe WINE. WINE is a run-time linker with a set of bundled libraries designed to be API compatible with the core Windows libraries. Absolutely NO emulation is happening.

      Now there is a WINE for OS X project going on that uses QEmu (or was it bochs? I forget) to do actual emulation of the x86 instruction set, but that's a completely separate project from WINE. QED.

    3. Re:Kudos to WINE by Quantam · · Score: 2, Informative

      What I want to know is whether Wine is vulnerable to this design flaw that allows hardware enforced data execution protection to be remotely disabled by a clever buffer overflow (one that injects no code of its own, so cannot be prevented by DEP). I should mention that I submitted this story to Slashdot, but it was rejected.

      --
      You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
    4. Re:Kudos to WINE by DavidTC · · Score: 2, Insightful
      That logic is crazy. That makes Perl on Windows a 'perl emulator', or Gnome libraries on Windows a 'Gnome emulator'.

      An emulator is a reimplementation, but it is not a mere reimplementation of something. They are reimplementations at different levels. Normally it's with parts of hardware mimicked by software.

      Wine is at basically the same level as the original Windows...it's a bunch of libraries that have functions in them. These libraries do stuff, and sometimes talk to the OS. (And, in the case of Wine, X.)

      There are a few parts of it where you could argue there is 'emulating' going on, where the software doesn't actually talk to any hardware, it just claims to, but wine is not itself an emulator, even if small parts are.

      1) Whether there is anything beside that that could legitimately be called an emulator is an interesting question.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    5. Re:Kudos to WINE by truthsearch · · Score: 2, Insightful

      "a set of bundled libraries designed to be API compatible"

      "designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality"

      What's the difference?

      Aren't the libraries bundled with WINE written to mimic the responses of the equivalent Windows APIs? Sounds like emulation to me.

    6. Re:Kudos to WINE by IamTheRealMike · · Score: 4, Interesting
      FWIW I've spent several years as a Wine developer, and I definitely consider it to be emulation.

      That said, this story is just a lot of scaremongering from ZDNet. Sure, you could be hacked through this if you run IE in Wine and use it as a general web browser (which I doubt anybody does), but the damage would be limited to the virtual Windows environment which can be blown away and reset in 20 seconds. It's not like the reinstall from scratch job a real Windows would require. Wine also ignores any startup entries software may install.

      Still, it should be fixed, probably in the same way that MS did it. And in fact Marcus has already posted a patch that would do this, so I expect it'll be fixed soon enough.

    7. Re:Kudos to WINE by Eideewt · · Score: 2, Informative

      Ooh, you have dictionaries. Here's the thing: a regular dictionary isn't always a reliable source when you're defining technical terms.

    8. Re:Kudos to WINE by Minna Kirai · · Score: 2, Insightful

      a regular dictionary isn't always a reliable source when you're defining technical terms.

      In the technical terminology of Computer Science, an emulator is some system which intentionally behaves like some other system. From a technical perspective, it doesn't matter at all if you are emulating hardware or software... conceptually, it's all the same thing.

      The people who argue "Wine is not an emulator" are incorrectly using "emulator" as an abbreviation for "hardware emulator", since that was the first place they heard of "emulator" programs.

      That's similar to how some people act like "console" means a video-game machine, when really there are many other kinds of consoles.

    9. Re:Kudos to WINE by Mancat · · Score: 3, Insightful

      The WMF format has been around quite a while, since Windows 3.0 IIRC. I'm not saying it's not possible, but not too likely. I don't know how many open-source vector graphics libraries existed around 1990.

      --
      hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
  6. Make a copy? by vandon · · Score: 5, Interesting

    Can't you just make a copy of the fixed gdi32.dll from a working windows machine?

    1. Re:Make a copy? by cnettel · · Score: 5, Informative

      No, the Win32 version is (mostly) just calling down to the Win32K.sys file in the kernel. This isn't present in WINE. There are also other issues, but this single fact is the killer that makes it totally impossible to work. (aside from licensing issues :-)

  7. That's just wrong... by John3 · · Score: 2, Funny

    So in this situation, Windows systems updated with the most recent patch are more secure than machines running WINE.

    TGIF cause stuff like this makes my head hurt.

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    1. Re:That's just wrong... by Fordiman · · Score: 3, Insightful

      Think statistics.

      How many applications that pass WMFs (ie: email clients and browsers) do you use under linux that require Wine? Now how many do you use under windows that would be potentially exploited?

      This is far less serious for Linux users than Windows users.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  8. Transmeta Crusoe by suso · · Score: 4, Informative

    This reminds me of the initial press release on the Crusoe, one of the clueless reporters in the audience thought that the Crusoe would somehow avoid Windows crashing. One of the Transmeta people pointed out to him that if Windows crashes, the Crusoe will faithfully crash in the same way.

  9. Isn't that the Goal? by lordofthechia · · Score: 3, Interesting

    After all, from winehq.org: "Wine has always strived for "bug for bug" compatibility"

    --
    Georgia Tech, the leader in Chia(tm) technology.
  10. Perfect emulation by miscz · · Score: 5, Funny

    This shows how great Wine is. It even emulates exploits and being late with the patches! Hurray for Wine!

  11. serious question by js3 · · Score: 2, Interesting

    does anyone use wmf files?

    --
    did you forget to take your meds?
    1. Re:serious question by fred_sanford · · Score: 3, Insightful

      it doesn't have to be a wmf file to be affected. jpg, gif, bmp, that use wmf headers can still execute code.

    2. Re:serious question by innocent_white_lamb · · Score: 2, Informative

      A small business that I do some consulting for has stacks (literally) of CD's containing clipart in WMF format. Based on that, I would say that WMF appears to be a common format for commercial-off-the-shelf clipart disks.

      --
      If you're a zombie and you know it, bite your friend!
    3. Re:serious question by jlarocco · · Score: 2, Informative

      A WMF file is a very specific file format that contains a list of Windows GDI calls that describe how to draw an image. So obviously, most images on the interweb are not WMF files.

      It is possible to make a WMF file that lists the GDI calls to display a GIF/JPG/whatever file, but that still doesn't make the GIF/JPG/whatever files themselves WMF files.

  12. I don't understand by overshoot · · Score: 5, Interesting
    The WINE libraries don't even include an equivalent of the DLL that causes the problem for Microsoft.

    How does WINE manage to duplicate a flaw in a function that WINE doesn't even implement?

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:I don't understand by makomk · · Score: 2, Interesting

      I expect it's like Windows 98 - you can't get infected by websites, but you can get infected by viewing a WMF using some program that uses the Windows API to display them. (For example, most Word clipart is WMFs, IIRC.)

    2. Re:I don't understand by Anonymous Coward · · Score: 2, Informative

      The flaw is in gdi32.dll; WINE implements gdi32.dll. I'm not sure if WINE implements shimgvw.dll, but that is not where the flaw technically is; that just happens to be the easiest way to exploit the flaw.

    3. Re:I don't understand by A beautiful mind · · Score: 3, Funny

      "/* Heavy wizardry */"

      (If you know Perl, you'll understand)

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    4. Re:I don't understand by cnettel · · Score: 5, Insightful

      The DLL in question is a common library used to load and view image files. The real WMF parsing is going on in GDI32 and Win32K.sys (GDI32 relies on Win32k, which is generally not called directly), though. So, you can't run explorer.exe from XP to get fancy thumbnails, but you CAN open an exploiting WMF file in several programs, and get the exploit all for free. As I noted in another comment, it's unlikely that a WMF effective on XP would also be effective on WINE, as it will probably be relying on the specific address space layout, though.

    5. Re:I don't understand by Tim Browse · · Score: 2, Informative
      I very much suspect that WINE does implement the parsing/decoding of WMF files, and that is where the problem is. The WMF format allows the file to specify an error handler, which is the cause of the problem.

      Don't get hung up on gdi32.dll or shimgvw.dll or whatever - it's the API itself that WINE implements, not specific DLLs and entry points (although it might provide shim for those for some apps) and that's where the problem is.

  13. Imitation is the sincerest form of flattery by Schezar · · Score: 5, Insightful

    I suppose this speaks very highly of the WINE developers. After all, they're not out to make something better than Windows: they're out there to duplicate every broken, strange, or inexplicable behaviour Windows exhibits.

    Wine is Not an Emulator, but its purpose is to allow all of us in Linuxland to use software developed for Windows. That means that it must replicate even the broken parts.

    Luckily, I assume two things:

    1. The WINE devs will plug this as soon as they get around to it.

    2. Anyone using WINE successfully is probably canny enough to make do until then without getting themselves compromised.

    --
    GeekNights!
    Late Night Radio for Geeks!
  14. Not impressed by Anonymous Coward · · Score: 5, Funny

    Until I can get my Linux box rootkitted by Sony DRM.

  15. Why should they realize it's a problem? by Weaselmancer · · Score: 4, Insightful

    The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue.

    Remember, the goal of WINE is to duplicate the API as exactly as possible. And up until a few days ago, that *was* part of the API.

    WINE isn't supposed to be an improvement, just a duplication of the API so that win32 apps can run on x86 *nix. It should be no surprise to anyone that their implementation of the metafile API is exactly like the one in Windows. That's the point.

    --
    Weaselmancer
    rediculous.
  16. Re:Not that insecure by cnettel · · Score: 3, Informative

    Well, if you run as the same user as your normal home directory, it can be devastating enough. It's not like you need to be root to send out a thousand mails with your "personal" pictures transformed into virus vectors.

  17. License? by John3 · · Score: 2, Funny

    What is this license you speak of and why would I need one for software?

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  18. GDI DLL Exploit Method by c0d3r · · Score: 2, Informative

    Apparently the exploit method in the GDI DLL is SETABORT (vector 9).
    http://blogs.securiteam.com/index.php/archives/184
    -c0d3r-

  19. Well, there you go... by stinky wizzleteats · · Score: 5, Funny

    All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable

    That's 3 Unix/Linux vulnerabilities to 1 for Windows. Windows is more secure.

  20. The traditional "joke", with a twist? by Jugalator · · Score: 4, Funny

    For WINE users, here's a patch.

    Wow, I could never imagine this time would come, after all those here's a patch jokes!

    --
    Beware: In C++, your friends can see your privates!
  21. Cedega is not affected by this exploit by gavriels · · Score: 5, Informative

    Cedega is not affected by this exploit, as we don't support any META_ESCAPE commands in WMF playback at all.

    And Marcus Meissner's fix for WineHQ was checked in earlier today. 8-)

      -Gav

  22. IT'S FIXED IN THE CVS by Krach42 · · Score: 5, Informative
    Revision 1.12 / (download) - [select for diffs], Fri Jan 6 20:52:46 2006 UTC (111 minutes, 55 seconds ago) by julliard
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.11: +7 -0 lines
    Diff to previous 1.11 (colored)

    Marcus Meissner
    gdi: Filter GETSCALINGFACTOR and SETABORTDOC proc in metafile
    Escapes.


    Which changed wine/dlls/gdi/metafile.c from:
    case META_ESCAPE:
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
    To:
    case META_ESCAPE:
            switch (mr->rdParm[0]) {
            case GETSCALINGFACTOR: /* get function ... would just NULL dereference */
                return FALSE;
            case SETABORTPROC:
                FIXME("Filtering Escape(SETABORTPROC), possible virus?\n");
                return FALSE;
            }
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
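    Review bot: in the new switch on mr->rdParm[0], only GETSCALINGFACTOR and SETABORTPROC are rejected, so every other escape code found in the file still falls through to Escape() with the file-supplied count mr->rdParm[1] and the data at &mr->rdParm[2], and no length check is visible in this case. An allowlist of the escapes that metafile playback actually needs, with a default that returns FALSE, would fail closed instead of relying on the two known-bad values. The commit message also names SETABORTDOC while the case label is SETABORTPROC; the log entry should match the code.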
    This is first day response.
    --

    I am unamerican, and proud of it!
  23. Why it's not really a BUG, and why WINE has it too by XMilkProject · · Score: 2, Interesting

    It's been a while since I've written any WMF software, but if I remember correctly, the problem here is with the general principle of a WMF, not a bug in any libraries, hence windows and wine both being vulnerable.

    A wmf is not a graphics format in a traditional sense, but rather a list of API calls to the GDI libraries that when fired off one after another will recreate an image.

    For this reason, saying that the WMF insecurity is a bug, is like saying that the fact that you can make a malicious EXE for windows is a bug also.

    I'm not saying it shouldn't be fixed, because it is a vulnerability, I'm just trying to shine some light on why similar vulnerabilities exist in WINE.

    If I have given an incorrect explanation of WMF, please feel free to comment.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
  24. My favorite review of this subject... by jeremy_white · · Score: 2, Funny

    ...is on Newsforge.

  25. Re:Why its not really a BUG, and why WINE has it t by XMilkProject · · Score: 2, Informative

    To answer another question I keep seeing:

    "Does anyone actually use WMF anyway?"

    There are actually some common uses of WMF on windows, but because it is a metafile of GDI calls, it's not very portable (although it is easy to convert).
    Since displaying a WMF is nothing more than enumerating the list into a 'select case' statement (not a very long one either) it is very easy and VERY fast to display on Windows. (Really no processing is required). For this reason, microsoft uses WMF for all the MS Office clipart, and you'll find many other very-microsoft centric applications using it as well.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
  26. How long should a fix take? by MeBot · · Score: 3, Interesting

    Six days after m$ft learned of the vulnerability, we were all yelling that it shouldn't take that long for a fix and thank heavens that open source projects could always churn out fixes so much quicker. Well, the open source wine has now had 3 days. Does that mean that if wine takes another 3 days, then we've proven that open source isn't always faster with fixes?

  27. Clarification: Wine Is Not a (CPU) Emulator by JBMesserly · · Score: 2, Informative

    I'm pretty sure a more accurate expansion of WINE is: Wine Is Not a (CPU) Emulator. See the Wine FAQ. As you correctly point out, Wine emulates (implements?) the Windows API, using the native CPU to execute code.

  28. It's already fixed in CVS anyways by Krach42 · · Score: 3, Insightful

    Just: cvs update && make World && sudo make install

    Patched, Fixed, Done.

    If you RTFA, you'll even see that the very person to report that WINE was flawed the same as Windows submitted a patch to fix the problem along with his notice that it was broken.

    THAT is how fast OSS is. The very vulnerability announcement says how to fix it.

    --

    I am unamerican, and proud of it!
  29. Programming Issue? No way! by Heembo · · Score: 2, Informative

    Alan Paller at SANS keeps calling this a "programming error" which I think is a load of BS. This WINE article only proves it - this is poor design from management folks. The trick is, security needs to be a core part of system design from the initial phases of the software lifecycle, and then at every step of the software lifecycle. This is not something only for Programmers and pure-tech folks. Now your Project Managers, Analysts, and even your upper management needs to understand the COSTS AND ADDITIONAL TIME ASSOCIATED WITH HIGH-SECURITY PROGRAMMING.

    --
    Horns are really just a broken halo.
    1. Re:Programming Issue? No way! by Anonymous Coward · · Score: 2, Insightful

      Except that the WMF format was created, what, more than 15 years ago? Not many people had computers then. Or the Internet. Or the bandwidth to share pictures through BBS's. Even if someone had found the exploit, it wouldn't have spread over more than, say, two or three computers worldwide. High-security programming? WTF? There was no *NEED* for high-security programming back then.

      WMF became obsolete soon, and was forgotten. It's perfectly normal to forget to review code that old, especially if the programmers who wrote it have probably been retired by then. Hell, many people have probably never seen a WMF file before.

    2. Re:Programming Issue? No way! by zjbs14 · · Score: 2, Informative
      Yeah, that was a big concern back in the late 80's when WMF was developed for Windows 3.0 (AKA DOS but prettier). There was no elevated privileges, memory protection, or even networking to speak of. Heck, if you wanted to screw with something, all you had to do was write a TSR to hook into an interrupt.

      I agree, it probably should have been taken care of in the interim, but I wouldn't classify it as poor design (for the times).

      --
      No sig, sorry.
  30. Re:slashdot design ... by 6Yankee · · Score: 3, Funny

    slashdot design looks strange today

    You just want me to commit a felony by refreshing it to see if I see what you see, don't you?

  31. Re:yeah right by spitzak · · Score: 2

    It's not really a bug. It is in fact the documented function of the WMF files, and nobody (neither at Microsoft or WINE) noticed that it was in fact a security hole. Since it is documented there was no trouble replicating its behavior.

  32. Re:Patching WINE? by legalize.ganja.now. · · Score: 2, Informative
    So all you have to do is run the WINE autoupdater? :-)

    exactly. to run the "WINE autoupdater" open a console and type the following commands:

    export CVSROOT=:pserver:cvs@cvs.winehq.org/home/wine
    cvs login

    the password is "cvs"
    cvs -z 3 checkout wine
    cd wine
    ./configure
    make
    su

    enter root password
    killall -s KILL wineserver
    make uninstall
    make install
    exit
    cd ..
    rm -rf wine

    wineconfig

    that's all! ;-) (the exploit is fixed in the cvs tree)
    of course you can make this even more "auto-ish" if you put the above commands into a textfile, call "chmod +x" on that file and click on it ;-)

  33. Re:Too bad that's wrong by cnettel · · Score: 2, Informative
    While technically right, it's more like "they allow access to most of GDI, including one devastating method that allows you to feed a pointer to a callback proc if rendering fails".

    It's more complicated than WMF just being able to call anything inside GDI32.dll. This is demonstrated by the fact that SetAbortProc was never allowed, the way to do it in WMF was using the Escape function, which has an obsolete escape code for adding an abort proc in the context where it makes sense, for printer spooling.

    So the oversight is that an escape code was included for setting an abort proc, and there were valid uses for escape codes in WMF. The explicit and current way to set an abort proc was never allowed.
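The escape-record check discussed in this thread, written as a defensive file pre-screen. This is an added example, not part of any post here and not Wine's code: a bounds-checked walk of the WMF record list that counts META_ESCAPE records whose escape function is one of the two codes the quoted Wine commit filters. The function name and sample bytes are constructed for the example; the record layout and the numeric values other than escape 9 come from the published WMF format and wingdi.h, not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the WMF record format and wingdi.h (assumptions relative to
 * this page, which only states that SETABORTPROC is escape 9). */
#define META_ESCAPE          0x0626u      /* record function: an Escape() call */
#define ESC_SETABORTPROC     9u
#define ESC_GETSCALINGFACTOR 14u
#define PLACEABLE_KEY        0x9AC6CDD7u  /* optional 22-byte placeable header */
#define PLACEABLE_LEN        22u
#define HEADER_LEN           18u          /* standard header: 9 words */

/* WMF fields are little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the record list without trusting any size field in the file.
 * Returns the number of Escape records that use a filtered escape code,
 * or -1 if the file is truncated or structurally invalid. */
int wmf_count_filtered_escapes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int hits = 0;

    if (len >= 4 && rd32(buf) == PLACEABLE_KEY)
        off = PLACEABLE_LEN;                   /* skip placeable header */
    if (len < off + HEADER_LEN)
        return -1;
    if (rd16(buf + off + 2) != HEADER_LEN / 2) /* HeaderSize is in words */
        return -1;
    off += HEADER_LEN;

    for (;;) {
        if (len - off < 6)                     /* ran out before the EOF record */
            return -1;
        uint32_t words = rd32(buf + off);      /* record size in 16-bit words */
        uint16_t func  = rd16(buf + off + 4);
        if (words < 3 || words > (len - off) / 2)
            return -1;                         /* size field lies about the data */
        if (func == 0)                         /* EOF record ends the list */
            return hits;
        if (func == META_ESCAPE) {
            if (words < 5)                     /* policy here: no room for rdParm[0..1] */
                return -1;
            uint16_t esc = rd16(buf + off + 6);   /* rdParm[0]: escape function */
            if (esc == ESC_SETABORTPROC || esc == ESC_GETSCALINGFACTOR)
                hits++;
        }
        off += (size_t)words * 2;
    }
}

/* Constructed sample: header, one Escape record (escape 9, zero data bytes), EOF. */
static const uint8_t sample_flagged[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x11,0x00,0x00,0x00, 0x00,0x00,
    0x05,0x00,0x00,0x00, 0x00,0x00,
    0x05,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00
};

/* Constructed sample: same layout, but the Escape record uses escape 15. */
static const uint8_t sample_benign[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x11,0x00,0x00,0x00, 0x00,0x00,
    0x05,0x00,0x00,0x00, 0x00,0x00,
    0x05,0x00,0x00,0x00, 0x26,0x06, 0x0F,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00
};

int main(void)
{
    printf("flagged sample:   %d\n",
           wmf_count_filtered_escapes(sample_flagged, sizeof sample_flagged));
    printf("benign sample:    %d\n",
           wmf_count_filtered_escapes(sample_benign, sizeof sample_benign));
    printf("truncated sample: %d\n",
           wmf_count_filtered_escapes(sample_flagged, 30));
    return 0;
}
```

A non-zero count or a -1 result is a reason to quarantine the file before any application hands it to a metafile playback API; the scan looks at record structure only, so it works regardless of the file's extension.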

  34. Re:Why its not really a BUG, and why WINE has it t by cnettel · · Score: 2, Informative
    It is partly right, but this is a vulnerability just like being able to write a Javascript that alters files on your HD is a vulnerability. Javascript is even Turing complete (WMF isn't), but the important point is the domain you are executing in. There are plenty of GDI functions that you CAN'T call from a WMF, like setting an abort proc in another manner than the one used here, or getting a device context to draw in another window in the same session. In fact, I think you are not supposed, or allowed, to draw in another device context at all.

    WMF is not supposed to be any kind of code affecting the display and certainly not arbitrary x86 code. Therefore, this is a bug, but the bug was caused by the format design omission to allow the specific escape code used.

  35. The "if your second wife doesn't scream" test by MarkusQ · · Score: 4, Informative

    "a set of bundled libraries designed to be API compatible"

    "designed to mimic the behaviour of another piece of hardware or software in order to achieve the same functionality"

    What's the difference?

    Aren't the libraries bundled with WINE written to mimic the responses of the equivalent Windows APIs? Sounds like emulation to me.

    I've always assumed that they were making the first wife / second wife distinction.

    Your second wife may provide all the services that your first wife did ("Please pass the salt" gets the salt handed to you just as before) but that is only an implementation of the same API--it doesn't mean that your second wife is "emulating" your first wife.

    If, on the other hand, your second wife discovers that your first wife used to have some bizarre behaviour (say, she would occasionally wake up screaming "Now Dasher! now, Dancer! now Prancer and Vixen! On, Comet! on, Cupid!" etc. in an overly excited voice even when it was nowhere near christmas) and your second wife decided to start doing it too solely because it's what your first wife did, that would be emulation.

    To give a less whimsical example: a browser such as Opera isn't "emulating" Firefox just because they both render HTML, support javascript, etc. Only if the Opera folks were to add a "Firefox quirks mode" that also attempted to duplicate all the overt behaviour of Firefox would they be "emulating" it. (And to be "simulating" they would have to be duplicating the overt behaviour by virtue of having in some sense the "same" internal structure.)

    -- MarkusQ

  36. The thing here is... by williamyf · · Score: 5, Insightful

    ... that when the WINE Coders were coding the Metafile APIs, they:

    1.) Did not realize this was a design flaw (most likely).
    or
    2.) Realized this was a security flaw and have been exploiting it since years ago (highly unlikely).
    or
    3.) Have been urging Microsoft to change the code since they realized (highly unlikely, as well).

    The point I am trying to make is that this design flaw was not spotted by the many eyes of the WINE project, showing that even the OSS development model is subject to mistakes.

    The intent of this comment is not to say which development model is better, just to point out the fact that ALL development models are subject to failures, and that our analysis should not be so unidimensional and binary, a thought that seems to be quite lost in this particular thread.

    As an aside, if this attack was made public in 12/27/05, and confirmed by Microsoft in 12/28/05, shouldn't have the WINE community tested for the flaw, posted a preliminary patch ASAP and then post a definitive patch that mimics the effect of the Microsoft patch? Why to produce the patch just AFTER Microsoft posted theirs, late by the common wisdom of /.?

    My other question our regard a Turing-Complete "Image File Format", Postscript. Given the complexity in Postscript, is it not possible (but most likely harder, since it can not touch Filesystems) to do exploits in it?

    Just my two cents

    --
    *** Suerte a todos y Feliz dia!
  37. Peer review of "many eyes" should've caught this by I'm Don Giovanni · · Score: 2, Insightful
    What's amusing about this is that many of you guys that blasted Microsoft for designing this flaw into the WMF api are now defending the Wine devs with, "Well, they had to implement the whole api, so it's not their fault!!"

    But the facts are that the original design was made pre-Win3.0, long before the rise of the internet as we know it today. It's not surprising that the design flaw arose in that environment, and the design was used to deal with the hodge-podge of various printer behaviors from those days. And I don't particularly blame the actual handful of Wine devs that implemented the "whole API" and therefore inherited this design flaw.

    But I do place blame on the OSS community.
    Allow me to quote from Engaging with The Open Source Community:
    Another piece of Open Source philosophy is characterized as "many eyes make all bugs shallow." The continual review process used by Open Source communities produces a "many eyes" effect of massively parallel peer review that has been demonstrated to produce very high quality oversight of the software development process and products. Constant, repetitive peer review, coupled with a release schedule tied to objective software quality rather than marketing deadlines, consistently results in Open Source software quality orders of magnitude higher than that of commercial releases of similar software.


    This flaw was staring the OSS community right in the face for all this time, yet the OSS community failed to find it. Of course, I'm being too hard on the OSS community. I wouldn't expect that community to find this problem. But nor should you. The "many eyes" claim is a canard because in truth very few people not involved in the actual development of a particular piece of code actually examine that code for flaws, and even fewer can identify a flaw even if it's staring them in the face as clearly as this one.
    --
    -- "I never gave these stories much credence." - HAL 9000
  38. Re:Peer review of "many eyes" should've caught thi by NullProg · · Score: 3, Funny

    But the facts are that the original design was made pre-Win3.0, long before the rise of the internet as we know it today. It's not surprising that the design flaw arose in that environment, and the design was used to deal with the hodge-podge of various printer behaviors from those days. And I don't particularly blame the actual handful of Wine devs that implemented the "whole API" and therefore inherited this design flaw.
    Are you being smug or are you trolling on purpose? There was no pre-Win3.0 gdi32.dll. There was no hodge-podge of printer support. They all printed to LPT1 with their own escape-codes that the software developers implemented. I print to my year old Samsung laser using my twenty year old AppleWorks. You do know that WINE can use its own built-in DLLs or Win32 native DLLs, don't you? I can switch Wine to use the Gdi32.dll that Microsoft just provided for free.

    This flaw was staring the OSS community right in the face for all this time, yet the OSS community failed to find it.

    I don't think the Wine Developers are looking for flaws. Most of us use Wine to play Windows Games. In what aspect is my WINE/Linux environment compromised by this Microsoft flaw? There is no kernel to infect. Are the rootkit trojans going to infect my Starcraft session and turn the Zerg into lemmings? Are you mentally challenged?

    We appreciate that you like Windows, stay there. When you're ready to switch to an environment that doesn't believe that you owe a fee every three years and that you own your own stuff, let us know.

    Enjoy.

    --
    It's just the normal noises in here.
  39. WMF Current Test Files Can Be Found Here by ZOverLord · · Score: 2, Informative

    I have the latest test files created from version 1.17 both OFFLINE and ON-LINE as well as zip files for the last two prior releases 1.16 and 1.14 located here: http://www.dslreports.com/forum/remark,15188688#15188722 They can be used for testing, also there is a patch NOT supported by Microsoft for those running Windows 98 here: http://www.nod32.ch/en/download/tools.php It should be noted that these files have been used for many days and are safe for testing.

    --
    Black Gray White Hats Unite to protect http://testing.OnlyTheRightAnswers.com