Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Wine + IE Transversal File
Posted by: beford
Date: August 12, 2007 07:36PM

So I was bored the other day without internet access and started messing around with Gnome VFS, and noticed that some apps (like fspot) were urldecoding the names of the files that you 'drag&drop'ed to them. This is what I got after a while.

http://beford.org/wineie.jpg

I think that it's more like a Wine issue because I couldn't reproduce the problem on Windows; however, not all Windows apps on Wine have this problem. The file on the desktop is an image, not a copy of my passwd file :P



Edited 1 time(s). Last edit at 08/12/2007 07:42PM by beford.

Re: Wine + IE Transversal File
Posted by: bsoric
Date: August 13, 2007 01:00AM

Yeah, it's definitely a Wine issue. Luckily enough for Linux users, most people don't run IE in Wine, as root, so it's not going to be able to access or upload the shadow file anywhere (/etc/passwd doesn't include hashes anymore).

Interesting find though.

Re: Wine + IE Transversal File
Posted by: Anonymous User
Date: August 13, 2007 03:34AM

Ahm... in case I don't get it: this is pretty normal in Linux, you just browse the file like any other, and there isn't a \etc\ dir on Windows so that would never work on a Windows machine.

Or am I missing the point?

Re: Wine + IE Transversal File
Posted by: beford
Date: August 13, 2007 07:56AM

Ronald Wrote:
-------------------------------------------------------
> Ahm... in case I don't get it: this is pretty
> normal in Linux, you just browse the file like any
> other, and there isn't a \etc\ dir on Windows so
> that would never work on a Windows machine.
>
> Or am I missing the point?

The point is that it should not display my /etc/passwd; it should instead open and show me the file in my Desktop folder called 'foobar%2F..%2F..%2F..%2Fetc%2Fpasswd'. Oh, and I tried it on Windows with a file called 'foobar%2F..%2F..%2F..%2Fboot.ini'

Re: Wine + IE Transversal File
Posted by: Anonymous User
Date: August 13, 2007 07:56AM

@Ronald: Yep - many developers working with *NIX use the IE4Lin tool: http://www.tatanka.com.br/ies4linux/page/Main_Page

So this isn't a widespread issue, but it is still a severe one, since there should be restrictions on which files are allowed to be accessed.

@beford: nice find!

Re: Wine + IE Transversal File
Posted by: Anonymous User
Date: August 13, 2007 08:51AM

Yeah okay, I run Wine myself, sorry, I just woke up.

But, the next question is: this file is shadowed, can you read the shadow file also?

Re: Wine + IE Transversal File
Posted by: id
Date: August 13, 2007 09:40AM

shadow will be readable if you are root, it's just another file, but should only be readable by root...

-id

Re: Wine + IE Traversal File
Posted by: Anonymous User
Date: August 13, 2007 09:53AM

It doesn't work for the shadowed passwd - but the traversal works fine for me with just
z:\etc\passwd
- or am I getting something wrong?



Edited 1 time(s). Last edit at 08/13/2007 09:53AM by .mario.

Re: Wine + IE Transversal File
Posted by: beford
Date: August 13, 2007 10:17AM

z:\ is just a symlink to /, so if you open z:\etc\passwd it's opening /etc/passwd. You need to check the address bar on the screenshot, not the window title. I'm opening 'z:\home\beford\Desktop\foobar%2F..%2F..%2F..%2Fetc%2Fpasswd', not 'z:\etc\passwd'.

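The behaviour beford describes in the two posts above (a local file name being URL-decoded before it is used as a path) can be sketched as follows. This is an added example, not code from the thread or from Wine; the function names are hypothetical, and only the directory and file name are taken from the posts.

```python
import posixpath
from urllib.parse import unquote

DESKTOP = "/home/beford/Desktop"               # directory named in the thread
NAME = "foobar%2F..%2F..%2F..%2Fetc%2Fpasswd"  # file name named in the thread


def decoded_resolve(directory, name):
    """Reported behaviour: decode the name first, then treat it as a path.
    '%2F' becomes '/', so one file name turns into several path components."""
    return posixpath.normpath(posixpath.join(directory, unquote(name)))


def literal_resolve(directory, name):
    """Expected behaviour: a local file name is opaque, '%2F' stays as
    three ordinary characters. Separators are refused (backslash too,
    on the assumption that a Windows application will see the path)."""
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise ValueError("not a single file name: %r" % name)
    return posixpath.join(directory, name)


def contained_resolve(directory, name):
    """Where decoding is required (the name came from a file:// URL):
    decode exactly once, then verify the result is still under directory."""
    base = posixpath.normpath(directory)
    decoded = unquote(name)
    if "\\" in decoded or "\x00" in decoded:
        raise ValueError("unsafe character after decoding: %r" % name)
    target = posixpath.normpath(posixpath.join(base, decoded))
    if posixpath.commonpath([base, target]) != base:
        raise ValueError("decoded name leaves %s: %r" % (base, name))
    return target


if __name__ == "__main__":
    print("decoded :", decoded_resolve(DESKTOP, NAME))
    print("literal :", literal_resolve(DESKTOP, NAME))
    try:
        contained_resolve(DESKTOP, NAME)
    except ValueError as exc:
        print("rejected:", exc)
```

The normalisation here is purely lexical; a check on a real filesystem should also resolve symlinks (for example with `os.path.realpath`) before comparing against the base directory.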
Re: Wine + IE Transversal File
Posted by: hackathology
Date: August 20, 2007 09:43PM

nice find!!!!!!!

http://hackathology.blogspot.com

Re: Wine + IE Transversal File
Posted by: Kyo
Date: August 21, 2008 08:36PM

nice find indeed! Too bad it's useless...

edit:
ARGH! Damn it, I thought this was from 2 days ago, and not a year and two days ago. Stupid Google



Edited 1 time(s). Last edit at 08/21/2008 08:37PM by Kyo.
