Security - single click trojan risk

Bug #85338 reported by Badger47
Affects: wine (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Kees Cook

Bug Description

Binary package hint: nautilus

Nautilus can facilitate trojans in conjunction with wine.

Scenario.

A user, e.g. a newbie to Linux attracted by the ease of use of Ubuntu, decides to use wine for some favoured Windows(TM) programs and discovers that the need to use the CLI for installing programs can be avoided using the nautilus "Open with ... wine" feature.

Some time later user receives the following from a very familiar contact in gaim ....

(21:51:12) taggs: lol someone has put a pic of u online :P http://kaikau.ka.funpic.org/index.php?pic2038.jpg

As it turns out, the "jpg" file is a Windows executable trojan (easily recrafted for an ubuntu user), and when the user clicks on the file, instead of seeing it in Eye of Gnome, what in fact happens is a malware intrusion.

Nautilus should be patched to disallow wine to feature in an "Open with ..." rule.

Reasoning:
Normally, in linux, to be "social-engineered" you have to save a file, convert it to executable and then run it. As outlined, in the above actual incident, this key usability security is ineffective in an increasingly possible scenario.

In many ways it makes this form of social engineering easier in linux configured this way, because the file does not even need an exe/bin or similar suffix.

Nautilus (in conjunction with wine) as things stand becomes a key part of negating the standard linux "executable bit" security measures.

Prominent warnings are not in place (in the ubuntu wine wiki) advising avoidance of this practice either. https://help.ubuntu.com/community/Wine.

Sebastien Bacher (seb128) wrote :

Thank you for your bug. That's a wine problem: either it should not claim the MimeType from its .desktop, so as not to be listed by nautilus "open with", or it should verify the permissions of the .exe before trying to run it.

Martin Pitt (pitti) wrote :

This is absolutely right. Wine should not ship a desktop file that claims the MIME type, since then files can be run through wine which are not executable.

The proper way to do this is to register a binfmt_misc interpreter for .exe files and execute them directly.

Changed in wine:
importance: Undecided → High
status: Unconfirmed → Confirmed
Kees Cook (kees) wrote :

Seb, what do you think the right approach for feisty is?

I suspect that patching wine to require the execute bit is doomed to failure, since frequently the already-installed applications have no exec bit, sometimes due to the way the filesystem was mounted, etc. This could break many pre-existing installs.

The .desktop change, I think, is the quickest approach, and breaks the least number of things. Should I put together a patch for this?

Martin, do you think the wine postinst should add the binfmt_misc? Seems sensible to include that if the MIME type is removed from the package.

Martin Pitt (pitti) wrote : Re: [Bug 85338] Re: Security - single click trojan risk

Hi Kees,

Kees Cook [2007-02-15 16:52 -0000]:
> The .desktop change, I think, is the quickest approach, and breaks the
> least number of things. Should I put together a patch for this?

If it is possible to restrict this to files with the executable bit
set, this would work fine, but AFAICS it has the very same
transitional problem. But I think for a distro update this is ok (not
for a security update, though).

> Martin, do you think the wine postinst should add the binfmt_misc?
> Seems sensible to include that if the MIME type is removed from the
> package.

Would be quite nice IMHO, this makes the files useful on the command
line as well.

Martin

Sebastien Bacher (seb128) wrote :

Making nautilus not start exe with wine is easy: just make the wine package stop shipping wine.desktop. That's going to be a step back for usability though, no?

Kees Cook (kees) wrote :

On Thu, Feb 15, 2007 at 09:22:40PM -0000, Sebastien Bacher wrote:
> making nautilus not start exe with wine is easy, just make the wine
> package stop shipping wine.desktop, that's going to be a step back for
> usability though, no?

Yeah, I'm less interested in this being a security update than a "going
forward" thing for Feisty and beyond. If the .desktop is dropped, but
the binfmt_misc is added, then as long as the problem is executable, it
will still be double-clickable from the desktop.

How does that sound for feisty?

--
Kees Cook @outflux.net

Sebastien Bacher (seb128) wrote :

that looks fine to me!

Kees Cook (kees) wrote :

I've removed the desktop file and added the binfmt-support bits, based on Debian's package.

Changed in wine:
assignee: nobody → keescook
status: Confirmed → Fix Released
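
The following is an added example, not part of the bug thread or of the wine package: a Python audit that lists .desktop files claiming a Windows-executable MIME type, which is the "Open with" association the thread identifies as bypassing the execute bit. The MIME type list, the function names and the two sample desktop entries are assumptions constructed for illustration; the thread does not name the MIME type wine.desktop claimed.

```python
import configparser
import tempfile
from pathlib import Path

# Assumed list: MIME types commonly assigned to Windows executables.
# The bug thread itself does not say which type wine.desktop registered.
EXECUTABLE_MIME_TYPES = {
    "application/x-ms-dos-executable",
    "application/x-msdos-program",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}


def risky_handlers(app_dir):
    """Return {desktop file name: (Exec line, claimed executable MIME types)}."""
    findings = {}
    for desktop in sorted(Path(app_dir).glob("*.desktop")):
        # Desktop entries are INI-like; no interpolation because Exec uses %f/%U.
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.optionxform = str  # keys are case-sensitive (MimeType, Exec)
        try:
            parser.read(desktop, encoding="utf-8")
            entry = parser["Desktop Entry"]
        except (configparser.Error, KeyError, UnicodeDecodeError):
            continue  # not a parseable desktop entry
        claimed = {m.strip() for m in entry.get("MimeType", "").split(";") if m.strip()}
        hits = sorted(claimed & EXECUTABLE_MIME_TYPES)
        if hits:
            findings[desktop.name] = (entry.get("Exec", ""), hits)
    return findings


def demo():
    """Run the audit over two constructed desktop entries."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "loader.desktop").write_text(
            "[Desktop Entry]\nType=Application\nName=Windows Program Loader\n"
            "Exec=wine start /unix %f\n"
            "MimeType=application/x-ms-dos-executable;application/x-msdownload;\n")
        Path(tmp, "viewer.desktop").write_text(
            "[Desktop Entry]\nType=Application\nName=Image Viewer\n"
            "Exec=eog %U\nMimeType=image/jpeg;image/png;\n")
        return risky_handlers(tmp)


if __name__ == "__main__":
    for name, (exec_line, mimes) in demo().items():
        print(f"{name}: {exec_line!r} handles {', '.join(mimes)}")
```

On a real system, point `risky_handlers` at `/usr/share/applications` and `~/.local/share/applications` to see which installed packages still register such a handler.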
This report contains Public Security information  
Everyone can see this security related information.