'

Linux/BSD still exposed to WMF exploit through WINE!

I just received an email from the creator of the original proof-of-concept WMF exploit code that WINE was still vulnerable to the WMF exploit.

While news of Microsoft's official patch for the WMF exploit reaches the web, I just received an email from H D Moore (founder of the metasploit project and creator of the original proof-of-concept WMF exploit code) that WINE was still vulnerable to the WMF exploit.  He was kind enough to even include a sample of the updated proof-of-concept and had this to say:

H D Moore:
All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs.  The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data. The most feasible way this could happen is via a malicious WMF file embedded into a Word document, opened in Microsoft Office and running under Cross-Over Office.

Marcus Meissner (meissner@suse.de) contacted the Wine development team and sent them a patch to fix this flaw.

More from H D Moore:
Successful exploitation could result in either Windows or "native" shellcode executing on the system. The nice thing about the Wine environment is that most Metasploit Framework payloads will execute just fine under it. This isn't the first time that a Windows flaw was directly applicable to the Wine environment, but this may be the first time that the flaw was in the operating system itself.

Windows 2000, XP and 2003 users should immediately install the official patch from Microsoft.  While it isn't absolutely necessary, it is recommended that you uninstall the unofficial patch first.  Note that the unofficial patch required a system restart during installation and un-installation.  [Updated 1/6/2006 9:28 AM:  Windows XP does require a reboot with the official Microsoft patch.  It just didn't require me to reboot because I already had the leaked patch from Microsoft installed] The official patch from Microsoft conveniently does not require a reboot as far as I can tell on Windows XP SP2.  Windows 2000 seems to require a reboot after the installation.