[Bug 2715] New: Insecure file creation of "regxxxxxxx.tmp" in /tmp

Wine Bugs wine-bugs at winehq.org
Sat Feb 12 10:19:45 CST 2005


http://bugs.winehq.org/show_bug.cgi?id=2715

           Summary: Insecure file creation of "regxxxxxxx.tmp" in /tmp
           Product: Wine
           Version: 20041201
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: wine-files
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: badpenguin79 at hotmail.com


When an application is run, Wine makes a dump of the Windows registry in /tmp
with the name regxxxxxxx.tmp.

regxxxxxxx.tmp is created with -rw-r--r-- permissions.

This could represent a security problem in a multi-user environment.

Indeed, any local user could access the Windows registry dump and get sensitive
information, like passwords or other private data.

A local attacker could use a script to check every X seconds for the presence of a
regxxxxxxx.tmp and copy it to his home directory for subsequent analysis.

I have made some tests to reproduce this bug, running several applications, and I
noted that it was possible to get information in

HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider 

and
-------------------------------------------------------------------------------
[Software\\Microsoft\\Internet Account Manager\\Accounts\\00000008]
"Account Name"="libero.it"
"Connection Type"=dword:00000003
"POP3 Server"="pop3.libero.it"
"POP3 User Name"="xxxxxxx"
"POP3 Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"POP3 Prompt for Password"=dword:00000000
"SMTP Server"="mail.libero.it"
"SMTP Display Name"="xxxxxx"
"SMTP Email Address"="xxxxxx at libero.it"
"POP3 Skip Account"=dword:00000000
"POP3 Port"=dword:0000006e
"SMTP User Name"=""
"SMTP Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"SMTP Use Sicily"=dword:00000000
"SMTP Prompt for Password"=dword:00000000

-------------------------------------------------------------------------------

where Outlook's passwords were stored encrypted.

Note that even if they are encrypted, they could be imported into the attacker's
own Windows registry to gain illegal access to the victim's account.

I think that regxxxxxxx.tmp should be created with 0600 permissions.


Best regards,

Giovanni Delvecchio
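
The difference between the 0644 creation described in the report and the 0600 mode it asks for, as an added C example that is not Wine's code and not part of the original report. The function names, scratch directory and file names are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkstemp() and mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return the permission bits of fd (or -1 on error), then close it. */
static int mode_and_close(int fd)
{
    struct stat st;
    int mode = (fd >= 0 && fstat(fd, &st) == 0) ? (int)(st.st_mode & 07777) : -1;
    if (fd >= 0) close(fd);
    return mode;
}

/* As in the report: the dump is created with mode 0644 (-rw-r--r--). */
int create_dump_weak(const char *path)
{
    return mode_and_close(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644));
}

/* As requested: mkstemp() creates the file with O_EXCL and mode 0600. */
int create_dump_private(char *tmpl)
{
    return mode_and_close(mkstemp(tmpl));
}

/* Create both files in a scratch directory under the common umask 022. */
int demo(int *weak, int *priv)
{
    char dir[] = "/tmp/regdemoXXXXXX", a[64], b[64];   /* constructed names */
    mode_t old = umask(022);
    if (!mkdtemp(dir)) { umask(old); return -1; }
    snprintf(a, sizeof a, "%s/reg0000001.tmp", dir);
    snprintf(b, sizeof b, "%s/regXXXXXX", dir);
    *weak = create_dump_weak(a);
    *priv = create_dump_private(b);
    unlink(a); unlink(b); rmdir(dir); umask(old);
    return 0;
}

int main(void)
{
    int w, p;
    return demo(&w, &p) ? 1 : printf("weak=%04o private=%04o\n", (unsigned)w, (unsigned)p) < 0;
}
```

With a umask of 022 the first file stays world-readable, while the second is readable and writable by its owner only.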
