[Bug 43023] New: Applications using Windows Script Host Shell Object crash due to added IProvideClassInfo support
wine-bugs at winehq.org
Sat May 13 15:37:32 CDT 2017
https://bugs.winehq.org/show_bug.cgi?id=43023
Bug ID: 43023
Summary: Applications using Windows Script Host Shell Object crash due to added IProvideClassInfo support
Product: Wine
Version: 2.8
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: wshom.ocx
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
encountered this while checking out how well WannaCry / WannaDecrypt0r
ransomware / worm works with Wine.
I've noticed a crashing cscript.exe process in the trace log while executing a
simple VBScript.
--- snip ---
SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("Z:\home\wine\@WanaDecryptor at .exe.lnk")
om.TargetPath = "Z:\home\wine\@WanaDecryptor at .exe"
om.Save
--- snip ---
--- snip ---
...
0009:Call KERNEL32.CreateMutexA(00000000,00000001,1000d503 "MsWinZonesCacheCounterMutexA") ret=100046a0
0009:Ret KERNEL32.CreateMutexA() retval=00000010 ret=100046a0
...
0009:Call KERNEL32.CreateProcessA(00000000,0040f520 "attrib +h .",00000000,00000000,00000000,08000000,00000000,00000000,0032f644,0032f688) ret=004010ae
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
...
0009:Call KERNEL32.CreateProcessA(00000000,0040f4fc "icacls . /grant Everyone:F /T /C /Q",00000000,00000000,00000000,08000000,00000000,00000000,0032f638,0032f67c) ret=004010ae
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
...
003b:Call KERNEL32.CreateProcessA(00000000,1000d7ac "taskdl.exe",00000000,00000000,00000000,08000000,00000000,00000000,00e7e9c4,00e7e9b4) ret=100010d9
...
003b:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor at .exe fi",00000000,00000000,00000000,08000000,00000000,00000000,0032e6d4,0032e6c4) ret=100010d9
0009:Ret KERNEL32.CreateProcessA() retval=00000000 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032df38 "192251494691850.bat",00000000,00000000,00000000,08000000,00000000,00000000,0032ded0,0032dec0) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0041:Call KERNEL32.CreateProcessW(00329a18 L"C:\\windows\\system32\\cscript.exe",0012cc00 L"cscript.exe //nologo m.vbs",00000000,00000000,00000001,00000000,00000000,00000000,003299d4,00329ed8) ret=7eed8a33
...
0043:Call KERNEL32.__wine_kernel_init() ret=7bc6a77e
...
0041:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eed8a33
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e0d4 "attrib +h +s Z:\\$RECYCLE",00000000,00000000,00000000,08000000,00000000,00000000,0032e068,0032e058) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor at .exe co",00000000,00000000,00000000,08000000,00000000,00000000,0032e6c8,0032e6b8) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "cmd.exe /c start /b @WanaDecryptor at .exe vs",00000000,00000000,00000000,08000000,00000000,00000000,0032e6c8,0032e6b8) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
004b:Call KERNEL32.CreateProcessW(0033ae70 L"C:\\windows\\command\\start.exe",00120220 L"C:\\windows\\command\\start.exe /b @WanaDecryptor at .exe vs",00000000,00000000,00000001,00000000,00000000,00000000,0033ae2c,0033ae1c) ret=7eee067a
...
004b:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eee067a
...
004d:Call KERNEL32.CreateProcessW(00000000,0033e934 L"\"@WanaDecryptor at .exe\" vs",00000000,00000000,00000000,00000410,00000000,00000000,0033e410,0033e400) ret=7eda895c
...
004d:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eda895c
...
0043:Call KERNEL32.lstrcmpiW(0013932c L"CreateShortcut",0013ca14 L"CreateShortcut") ret=7e85d788
0043:Ret KERNEL32.lstrcmpiW() retval=00000000 ret=7e85d788
...
0043:trace:seh:raise_exception code=c0000005 flags=0 addr=0x283e2d29 ip=283e2d29 tid=0043
0043:trace:seh:raise_exception info[0]=00000008
0043:trace:seh:raise_exception info[1]=283e2d29
0043:trace:seh:raise_exception eax=0033efa4 ebx=0033f020 ecx=00000000 edx=0000000c esi=00143c18 edi=0033ef5c
0043:trace:seh:raise_exception ebp=0033ef68 esp=0033ef4c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0043:trace:seh:call_stack_handlers calling handler at 0x7bcae416 code=c0000005 flags=0
--- snip ---
Revisiting other WSH-related bugs, I've noticed that they have regressed as well.
Another example scriptlet, which now causes a crash:
--- snip ---
set wshShell = Wscript.CreateObject("Wscript.Shell")
strPath = wshShell.SpecialFolders("Desktop")
--- snip ---
* bug 28605
* bug 29461
... potentially more
Regression testing/bisecting revealed:
--- snip ---
$ git bisect good
722c28cb5de076a4894a0a23500b160531a8b744 is the first bad commit
commit 722c28cb5de076a4894a0a23500b160531a8b744
Author: Nikolay Sivov <nsivov at codeweavers.com>
Date: Wed Jan 25 00:50:36 2017 +0300
wshom: Added IProvideClassInfo support for implemented interfaces.
Signed-off-by: Nikolay Sivov <nsivov at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
:040000 040000 bcf5f18298671fdc98e0fb37d4ef5adbd74b8d32 5b85d4ddacb4f824c07e40246e60d3324ddee2bc M dlls
--- snip ---
Reverting on top of current master HEAD (wine 2.8) makes the crash go away:
--- snip ---
$ git revert -n 722c28cb5de076a4894a0a23500b160531a8b744
--- snip ---
*************************************************************
A note of warning to Linux users trying to execute the malware/worm just out of
curiosity.
I'm not subscribed to mailing lists nor active in forums, hence I write it here.
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
DO NOT TRY IT OUT UNLESS YOU KNOW WHAT YOU ARE DOING.
The Windows Script Host issue reported here is minor for that ransomware.
It doesn't prevent it from doing its work - it works pretty well.
If you store precious data/documents on your root filesystem/mountpoints,
subdirectories or any other user-writable locations, reachable through symlinks
- it will encrypt them if they match specific file extensions (see link for
file types affected).
I've used a Docker container with networking disabled and specific host->container
directory mappings to sandbox the app with Wine and capture/analyse its doings.
Removing drives from dosdevices is not secure unless one is sure that the app
has no Linux/Wine awareness.
Regards
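As an added example (editor's code, not part of Wine or of this bug report), here is a small parser that turns a relay trace like the one quoted above into a list of process-creation events paired with their return values, plus any access violations raised. It assumes the line shapes produced by WINEDEBUG=+relay,+seh exactly as they appear in the report (the `tid:Call DLL.Func(args) ret=addr`, `tid:Ret DLL.Func() retval=... ret=addr` and `tid:trace:seh:raise_exception ...` forms); the sample input is a handful of lines copied from the report with the mail wrapping rejoined.

```python
"""Reconstruct process-creation and crash events from a Wine relay trace.

Added example for this report; not part of Wine or of the bug report itself.
Only the three line shapes visible in the report are understood:
  tid:Call DLL.Func(args) ret=addr
  tid:Ret DLL.Func() retval=value ret=addr
  tid:trace:seh:raise_exception code=... flags=... addr=... ip=... tid=...
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input copied from the trace in the report (wrapping rejoined). The
# " at " inside file names is the list archive's address mangling, kept as-is.
SAMPLE_TRACE = r"""
0009:Call KERNEL32.CreateProcessA(00000000,0040f520 "attrib +h .",00000000,00000000,00000000,08000000,00000000,00000000,0032f644,0032f688) ret=004010ae
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
0009:Call KERNEL32.CreateProcessA(00000000,0040f4fc "icacls . /grant Everyone:F /T /C /Q",00000000,00000000,00000000,08000000,00000000,00000000,0032f638,0032f67c) ret=004010ae
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor at .exe fi",00000000,00000000,00000000,08000000,00000000,00000000,0032e6d4,0032e6c4) ret=100010d9
0009:Ret KERNEL32.CreateProcessA() retval=00000000 ret=100010d9
0041:Call KERNEL32.CreateProcessW(00329a18 L"C:\\windows\\system32\\cscript.exe",0012cc00 L"cscript.exe //nologo m.vbs",00000000,00000000,00000001,00000000,00000000,00000000,003299d4,00329ed8) ret=7eed8a33
0043:Call KERNEL32.__wine_kernel_init() ret=7bc6a77e
0041:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eed8a33
0043:trace:seh:raise_exception code=c0000005 flags=0 addr=0x283e2d29 ip=283e2d29 tid=0043
"""

CALL_RE = re.compile(r'^([0-9a-f]{4}):Call (\S+?)\((.*)\) ret=([0-9a-f]+)$')
RET_RE = re.compile(r'^([0-9a-f]{4}):Ret\s+(\S+?)\(\) retval=([0-9a-f]+) ret=([0-9a-f]+)$')
EXC_RE = re.compile(r'^([0-9a-f]{4}):trace:seh:raise_exception code=([0-9a-f]+) flags=\d+ addr=(0x[0-9a-f]+)')
# Relay prints strings as "..." or L"..." with backslash escapes inside.
STR_RE = re.compile(r'L?"((?:[^"\\]|\\.)*)"')
PROCESS_FUNCS = ("KERNEL32.CreateProcessA", "KERNEL32.CreateProcessW")


def unescape(s: str) -> str:
    """Undo relay's backslash escaping (\\" -> ", \\\\ -> \\)."""
    return re.sub(r'\\(.)', r'\1', s)


@dataclass
class ProcessEvent:
    tid: str
    func: str                      # CreateProcessA or CreateProcessW
    app_name: Optional[str]        # lpApplicationName, when not NULL
    command_line: str              # lpCommandLine
    succeeded: Optional[bool] = None   # None until the matching Ret is seen


@dataclass
class Crash:
    tid: str
    code: str
    addr: str


def parse_relay_trace(text: str) -> Tuple[List[ProcessEvent], List[Crash]]:
    """Pair each CreateProcessA/W Call with the Ret of the same thread and
    collect raised exceptions. Other relay lines are ignored."""
    events: List[ProcessEvent] = []
    crashes: List[Crash] = []
    pending: Dict[Tuple[str, str], List[ProcessEvent]] = {}
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            tid, func, args, _ = m.groups()
            if func in PROCESS_FUNCS:
                strings = [unescape(s) for s in STR_RE.findall(args)]
                if strings:   # first string is the app name only when two are present
                    ev = ProcessEvent(tid, func.split(".")[1],
                                      strings[0] if len(strings) > 1 else None,
                                      strings[-1])
                    events.append(ev)
                    pending.setdefault((tid, func), []).append(ev)
            continue
        m = RET_RE.match(line)
        if m:
            tid, func, retval, _ = m.groups()
            stack = pending.get((tid, func))
            if stack:   # calls nest per thread, so the innermost pending call returns first
                ev = stack.pop()
                ev.succeeded = int(retval, 16) != 0
            continue
        m = EXC_RE.match(line)
        if m:
            crashes.append(Crash(*m.groups()))
    return events, crashes


def summarize(events: List[ProcessEvent], crashes: List[Crash]) -> List[str]:
    """One human-readable line per event, suitable for a triage note."""
    out = []
    for ev in events:
        status = {True: "ok", False: "FAILED", None: "no Ret"}[ev.succeeded]
        out.append(f"[{ev.tid}] {ev.func:<15} {status:<7} {ev.command_line}")
    for c in crashes:
        out.append(f"[{c.tid}] exception {c.code} at {c.addr}")
    return out


if __name__ == "__main__":
    ev, cr = parse_relay_trace(SAMPLE_TRACE)
    print("\n".join(summarize(ev, cr)))
```

Run against the sample, the summary shows the three CreateProcessA calls from thread 0009 (the `@WanaDecryptor at .exe fi` launch reported as FAILED because its retval is 0), the cscript.exe launch from thread 0041, and the c0000005 access violation in thread 0043, i.e. the cscript.exe child created just before it. Feeding it a full WINEDEBUG=+relay,+seh log lets you read off the process chain without scrolling through the raw relay output.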