[Bug 43023] New: Applications using Windows Script Host Shell Object crash due to added IProvideClassInfo support

wine-bugs at winehq.org wine-bugs at winehq.org
Sat May 13 15:37:32 CDT 2017


https://bugs.winehq.org/show_bug.cgi?id=43023

            Bug ID: 43023
           Summary: Applications using Windows Script Host Shell Object
                    crash due to added IProvideClassInfo support
           Product: Wine
           Version: 2.8
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: wshom.ocx
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

encountered this while checking out how well WannaCry / WannaDecrypt0r
ransomware / worm works with Wine.

I've noticed a crashing cscript.exe process in the trace log while executing a
simple VBScript.

--- snip ---
SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("Z:\home\wine\@WanaDecryptor@.exe.lnk")
om.TargetPath = "Z:\home\wine\@WanaDecryptor@.exe"
om.Save
--- snip ---

--- snip ---
...
0009:Call KERNEL32.CreateMutexA(00000000,00000001,1000d503
"MsWinZonesCacheCounterMutexA") ret=100046a0 
0009:Ret  KERNEL32.CreateMutexA() retval=00000010 ret=100046a0
...
0009:Call KERNEL32.CreateProcessA(00000000,0040f520 "attrib +h
.",00000000,00000000,00000000,08000000,00000000,00000000,0032f644,0032f688)
ret=004010ae 
...
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
...
0009:Call KERNEL32.CreateProcessA(00000000,0040f4fc "icacls . /grant Everyone:F
/T /C
/Q",00000000,00000000,00000000,08000000,00000000,00000000,0032f638,0032f67c)
ret=004010ae 
...
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=004010ae 
...
003b:Call KERNEL32.CreateProcessA(00000000,1000d7ac
"taskdl.exe",00000000,00000000,00000000,08000000,00000000,00000000,00e7e9c4,00e7e9b4)
ret=100010d9 
...
003b:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=100010d9 
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor@.exe
fi",00000000,00000000,00000000,08000000,00000000,00000000,0032e6d4,0032e6c4)
ret=100010d9
0009:Ret  KERNEL32.CreateProcessA() retval=00000000 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032df38
"192251494691850.bat",00000000,00000000,00000000,08000000,00000000,00000000,0032ded0,0032dec0)
ret=100010d9 
...
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=100010d9 
...
0041:Call KERNEL32.CreateProcessW(00329a18
L"C:\\windows\\system32\\cscript.exe",0012cc00 L"cscript.exe //nologo
m.vbs",00000000,00000000,00000001,00000000,00000000,00000000,003299d4,00329ed8)
ret=7eed8a33 
...
0043:Call KERNEL32.__wine_kernel_init() ret=7bc6a77e 
...
0041:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=7eed8a33 
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e0d4 "attrib +h +s
Z:\\$RECYCLE",00000000,00000000,00000000,08000000,00000000,00000000,0032e068,0032e058)
ret=100010d9 
...
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=100010d9 
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor@.exe
co",00000000,00000000,00000000,08000000,00000000,00000000,0032e6c8,0032e6b8)
ret=100010d9 
...
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=100010d9 
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "cmd.exe /c start /b
@WanaDecryptor@.exe
vs",00000000,00000000,00000000,08000000,00000000,00000000,0032e6c8,0032e6b8)
ret=100010d9 
...
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=100010d9 
...
004b:Call KERNEL32.CreateProcessW(0033ae70
L"C:\\windows\\command\\start.exe",00120220 L"C:\\windows\\command\\start.exe
/b @WanaDecryptor@.exe
vs",00000000,00000000,00000001,00000000,00000000,00000000,0033ae2c,0033ae1c)
ret=7eee067a 
...
004b:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=7eee067a 
...
004d:Call KERNEL32.CreateProcessW(00000000,0033e934 L"\"@WanaDecryptor@.exe\" 
vs",00000000,00000000,00000000,00000410,00000000,00000000,0033e410,0033e400)
ret=7eda895c 
...
004d:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=7eda895c 
...
0043:Call KERNEL32.lstrcmpiW(0013932c L"CreateShortcut",0013ca14
L"CreateShortcut") ret=7e85d788
0043:Ret  KERNEL32.lstrcmpiW() retval=00000000 ret=7e85d788
...
0043:trace:seh:raise_exception code=c0000005 flags=0 addr=0x283e2d29
ip=283e2d29 tid=0043
0043:trace:seh:raise_exception  info[0]=00000008
0043:trace:seh:raise_exception  info[1]=283e2d29
0043:trace:seh:raise_exception  eax=0033efa4 ebx=0033f020 ecx=00000000
edx=0000000c esi=00143c18 edi=0033ef5c
0043:trace:seh:raise_exception  ebp=0033ef68 esp=0033ef4c cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010206
0043:trace:seh:call_stack_handlers calling handler at 0x7bcae416 code=c0000005
flags=0 
--- snip ---

Revisiting other WSH-related bugs, I've noticed that they have regressed as well.
Another example scriptlet, which now crashes:

--- snip ---
set wshShell = Wscript.CreateObject("Wscript.Shell")
strPath = wshShell.SpecialFolders("Desktop")
--- snip ---

* bug 28605
* bug 29461

... potentially more

Regression testing/bisecting revealed:

--- snip ---
$ git bisect good
722c28cb5de076a4894a0a23500b160531a8b744 is the first bad commit
commit 722c28cb5de076a4894a0a23500b160531a8b744
Author: Nikolay Sivov <nsivov at codeweavers.com>
Date:   Wed Jan 25 00:50:36 2017 +0300

    wshom: Added IProvideClassInfo support for implemented interfaces.

    Signed-off-by: Nikolay Sivov <nsivov at codeweavers.com>
    Signed-off-by: Alexandre Julliard <julliard at winehq.org>

:040000 040000 bcf5f18298671fdc98e0fb37d4ef5adbd74b8d32
5b85d4ddacb4f824c07e40246e60d3324ddee2bc M    dlls
--- snip ---

Reverting on top of current master HEAD (wine 2.8) makes the crash go away:

--- snip ---
$ git revert -n 722c28cb5de076a4894a0a23500b160531a8b744
--- snip ---

*************************************************************

A note of warning to Linux users trying to execute the malware/worm just out of
curiosity. I'm not subscribed to mailing lists nor active in forums, hence I
write it here.

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

DO NOT TRY IT OUT UNLESS YOU KNOW WHAT YOU ARE DOING.

The Windows Script Host issue reported here is minor for that ransomware.
It doesn't prevent it from doing its work - it works pretty well.

If you store precious data/documents on your root filesystem/mountpoints,
subdirectories or any other user-writable locations reachable through symlinks,
it will encrypt them if they match specific file extensions (see link for the
file types affected).

I've used a Docker container with networking disabled and specific
host->container directory mappings to sandbox the app with Wine and
capture/analyse its doings. Removing drives from dosdevices is not secure
unless one is sure that the app has no Linux/Wine awareness.

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
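The relay trace quoted in the report is the kind of artifact a sandboxed Wine run produces, and what an analyst actually wants out of it is the process chain it records (attrib, icacls, taskdl.exe, cscript.exe) and the c0000005 fault on the cscript thread. The following Python script is an added example, not code from the bug report or from the Wine project: it parses Wine's +relay Call/Ret lines and +seh exception lines, pairs each CreateProcess call with its return value, reads dwCreationFlags (CREATE_NO_WINDOW is 0x08000000) and reports the last API a crashing thread called before the fault. The sample lines are a constructed, abridged copy of the trace above with the mail archive's line wrapping undone and the mangled "@WanaDecryptor at .exe" name restored; the regular expressions, the dataclasses and the "suspicious" labels are this example's own assumptions, not anything Wine or the report defines.

```python
"""Pull the process-creation chain and the crash record out of a Wine
WINEDEBUG=+relay,+seh trace.  Added example, not code from the report or Wine."""
from __future__ import annotations
import re
from dataclasses import dataclass

CREATE_NO_WINDOW = 0x08000000  # dwCreationFlags bit set on every child below

# Constructed sample: an abridged copy of the trace quoted in the report, with the
# archive's line wrapping undone and "@WanaDecryptor at .exe" restored to
# "@WanaDecryptor@.exe".  The "..." gaps of the original are simply dropped.
SAMPLE_TRACE = r"""
0009:Call KERNEL32.CreateMutexA(00000000,00000001,1000d503 "MsWinZonesCacheCounterMutexA") ret=100046a0
0009:Ret  KERNEL32.CreateMutexA() retval=00000010 ret=100046a0
0009:Call KERNEL32.CreateProcessA(00000000,0040f520 "attrib +h .",00000000,00000000,00000000,08000000,00000000,00000000,0032f644,0032f688) ret=004010ae
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
0009:Call KERNEL32.CreateProcessA(00000000,0040f4fc "icacls . /grant Everyone:F /T /C /Q",00000000,00000000,00000000,08000000,00000000,00000000,0032f638,0032f67c) ret=004010ae
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
003b:Call KERNEL32.CreateProcessA(00000000,1000d7ac "taskdl.exe",00000000,00000000,00000000,08000000,00000000,00000000,00e7e9c4,00e7e9b4) ret=100010d9
003b:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor@.exe fi",00000000,00000000,00000000,08000000,00000000,00000000,0032e6d4,0032e6c4) ret=100010d9
0009:Ret  KERNEL32.CreateProcessA() retval=00000000 ret=100010d9
0041:Call KERNEL32.CreateProcessW(00329a18 L"C:\\windows\\system32\\cscript.exe",0012cc00 L"cscript.exe //nologo m.vbs",00000000,00000000,00000001,00000000,00000000,00000000,003299d4,00329ed8) ret=7eed8a33
0041:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=7eed8a33
0043:Call KERNEL32.lstrcmpiW(0013932c L"CreateShortcut",0013ca14 L"CreateShortcut") ret=7e85d788
0043:Ret  KERNEL32.lstrcmpiW() retval=00000000 ret=7e85d788
0043:trace:seh:raise_exception code=c0000005 flags=0 addr=0x283e2d29 ip=283e2d29 tid=0043
0043:trace:seh:raise_exception  info[0]=00000008
"""

# Line shapes of the relay/seh channels as they appear in the report (assumed stable).
CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call (?P<fn>[\w.]+)\((?P<args>.*)\) ret=[0-9a-f]+\s*$")
RET_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Ret\s+(?P<fn>[\w.]+)\(\) retval=(?P<retval>[0-9a-f]+) ret=[0-9a-f]+\s*$")
SEH_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):trace:seh:raise_exception code=(?P<code>[0-9a-f]+) flags=\d+ addr=0x(?P<addr>[0-9a-f]+)")
ARG_RE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # one argument: split on commas outside quotes
STR_RE = re.compile(r'L?"((?:[^"\\]|\\.)*)"')          # the quoted string inside one argument


def unescape(s: str) -> str:
    """Undo the C-style escaping Wine applies when printing string arguments."""
    return re.sub(r"\\(.)", r"\1", s)


@dataclass
class ProcessEvent:
    tid: str
    api: str                       # "CreateProcessA" or "CreateProcessW"
    application: str | None        # lpApplicationName, usually NULL
    command_line: str              # lpCommandLine
    creation_flags: int            # dwCreationFlags, the 6th argument
    succeeded: bool | None = None  # filled in from the matching Ret line


@dataclass
class CrashEvent:
    tid: str
    code: int
    address: int
    last_api: str | None           # last relay call seen on that thread before the fault


def parse_trace(text: str) -> tuple[list[ProcessEvent], list[CrashEvent]]:
    procs: list[ProcessEvent] = []
    crashes: list[CrashEvent] = []
    pending: dict[tuple[str, str], ProcessEvent] = {}  # (tid, fn) -> call awaiting its Ret
    last_call: dict[str, str] = {}
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            tid, fn = m["tid"], m["fn"]
            last_call[tid] = fn
            if fn.endswith(("CreateProcessA", "CreateProcessW")):
                args = ARG_RE.findall(m["args"])
                app, cmd = STR_RE.search(args[0]), STR_RE.search(args[1])
                ev = ProcessEvent(tid, fn.rsplit(".", 1)[-1],
                                  unescape(app.group(1)) if app else None,
                                  unescape(cmd.group(1)) if cmd else "",
                                  int(args[5], 16))
                procs.append(ev)
                pending[(tid, fn)] = ev
        elif m := RET_RE.match(line):
            ev = pending.pop((m["tid"], m["fn"]), None)
            if ev is not None:
                ev.succeeded = m["retval"] != "00000000"   # CreateProcess returns BOOL
        elif m := SEH_RE.match(line):
            crashes.append(CrashEvent(m["tid"], int(m["code"], 16), int(m["addr"], 16),
                                      last_call.get(m["tid"])))
    return procs, crashes


def suspicious(procs: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Cheap hunt heuristics over the spawned command lines (labels are this example's own)."""
    hits = []
    for p in procs:
        cl, why = p.command_line.lower(), []
        if "icacls" in cl and "/grant everyone" in cl:
            why.append("ACL opened to Everyone")
        if cl.startswith("attrib ") and "+h" in cl:
            why.append("hiding files")
        if p.creation_flags & CREATE_NO_WINDOW:
            why.append("CREATE_NO_WINDOW")
        if why:
            hits.append((p.command_line, why))
    return hits


if __name__ == "__main__":
    procs, crashes = parse_trace(SAMPLE_TRACE)
    for p in procs:
        print(f"[{p.tid}] {p.api:<14} ok={p.succeeded!s:<5} {p.command_line}")
    for c in crashes:
        print(f"[{c.tid}] exception {c.code:#010x} at {c.address:#010x}, last call {c.last_api}")
    for cmd, why in suspicious(procs):
        print(f"  flag: {cmd!r}: {', '.join(why)}")
```

Run directly it prints the chain, the fault and the flagged commands. On a real WINEDEBUG=+relay,+seh log the "last call" field is only as good as the log: relay only records calls that cross a DLL boundary, and if the log was filtered or abridged the thread's last recorded call may not be the one that faulted. The pairing of Call and Ret also assumes one outstanding CreateProcess per thread, which holds for the report's trace but not for every program.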
