Security bug in ShellExecuteEx()

Francois Gouget fgouget at codeweavers.com
Thu Apr 8 19:14:10 CDT 2004


Currently ShellExecuteEx() will try to execute files before it even 
knows what it's supposed to to with them. Here is an example. First copy 
'notepad.exe' (or some other real PE executable) to 'foo.pdf'. Then do a 
ShellExecute("foo.pdf"). Bingo, "notepad.exe" starts up!

Here is another more worrying exploit:
Upload your favorite 'trojan.exe' as 'http://mysite.com/super.wmv'. 
Invite your friends to run 'wine iexplore.exe 
http://mysite.com/super.wmv'. Bingo again.

Fortunately, until know invoking external applications did not work in 
IE. See my previous patch.


The reason why we get into trouble is because we call execfunc() way too 
early, i.e. before SHELL_FindExecutable(). Calling it there seems like 
nothing more than a bad optimisation. So I believe the simplest solution 
is to just remove that call. I tried that and things still work just 
fine because now we go through the normal steps.

Changelog:

  * dlls/shell32/shlexec.c

    Francois Gouget <fgouget at codeweavers.com>

    Do not try to execute files before we know how they should be 
handled. This fixes a security bug in ShellExecuteEx().


-- 
Francois Gouget
fgouget at codeweavers.com

-------------- next part --------------
Index: dlls/shell32/shlexec.c
===================================================================
RCS file: /var/cvs/wine/dlls/shell32/shlexec.c,v
retrieving revision 1.40
diff -u -r1.40 shlexec.c
--- a/dlls/shell32/shlexec.c	7 Apr 2004 03:49:51 -0000	1.40
+++ b/dlls/shell32/shlexec.c	8 Apr 2004 23:12:53 -0000
@@ -1114,10 +1126,6 @@
         strcatW(wszApplicationName, wszCommandline);
     }
 
-    retval = execfunc(wszApplicationName, NULL, FALSE, &sei_tmp, sei);
-    if (retval > 32)
-        return TRUE;
-
     /* Else, try to find the executable */
     wcmd[0] = '\0';
     retval = SHELL_FindExecutable(sei_tmp.lpDirectory, lpFile, sei_tmp.lpVerb, wcmd, 1024, lpstrProtocol, &env, sei_tmp.lpIDList, sei_tmp.lpParameters);


More information about the wine-patches mailing list