https://bugs.winehq.org/show_bug.cgi?id=43023
Bug ID: 43023
Summary: Applications using Windows Script Host Shell Object crash due to added IProvideClassInfo support
Product: Wine
Version: 2.8
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: wshom.ocx
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
encountered this while checking out how well WannaCry / WannaDecrypt0r ransomware / worm works with Wine.
I've noticed a crashing cscript.exe process in the trace log while executing a simple vbscript.
--- snip ---
SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("Z:\home\wine@WanaDecryptor@.exe.lnk")
om.TargetPath = "Z:\home\wine@WanaDecryptor@.exe"
om.Save
--- snip ---
--- snip ---
...
0009:Call KERNEL32.CreateMutexA(00000000,00000001,1000d503 "MsWinZonesCacheCounterMutexA") ret=100046a0
0009:Ret KERNEL32.CreateMutexA() retval=00000010 ret=100046a0
...
0009:Call KERNEL32.CreateProcessA(00000000,0040f520 "attrib +h .",00000000,00000000,00000000,08000000,00000000,00000000,0032f644,0032f688) ret=004010ae
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
...
0009:Call KERNEL32.CreateProcessA(00000000,0040f4fc "icacls . /grant Everyone:F /T /C /Q",00000000,00000000,00000000,08000000,00000000,00000000,0032f638,0032f67c) ret=004010ae
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=004010ae
...
003b:Call KERNEL32.CreateProcessA(00000000,1000d7ac "taskdl.exe",00000000,00000000,00000000,08000000,00000000,00000000,00e7e9c4,00e7e9b4) ret=100010d9
...
003b:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor@.exe fi",00000000,00000000,00000000,08000000,00000000,00000000,0032e6d4,0032e6c4) ret=100010d9
0009:Ret KERNEL32.CreateProcessA() retval=00000000 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032df38 "192251494691850.bat",00000000,00000000,00000000,08000000,00000000,00000000,0032ded0,0032dec0) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0041:Call KERNEL32.CreateProcessW(00329a18 L"C:\windows\system32\cscript.exe",0012cc00 L"cscript.exe //nologo m.vbs",00000000,00000000,00000001,00000000,00000000,00000000,003299d4,00329ed8) ret=7eed8a33
...
0043:Call KERNEL32.__wine_kernel_init() ret=7bc6a77e
...
0041:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eed8a33
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e0d4 "attrib +h +s Z:\$RECYCLE",00000000,00000000,00000000,08000000,00000000,00000000,0032e068,0032e058) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "@WanaDecryptor@.exe co",00000000,00000000,00000000,08000000,00000000,00000000,0032e6c8,0032e6b8) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
0009:Call KERNEL32.CreateProcessA(00000000,0032e74c "cmd.exe /c start /b @WanaDecryptor@.exe vs",00000000,00000000,00000000,08000000,00000000,00000000,0032e6c8,0032e6b8) ret=100010d9
...
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=100010d9
...
004b:Call KERNEL32.CreateProcessW(0033ae70 L"C:\windows\command\start.exe",00120220 L"C:\windows\command\start.exe /b @WanaDecryptor@.exe vs",00000000,00000000,00000001,00000000,00000000,00000000,0033ae2c,0033ae1c) ret=7eee067a
...
004b:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eee067a
...
004d:Call KERNEL32.CreateProcessW(00000000,0033e934 L""@WanaDecryptor@.exe" vs",00000000,00000000,00000000,00000410,00000000,00000000,0033e410,0033e400) ret=7eda895c
...
004d:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eda895c
...
0043:Call KERNEL32.lstrcmpiW(0013932c L"CreateShortcut",0013ca14 L"CreateShortcut") ret=7e85d788
0043:Ret KERNEL32.lstrcmpiW() retval=00000000 ret=7e85d788
...
0043:trace:seh:raise_exception code=c0000005 flags=0 addr=0x283e2d29 ip=283e2d29 tid=0043
0043:trace:seh:raise_exception info[0]=00000008
0043:trace:seh:raise_exception info[1]=283e2d29
0043:trace:seh:raise_exception eax=0033efa4 ebx=0033f020 ecx=00000000 edx=0000000c esi=00143c18 edi=0033ef5c
0043:trace:seh:raise_exception ebp=0033ef68 esp=0033ef4c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0043:trace:seh:call_stack_handlers calling handler at 0x7bcae416 code=c0000005 flags=0
--- snip ---
Revisiting other WSH-related bugs, I've noticed they have regressed as well. Another example scriptlet, now causing a crash:
--- snip ---
set wshShell = Wscript.CreateObject("Wscript.Shell")
strPath = wshShell.SpecialFolders("Desktop")
--- snip ---
* bug 28605
* bug 29461
... potentially more
Regression testing/bisecting revealed:
--- snip ---
$ git bisect good
722c28cb5de076a4894a0a23500b160531a8b744 is the first bad commit
commit 722c28cb5de076a4894a0a23500b160531a8b744
Author: Nikolay Sivov <nsivov@codeweavers.com>
Date:   Wed Jan 25 00:50:36 2017 +0300

    wshom: Added IProvideClassInfo support for implemented interfaces.

    Signed-off-by: Nikolay Sivov <nsivov@codeweavers.com>
    Signed-off-by: Alexandre Julliard <julliard@winehq.org>

:040000 040000 bcf5f18298671fdc98e0fb37d4ef5adbd74b8d32 5b85d4ddacb4f824c07e40246e60d3324ddee2bc M	dlls
--- snip ---
Reverting on top of current master HEAD (wine 2.8) makes the crash go away:
--- snip ---
$ git revert -n 722c28cb5de076a4894a0a23500b160531a8b744
--- snip ---
*************************************************************
A note of warning to Linux users trying to execute the malware/worm just out of curiosity. I'm not subscribed to mailing lists nor active in forums, hence I write it here.
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
DO NOT TRY IT OUT UNLESS YOU KNOW WHAT YOU ARE DOING.
The Windows Script Host issue reported here is minor for that ransomware. It doesn't prevent it from doing its work - it works pretty well.
If you store precious data/documents on your root filesystem/mountpoints, subdirectories or any other user-writable locations, reachable through symlinks - it will encrypt them if they match specific file extensions (see link for file types affected).
I've used a Docker container with networking disabled, specific host->container directory mappings to sandbox the app with Wine and capture/analyse its doings. Removing drives from dosdevices is not secure unless one is sure that the app has no Linux/Wine awareness.
Regards
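A small triage script for Wine +relay/+seh traces like the one quoted in this report, added here as an example (it is not code from the report or from the Wine project): it pulls the CreateProcess command lines and the SEH fault record out of the trace and flags launches that deserve a second look during sandbox analysis. The flagging heuristics are this example's own assumptions; the sample lines are copied from the trace above.

```python
"""Triage helper for Wine +relay/+seh traces (constructed example, not from the report)."""
import re

# Constructed sample: a few lines taken verbatim from the trace quoted in this report.
SAMPLE_LOG = r"""
0009:Call KERNEL32.CreateMutexA(00000000,00000001,1000d503 "MsWinZonesCacheCounterMutexA") ret=100046a0
0009:Call KERNEL32.CreateProcessA(00000000,0040f520 "attrib +h .",00000000,00000000,00000000,08000000,00000000,00000000,0032f644,0032f688) ret=004010ae
0009:Call KERNEL32.CreateProcessA(00000000,0040f4fc "icacls . /grant Everyone:F /T /C /Q",00000000,00000000,00000000,08000000,00000000,00000000,0032f638,0032f67c) ret=004010ae
0041:Call KERNEL32.CreateProcessW(00329a18 L"C:\windows\system32\cscript.exe",0012cc00 L"cscript.exe //nologo m.vbs",00000000,00000000,00000001,00000000,00000000,00000000,003299d4,00329ed8) ret=7eed8a33
004d:Call KERNEL32.CreateProcessW(00000000,0033e934 L""@WanaDecryptor@.exe" vs",00000000,00000000,00000000,00000410,00000000,00000000,0033e410,0033e400) ret=7eda895c
0043:trace:seh:raise_exception code=c0000005 flags=0 addr=0x283e2d29 ip=283e2d29 tid=0043
"""

# Relay lines look like "<tid>:Call KERNEL32.CreateProcessA(<args>) ret=<addr>".
CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call KERNEL32\.CreateProcess[AW]\((?P<args>.*)\) ret=")
# Quoted string arguments appear as '<addr> "text"' or '<addr> L"text"'. The relay output
# does not escape embedded quotes, so stop only at a quote followed by a comma or the end.
STR_RE = re.compile(r'[0-9a-f]{8} L?"(.*?)"(?=,|$)')
SEH_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):trace:seh:raise_exception code=(?P<code>[0-9a-f]{8}) .*?addr=0x(?P<addr>[0-9a-f]+)")

def flag_suspicious(cmdline):
    """Heuristics (assumptions of this example) for launches worth a second look."""
    low = cmdline.lower()
    reasons = []
    if "icacls" in low and "everyone:f" in low:
        reasons.append("icacls grants Everyone full control")
    if re.search(r"\battrib\b.*\+h", low):
        reasons.append("sets hidden attribute")
    if re.search(r"\b[cw]script(\.exe)?\b", low):
        reasons.append("spawns Windows Script Host")
    if "cmd.exe /c start" in low:
        reasons.append("detached launch via cmd start")
    return reasons

def triage(log_text):
    """Return process launches (tid, cmdline, reasons) and faults (tid, code, addr)."""
    launches, crashes = [], []
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            strings = STR_RE.findall(m.group("args"))
            if strings:  # last quoted argument is lpCommandLine when it is non-NULL
                cmd = strings[-1]
                launches.append((m.group("tid"), cmd, flag_suspicious(cmd)))
            continue
        m = SEH_RE.match(line)
        if m:
            crashes.append((m.group("tid"), m.group("code"), m.group("addr")))
    return {"launches": launches, "crashes": crashes}
```

Run it over a full `WINEDEBUG=+relay,+seh` capture to get the process tree and the faulting thread (here tid 0043, the cscript.exe child) without scrolling through the whole relay log.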