http://bugs.winehq.org/show_bug.cgi?id=2715
Summary: Insecure file creation of "regxxxxxxx.tmp" in /tmp
Product: Wine
Version: 20041201
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-files
AssignedTo: wine-bugs@winehq.org
ReportedBy: badpenguin79@hotmail.com

When an application is run, Wine makes a dump of the Windows registry in /tmp with the name regxxxxxxx.tmp.
regxxxxxxx.tmp is created with -rw-r--r-- permissions.
This could represent a security problem in a multi-user environment.
Indeed, any local user could access the Windows registry dump and get sensitive information, like passwords or other private data.
A local attacker could use a script to check every X seconds for the presence of a regxxxxxxx.tmp and copy it to his home directory for later analysis.
I have made some tests to reproduce this bug, running several applications, and I noted that it was possible to get information in
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
and
-------------------------------------------------------------------------------
[Software\Microsoft\Internet Account Manager\Accounts\00000008]
"Account Name"="libero.it"
"Connection Type"=dword:00000003
"POP3 Server"="pop3.libero.it"
"POP3 User Name"="xxxxxxx"
"POP3 Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"POP3 Prompt for Password"=dword:00000000
"SMTP Server"="mail.libero.it"
"SMTP Display Name"="xxxxxx"
"SMTP Email Address"="xxxxxx@libero.it"
"POP3 Skip Account"=dword:00000000
"POP3 Port"=dword:0000006e
"SMTP User Name"=""
"SMTP Password2"=hex:xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,xx,\
  xx,xx,xx,xx,xx,xx,xx,xx,xx,xx
"SMTP Use Sicily"=dword:00000000
"SMTP Prompt for Password"=dword:00000000
-------------------------------------------------------------------------------
where Outlook's encrypted passwords were stored.
Note that even if they are encrypted, they could be imported into the attacker's Windows registry, and so the attacker could gain illegal access to the victim's account.
I think that regxxxxxxx.tmp should be created with 0600 permissions.
Best regards,
Giovanni Delvecchio
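
The permission difference the report describes, as an added example that is not Wine's code and not part of the original report: a temporary file created with the umask-derived mode next to one created with mkstemp() and pinned to 0600. The function names and the /tmp/regdemo_* file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Weak pattern: requested mode 0666 is filtered only by the umask, so the
 * common umask 022 leaves the file -rw-r--r-- as described in the report. */
static int create_tmp_weak(const char *path)
{
    mode_t old = umask(022);   /* constructed: typical default umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    return fd;
}

/* Hardened pattern: mkstemp() picks an unpredictable name and creates it
 * with O_EXCL; fchmod() pins the mode to 0600 whatever the umask is. */
static int create_tmp_private(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

int main(void)
{
    char weak[64], priv[] = "/tmp/regdemo_XXXXXX";   /* hypothetical names */
    snprintf(weak, sizeof weak, "/tmp/regdemo_weak_%ld.tmp", (long)getpid());
    int a = create_tmp_weak(weak), b = create_tmp_private(priv);
    if (a < 0 || b < 0) return 1;
    printf("%s %04o\n%s %04o\n", weak, mode_of(weak), priv, mode_of(priv));
    close(a); close(b);
    unlink(weak); unlink(priv);
    return 0;
}
```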