16 Nov
2007
16 Nov
'07
7:05 a.m.
On Nov 15, 2007 12:30 PM, Alex Ionescu <ionucu(a)videotron.ca> wrote:
"HCRYPTHASH hPrivate; /*CSP's handle -
Should not be given to application
under any circumstances!*/"
Are Wine people aware that DLLs load in the same address space as
applications? There is no way to protect this handle from the application
unless you store it in kernel-mode.
I am sure the guys working on this code now are aware of it.
That comment was written back in 2002 by someone I've never even hear of
so I expect it was a bit of a hack to get some application to work.
http://source.winehq.org/git/wine.git/?a=commit;h=e8273d60562acb5135c49e90d…
And I don't know what applications are using this functionality that they would
have had to implement it. I guess the Wine developers just don't care. I don't
really know anything about the context of this but I guess they figure it does
not really matter if its insecure as there are tons of other vectors
to exploit in
Wine and if something bypasses the traditional Unix security all is lost anyway.
I am not really qualified to comment on this. If you would like I will
ask Juan Lang
if he wants to implement it properly in Wine via a kernel module or something.
He has been the one recently working on crypto service providers and friends
so I can direct any questions you might have to him.
--
Steven Edwards
"There is one thing stronger than all the armies in the world, and
that is an idea whose time has come." - Victor Hugo