Mailing-List: | contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm |
List-Subscribe: | <mailto:cygwin-subscribe AT sources DOT redhat DOT com> |
List-Archive: | <http://sources.redhat.com/ml/cygwin/> |
List-Post: | <mailto:cygwin AT sources DOT redhat DOT com> |
List-Help: | <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs> |
Sender: | cygwin-owner AT sources DOT redhat DOT com |
Delivered-To: | mailing list cygwin AT sources DOT redhat DOT com |
Subject: | RE: The security of OpenSSH with cygwin. |
Date: | Tue, 22 May 2001 11:35:07 +1000 |
MIME-Version: | 1.0 |
Message-ID: | <EA18B9FA0FE4194AA2B4CDB91F73C0EF79E8@itdomain002.itdomain.net.au> |
Thread-Topic: | The security of OpenSSH with cygwin. |
From: | "Robert Collins" <robert DOT collins AT itdomain DOT com DOT au> |
To: | <joetesta AT hushmail DOT com> |
Cc: | <cygwin AT cygwin DOT com> |
Joe,

Have you looked up the thread I referred you to? It explained the issue. IN DETAIL.

> > Right. I cannot emphasize strongly enough that Cygwin is NOT A SECURE
> > ENVIRONMENT. Do NOT trust it with sensitive data. It is trivially
> > easy to hack.
> >
> > cgf
>
> My Windows programming days ended awhile ago, so pardon me if this is
> incorrect or doesn't make sense.
>
> Under Windows 9x and Millennium, there is no (respectable) security
> model, ....

Correct.

> Now this brings me to another question: what does this mean in Windows
> NT/2000? I have no experience with these operating systems, but here's
> what I dare to assume: the security model would disallow this
> inter-process mingling.

Please don't assume without at least reading the references you are given. That wastes your time and ours. No-one said _anything_ about the security model being the issue - they said that Cygwin AS IT IS IMPLEMENTED TODAY has KNOWN PROBLEMS resulting in TRIVIAL HACKS.

Please read the thread I referred you to. It explains the particular issue I mentioned. A thumbnail sketch is that
1) if you have access to duplicate a handle from a process and
2) that process has a handle to itself with full rights (the default behaviour)
3) a simple brute force attack will get you a handle to the process with full rights, which lets you write into that process's memory space.

> Are there any other issues, proven or otherwise, that anyone is aware of?

I don't have a canonical list. Use the source Joe.

For your stated purpose, (ssh + cygwin), via the stated attack above if I can run a custom , or via bash appropriate shellcode I can get memory write access to any cygwin linked process. If that process happens to be running as SYSTEM or an administrator access account, then injecting custom code into that will pretty much open the door to anything.

Rob

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
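
The two preconditions in the thumbnail sketch above (other users may duplicate handles from the process, and the process holds a handle to itself with full rights) can be checked for in an audit. This is an added example, not code from the original message or from Cygwin; the record layouts, the sample data and the function name audit are hypothetical, and only the access-right constants are real Windows values.

```c
#include <stdio.h>
#include <stddef.h>
/* Windows process access-right bits (values as defined in winnt.h). */
#define PROCESS_VM_OPERATION 0x0008u
#define PROCESS_VM_WRITE     0x0020u
#define PROCESS_DUP_HANDLE   0x0040u
#define MEM_WRITE (PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
/* Hypothetical snapshot records; a real audit would fill them from the OS.
 * others_access: rights the process ACL grants to other, unprivileged users. */
struct proc { unsigned pid; const char *name; unsigned others_access; };
struct phandle { unsigned owner_pid, target_pid, access; };
/* Constructed sample data, not taken from a real system. */
static const struct proc sample_procs[] = {
    { 1204, "sshd.exe", PROCESS_DUP_HANDLE }, /* meets conditions 1 and 2 */
    { 1310, "bash.exe", 0 },                  /* others cannot duplicate */
    { 1422, "svc.exe",  PROCESS_DUP_HANDLE }, /* self handle is query-only */
};
static const struct phandle sample_handles[] = {
    { 1204, 1204, 0x1F0FFFu },  /* full-rights handle to itself */
    { 1310, 1310, 0x1F0FFFu },
    { 1422, 1422, 0x0400u },    /* PROCESS_QUERY_INFORMATION only */
};

/* Writes the pids meeting both conditions to flagged[]; returns the count. */
static int audit(const struct proc *p, size_t np,
                 const struct phandle *h, size_t nh, unsigned *flagged)
{
    int count = 0;
    for (size_t i = 0; i < np; i++) {
        if (!(p[i].others_access & PROCESS_DUP_HANDLE))
            continue;                         /* condition 1 not met */
        for (size_t j = 0; j < nh; j++) {
            int self = h[j].owner_pid == p[i].pid && h[j].target_pid == p[i].pid;
            if (self && (h[j].access & MEM_WRITE) == MEM_WRITE) {
                flagged[count++] = p[i].pid;  /* condition 2 met */
                break;
            }
        }
    }
    return count;
}

int main(void)
{
    unsigned flagged[3];
    int n = audit(sample_procs, 3, sample_handles, 3, flagged);
    for (int i = 0; i < n; i++)
        printf("pid %u: duplicable full-rights self handle\n", flagged[i]);
    return 0;
}
```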