Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <EF7B6182B7C54BBAA5083C40EF14529D@W340>
From: "Stefan Kanthak" <stefan DOT kanthak AT nexgo DOT de>
To: <cygwin AT cygwin DOT com>, <cygwin AT cygwin DOT org>
Cc: <security AT redhat DOT com>
Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
Date: Wed, 6 Jan 2016 15:17:30 +0100
MIME-Version: 1.0
Second and last chance!
See <http://home.arcor.de/skanthak/policy.html>

----- Original Message -----
From: "Stefan Kanthak" <stefan DOT kanthak AT nexgo DOT de>
To: <security AT cygwin DOT org>
Cc: <security AT redhat DOT com>
Sent: Monday, December 28, 2015 4:23 AM
Subject: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory


> Hi,
>
> Cygwin's setup-x86.exe loads and executes UXTheme.dll
> (on Windows XP also ClbCatQ.dll) and more from its
> "application directory".
>
> For software downloaded with a web browser the application
> directory is typically the user's "Downloads" directory: see
> <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
> <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
> and <http://seclists.org/fulldisclosure/2012/Aug/134>
>
> If UXTheme.dll (or one of the other DLLs) gets planted in
> the user's "Downloads" directory per "drive-by download" or
> "social engineering" this vulnerability becomes a remote code
> execution.
>
> If setup-x86.exe is NOT started with --no-admin the vulnerability
> results in an escalation of privilege too!
>
>
> Proof of concept/demonstration:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
>    <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
>    it as UXTheme.dll in your "Downloads" directory;
>
> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;
>
> 3. download setup-x86.exe and save it in your "Downloads" directory;
>
> 4. execute setup-x86.exe from your "Downloads" directory;
>
> 5. notice the message boxes displayed from UXTheme.dll placed in
>    step 1 (and ClbCatQ.dll placed in step 2).
>
> PWNED!
>
> 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
>    also as PSAPI.dll and WS2_32.dll);
>
> 7. rerun setup-x86.exe from your "Downloads" directory.
>
> DOSSED!
>
> 8. turning the denial of service into an arbitrary (remote) code
>    execution is trivial: just add the SINGLE entry (PSAPI.dll:
>    EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
>    referenced from setup-x86.exe to a rogue DLL of your choice.
>
> PWNED again!
>
>
> See <http://seclists.org/fulldisclosure/2015/Nov/101>,
> <http://seclists.org/fulldisclosure/2015/Dec/86> and
> <http://seclists.org/fulldisclosure/2015/Dec/121> plus
> <http://home.arcor.de/skanthak/!execute.html> and
> <http://home.arcor.de/skanthak/sentinel.html> for details about
> this well-known and well-documented BEGINNER'S error!
>
>
> Then dump your vulnerable executable installer and provide a SAFE
> installer instead: either .MSI or .INF (plus .CAB).
>
>
> I'll publish in 45 days.
> See <http://home.arcor.de/skanthak/policy.html> and return the
> CVE identifier assigned for this vulnerability to me!
>
>
> regards
> Stefan Kanthak

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
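The condition the report above describes, a DLL planted in the same directory as a downloaded installer so that the loader picks it up instead of the copy in System32, can be hunted for on a workstation before an installer is run. The script below is an added example for that check; it is not part of the original post and not Cygwin's code. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and that the directory to scan is the current user's Downloads folder unless another path is given. The DLL names it treats as especially interesting are the ones named in the report (UXTheme.dll, ClbCatQ.dll, WSock32.dll, PSAPI.dll, WS2_32.dll); every other DLL is flagged only if it shares its name with a DLL that ships in System32.

```powershell
# Added example (not from the original post or from Cygwin).
# Report DLL files in a download directory that shadow a System32 DLL name,
# together with the executables sitting next to them that could load them.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

function Find-PlantedDll {
    [CmdletBinding()]
    param(
        # Directory to scan; defaults to the current user's Downloads folder (assumption).
        [string]$ScanDirectory = (Join-Path $env:USERPROFILE 'Downloads')
    )

    # Case-insensitive set of DLL names that the OS ships in System32.
    $systemDllNames = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$systemDllNames.Add($_.Name) }

    # DLL names the report above says setup-x86.exe resolves from its own directory.
    $namesFromReport = @('UXTheme.dll', 'ClbCatQ.dll', 'WSock32.dll', 'PSAPI.dll', 'WS2_32.dll')

    foreach ($dll in Get-ChildItem -Path $ScanDirectory -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
        $shadowsSystemDll = $systemDllNames.Contains($dll.Name)
        $namedInReport    = $namesFromReport -contains $dll.Name   # -contains is case-insensitive
        if (-not ($shadowsSystemDll -or $namedInReport)) { continue }

        # Executables in the same directory are the ones that would resolve this DLL first.
        $neighbours = Get-ChildItem -Path $dll.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name

        # Authenticode status helps triage: a planted DLL is rarely validly signed,
        # while a genuine system DLL copied here by mistake usually is.
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName

        [pscustomobject]@{
            Path             = $dll.FullName
            ShadowsSystemDll = $shadowsSystemDll
            NamedInReport    = $namedInReport
            SignatureStatus  = $sig.Status
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SizeBytes        = $dll.Length
            LastWriteTime    = $dll.LastWriteTime
            ExeNeighbours    = ($neighbours -join ', ')
        }
    }
}

# Usage: scan the default directory and summarise.
$findings = @(Find-PlantedDll)
if ($findings.Count -gt 0) {
    $findings | Format-List
    $msg = "{0} DLL(s) found that an installer run from the same directory could load. " +
           "Move the installer to an empty directory before running it, or remove the DLLs."
    Write-Warning ($msg -f $findings.Count)
} else {
    Write-Host 'No DLLs shadowing System32 names were found.'
}
```

Run it as the user whose Downloads folder is in question; no elevation is needed for the scan itself. A finding with `SignatureStatus` of `NotSigned` and a recent `LastWriteTime` next to an installer is the case worth investigating, whereas a validly signed vendor DLL is more likely a stray copy. On the developer side, a mitigation the post does not mention but which addresses the same loader behaviour is to restrict the DLL search path at process start with `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` or `SetDllDirectory("")`, so that DLLs are no longer resolved from the application directory.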
Copyright © 2019 by DJ Delorie. Updated Jul 2019.