Mail Archives: cygwin/2016/01/07/11:54:16

X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=2.9 required=5.0 tests=AWL,BAYES_99,BAYES_999,EXECUTABLE_URI,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.2 spammy=cert, vulnerable, turning, sk:insight
X-HELO: mail-pa0-f50.google.com
X-Received: by 10.66.142.232 with SMTP id rz8mr153035781pab.74.1452185616206; Thu, 07 Jan 2016 08:53:36 -0800 (PST)
MIME-Version: 1.0
In-Reply-To: <EF7B6182B7C54BBAA5083C40EF14529D@W340>
References: <EF7B6182B7C54BBAA5083C40EF14529D AT W340>
From: Yucong Sun <sunyucong AT gmail DOT com>
Date: Fri, 8 Jan 2016 00:53:06 +0800
Message-ID: <CAJygYd17T4rarjmkucgRJiHxHncrqVsXeqW-ohn0ehADObjmMg@mail.gmail.com>
Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
To: cygwin AT cygwin DOT com
Cc: cygwin AT cygwin DOT org, security AT redhat DOT com
X-IsSubscribed: yes

Your emails could have been clearer; in any case, it seems the
easy/right solution is to add

SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)

to the exe?

On Wed, Jan 6, 2016 at 10:17 PM, Stefan Kanthak <stefan DOT kanthak AT nexgo DOT de> wrote:
> Second and last chance!
> See <http://home.arcor.de/skanthak/policy.html>
>
> ----- Original Message -----
> From: "Stefan Kanthak" <stefan DOT kanthak AT nexgo DOT de>
> To: <security AT cygwin DOT org>
> Cc: <security AT redhat DOT com>
> Sent: Monday, December 28, 2015 4:23 AM
> Subject: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
>
>
>> Hi,
>>
>> Cygwin's setup-x86.exe loads and executes UXTheme.dll
>> (on Windows XP also ClbCatQ.dll) and more from its
>> "application directory".
>>
>> For software downloaded with a web browser the application
>> directory is typically the user's "Downloads" directory: see
>> <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
>> <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
>> and <http://seclists.org/fulldisclosure/2012/Aug/134>
>>
>> If UXTheme.dll (or one of the other DLLs) gets planted in
>> the user's "Downloads" directory per "drive-by download" or
>> "social engineering" this vulnerability becomes a remote code
>> execution.
>>
>> If setup-x86.exe is NOT started with --no-admin the vulnerability
>> results in an escalation of privilege too!
>>
>>
>> Proof of concept/demonstration:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
>>   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
>>   it as UXTheme.dll in your "Downloads" directory;
>>
>> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;
>>
>> 3. download setup-x86.exe and save it in your "Downloads" directory;
>>
>> 4. execute setup-x86.exe from your "Downloads" directory;
>>
>> 5. notice the message boxes displayed from UXTheme.dll placed in
>>   step 1 (and ClbCatQ.dll placed in step 2).
>>
>> PWNED!
>>
>> 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
>>   also as PSAPI.dll and WS2_32.dll);
>>
>> 7. rerun setup-x86.exe from your "Downloads" directory.
>>
>> DOSSED!
>>
>> 8. turning the denial of service into an arbitrary (remote) code
>>   execution is trivial: just add the SINGLE entry (PSAPI.dll:
>>   EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
>>   referenced from setup-x86.exe to a rogue DLL of your choice.
>>
>> PWNED again!
>>
>>
>> See <http://seclists.org/fulldisclosure/2015/Nov/101>,
>> <http://seclists.org/fulldisclosure/2015/Dec/86> and
>> <http://seclists.org/fulldisclosure/2015/Dec/121> plus
>> <http://home.arcor.de/skanthak/!execute.html> and
>> <http://home.arcor.de/skanthak/sentinel.html> for details about
>> this well-known and well-documented BEGINNER'S error!
>>
>>
>> Then dump your vulnerable executable installer and provide a SAFE
>> installer instead: either .MSI or .INF (plus .CAB).
>>
>>
>> I'll publish in 45 days.
>> See <http://home.arcor.de/skanthak/policy.html> and return the
>> CVE identifier assigned for this vulnerability to me!
>>
>>
>> regards
>> Stefan Kanthak
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
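As an added illustration for defenders (not code from either poster or from the Cygwin project), the script below scans a directory for DLLs carrying the names from the report above that sit beside an installer, and compares each against the System32 copy and its Authenticode status; the scan path and the watchlist are assumptions you can adjust.

```powershell
# Added example: flag DLLs planted next to downloaded installers.
# Watchlist = the DLL names named in the report above (assumption: they are the ones worth checking here).
$Watchlist = @('uxtheme.dll', 'clbcatq.dll', 'wsock32.dll', 'psapi.dll', 'ws2_32.dll')
# Assumption: the browser's download directory is the application directory in question.
$ScanPath  = Join-Path $env:USERPROFILE 'Downloads'

function Find-PlantedDll {
    param([string]$Path, [string[]]$Names)
    # A DLL in this directory only matters if an executable will be started from it.
    $exes = Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction SilentlyContinue
    if (-not $exes) { return @() }
    Get-ChildItem -Path $Path -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name.ToLowerInvariant() } |
        ForEach-Object {
            # Reference copy: System32 (for a 32-bit installer on 64-bit Windows, SysWOW64 is the relevant copy).
            $sys = Join-Path $env:SystemRoot ('System32\' + $_.Name)
            $hasSys = Test-Path $sys
            [pscustomobject]@{
                Dll        = $_.FullName
                SystemCopy = $hasSys
                # An identical hash means a stray but genuine copy; a different hash is a planting candidate.
                SameHash   = if ($hasSys) { (Get-FileHash $_.FullName).Hash -eq (Get-FileHash $sys).Hash } else { $false }
                Signature  = (Get-AuthenticodeSignature $_.FullName).Status
                Installers = ($exes.Name -join ', ')
            }
        }
}

Find-PlantedDll -Path $ScanPath -Names $Watchlist | Format-Table -AutoSize
```

SetDefaultDllDirectories only governs loads made after it is called; DLLs listed in the import table, such as the WSock32/PSAPI/WS2_32 entries named above, are resolved by the loader before the entry point runs, so the suggested one-liner does not cover those and a scan like this remains useful.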
