Mail Archives: cygwin/2024/02/05/00:22:57

Suman Chakraborty via Cygwin <cygwin AT cygwin DOT com> · Mon, 5 Feb 2024 10:52:18 +0530

Hey Cygwin Team,

I hope this email finds you well. As an independent security researcher, I
often explore open-source projects to identify and report potential
security vulnerabilities. During my recent exploration of Cygwin, I came
across a critical vulnerability in setup-x86_64.exe
<https://cygwin.com/setup-x86_64.exe> that I believe warrants your
immediate attention.

1. Executive Summary:

The vulnerability pertains to not finding
the profapi.dll, CFGMGR32.dll, edputil.dll,  urlmon.dll, SspiCli.dll,
Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
specifically profapi.dll. If exploited, this vulnerability could allow an
attacker to execute arbitrary code on a victim's machine, potentially
leading to data breaches, system compromise, and other malicious activities.

2. Details of the Vulnerability:

Type: DLL Hijacking
Affected Component:  profapi.dll, CFGMGR32.dll, edputil.dll,  urlmon.dll,
SspiCli.dll, Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll,
CRYPTBASE.DLL, PROPSYS.dll
Impact: Remote Code Execution, Data Theft or
Manipulation, Persistence, Bypassing Security Mechanisms, Spreading Malware.
Description: The application attempts to load profapi.dll from its current
working directory (CWD). If a malicious version of test.dll is present in
the CWD, the application will inadvertently load and execute the malicious
DLL.

3. Proof of Concept:

I've attached a proof of concept to this email, demonstrating the
vulnerability in action. Please review it to understand the potential
impact and exploitability.
The link is given below:
POC Video:
https://drive.google.com/file/d/11rBPnImiZS-CEwPM9eBlU6GSHjHYD2ns/view?usp=sharing
This is a POC video for profapi.dll. All other DLLs are hijacked in similar
method

4. Conclusion:
The identified DLL Hijacking vulnerability poses a significant risk to
users of Cygwin during the installation and executing the setup-x86_64.exe
<https://cygwin.com/setup-x86_64.exe>. I urge you to address this issue
promptly. I'm available for any further clarification or assistance in
addressing the vulnerability

Thank you for your attention to this matter, and I appreciate the hard work
you put into maintaining and improving open-source projects for the
community.Best regards,
Submitted by:
Suman Kumar Chakraborty
LinkedIn:https://www.linkedin.com/in/suman-chakraborty-b857901b1/

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

X-Recipient:	archive-cygwin AT delorie DOT com
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 40813385841B
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1707110575;
	bh=L4QCuGnIbs1PmH3jdyIYrN3Lv/qR5KQrdQme/oAfDJE=;
	h=Date:Subject:To:List-Id:List-Unsubscribe:List-Archive:List-Post:
	List-Help:List-Subscribe:From:Reply-To:From;
	b=pyylMYZfOUyYtTPWhLDFWJYaYDTWkiwfAzstpNgYfr98BEvYAv9jLNZx0nv0Sk2w+
	/rmAgzJ0eVasYC0vJntWI68BZsOtvttwamb4+kjzIfg4sR43mUmO7QDvMajxZpmcPE
	NPp4qK3HMe/8a06G4VH0KrNKalyNufjdlEz2wYvY=
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.4.2 sourceware.org E8B783858CDB
ARC-Filter:	OpenARC Filter v1.0.0 sourceware.org E8B783858CDB
ARC-Seal:	i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707110553; cv=none;
	b=uBe/PDcoOeglNoPKJrirAXr14S+SzM1E6IxZtzkQ9DlWrTOH0WNtAOaiTVchlSKBCGyuA4Liq+dEoiKwQOpIjcL10DOtQiyNV5BWXexKB5DZ6PfBihjQgoJJ8BV8uDaz6s/sxoJ2Ipo6ywQh2ACGFFj3Gb6h5bgfkKWsTWkHdEM=
ARC-Message-Signature:	i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1707110553; c=relaxed/simple;
	bh=RKolRjpNi7Bo/9VIFiwDZZV5oYbilPN/il7C5Q8OnSM=;
	h=DKIM-Signature:MIME-Version:From:Date:Message-ID:Subject:To;
	b=Kh5MyMSo3MSRy3QyfRUdw9pJ0aBPpZOyunEUGmudNji1z5AbFp3HZKS/yqrze1+6r4PZdVTiZ85zdBz5xUJCMMDs5gCvmymuiVpd7+Z6b0zFPQEgYxrp42v6kxYTV5Ys8mflLHsaPU7NfZFn8o6Q3fBMyaPBenKfIy/vkh26qhY=
ARC-Authentication-Results:	i=1; server2.sourceware.org
X-Google-DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20230601; t=1707110550; x=1707715350;
	h=to:subject:message-id:date:from:mime-version:x-gm-message-state
	:from:to:cc:subject:date:message-id:reply-to;
	bh=rUtR9PSz+RB0wVDXSALu0aATpX1OZHhV0joFspCP1PA=;
	b=wRVZvqEFlN/KKhT2z6LJg3wjOggmkMCWgjndjhx3I4dj6ztDr1gy1vUeF5dykLqckU
	GVB9Qpva8pIQ4GZ/oA5ISqymdCS+1wELUhY0ergBYWdTQtuuvjutb3k/OZkiEyFyr55a
	IQ/1ASESX36dSMgNiV1axqQdMPDrXOjpCAnQzW4jHMwumUN+pr/bXqS+ze4/JPEFlVeB
	htOmZpuPU6YiIxRKotSitE2hq26s4LxL3z5YS+pvAgjGYYlsgtHeKy1YF7AG+FjK/cb3
	k/GLkbgHELF6RyTrYvOdDbauFb4jHG5tWHw5VkVI4e4T+M2IQNKpJtWe9qgZrHks8Sb6
	oG7A==
X-Gm-Message-State:	AOJu0YxWS/3d5LSDgQ6S50bfPFlFOSAoInH3BdDkBVpcBR/I9lczzUUI
	a0gokwnqQROlnUw2RB/aeO33+wHTTG3h5fKb2bUHX6xcZFjdiMu9ioL4dmKG/qrFIqogKnf18ut
	zUio/+tZ1VLjHCu49KuUUqTZgREINzXLeew==
X-Google-Smtp-Source:	AGHT+IFNYL1t0animtyNPDME4YReZ88FDXYsvV7DWDUJ7TUrL3OvOtjmPvoPUFy2UIvf11b4s+H0heP6zMj0oj0+PHk=
X-Received:	by 2002:a0d:e8cc:0:b0:604:135f:f765 with SMTP id
	r195-20020a0de8cc000000b00604135ff765mr11562831ywe.43.1707110549807; Sun, 04
	Feb 2024 21:22:29 -0800 (PST)
MIME-Version:	1.0
Date:	Mon, 5 Feb 2024 10:52:18 +0530
Message-ID:	<CAK+bv_tLZMeXWQgKMaS2EZcq9LuBy=3JfYOPz6-Rq+2LqDbqWg@mail.gmail.com>
Subject:	MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability
	in CygWin setup-x86_64.exe
To:	cygwin AT cygwin DOT com
X-Spam-Status:	No, score=3.7 required=5.0 tests=BAYES_50, DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_ENVFROM_END_DIGIT,
	FREEMAIL_FROM, HTML_MESSAGE, KAM_EXEURI, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,
	SPF_PASS, TXREP,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
X-Spam-Level:	***
X-Spam-Checker-Version:	SpamAssassin 3.4.6 (2021-04-09) on
	server2.sourceware.org
X-Content-Filtered-By:	Mailman/MimeDel 2.1.30
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.30
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<https://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From:	Suman Chakraborty via Cygwin <cygwin AT cygwin DOT com>
Reply-To:	Suman Chakraborty <chakrabortysuman487 AT gmail DOT com>
Sender:	"Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com>

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019