Mail Archives: cygwin/2024/02/06/17:11:57

Date: Tue, 06 Feb 2024 14:10:39 -0800
To: Suman Chakraborty <chakrabortysuman487 AT gmail DOT com>
Cc: cygwin AT cygwin DOT com
Subject: Re: MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking
Vulnerability in CygWin setup-x86_64.exe
In-Reply-To: <CAK+bv_tLZMeXWQgKMaS2EZcq9LuBy=3JfYOPz6-Rq+2LqDbqWg@mail.gmail.com>
References: <CAK+bv_tLZMeXWQgKMaS2EZcq9LuBy=3JfYOPz6-Rq+2LqDbqWg AT mail DOT gmail DOT com>
User-Agent: Roundcube Webmail/1.4.15
Message-ID: <0b8c28c486475cf1868aea678779ee7a@kylheku.com>
From: Kaz Kylheku via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Kaz Kylheku <kaz AT kylheku DOT com>

On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote: 
> 1. Executive Summary:
> 
> The vulnerability pertains to not finding
> the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll,
> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
> specifically profapi.dll. If exploited, this vulnerability could allow an
> attacker to execute arbitrary code on a victim's machine, potentially
> leading to data breaches, system compromise, and other malicious activities.

By what means is setup.exe probing these DLLs?

I don't see any references to profapi.dll in its source tree
(git grep -i profapi turns up nothing).

If these DLLs being missing doesn't stop the program from running,
doesn't that mean it's just probing for them with LoadLibrary or
LoadLibraryEx explicitly, and then handling the failure gracefully?

Setup itself doesn't use LoadLibrary or LoadLibraryEx.

The MinGW toolchain must be introducing that somehow?

It is curious.

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
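The question raised in the reply (by what means does setup.exe probe these DLLs?) can be narrowed down statically from the binary's import table: a DLL named there is resolved by the Windows loader at process start; a DLL not named there, in an image that imports LoadLibrary/LoadLibraryEx, may be probed by name at run time; a DLL that is neither is being loaded by one of the program's dependencies rather than by the program itself. The following is an added example, not code from this thread or from the Cygwin setup source. It parses the PE import directory directly (no pefile dependency) and, because the real setup-x86_64.exe is not on the page, builds a constructed sample image whose DLL and function names are illustrative only.

```python
"""Static check of a PE file's import table: which DLLs does it link against,
and does it import LoadLibrary* (so it could load further DLLs by name)?"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
LOADLIBRARY_FAMILY = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def _cstr(data, off):
    """NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def _headers(data):
    """Return (pe32plus, import_dir_rva, sections); a section is (va, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: data directories start 112 bytes into the optional header
        plus, dd_off = True, opt + 112
    elif magic == 0x10B:    # PE32: data directories start at 96
        plus, dd_off = False, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    imp_rva = struct.unpack_from("<I", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):   # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return plus, imp_rva, sections


def _rva_to_off(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x not in any section" % rva)


def imports(data):
    """Map lower-cased DLL name -> imported function names ('ordinal#N' for by-ordinal imports)."""
    plus, imp_rva, sections = _headers(data)
    result = {}
    if imp_rva == 0:
        return result
    desc = _rva_to_off(sections, imp_rva)
    thunk_size, fmt = (8, "<Q") if plus else (4, "<I")
    ordinal_flag = 1 << (thunk_size * 8 - 1)
    while True:  # IMAGE_IMPORT_DESCRIPTOR list, terminated by an all-zero entry
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        funcs = []
        t = _rva_to_off(sections, oft or ft)  # import lookup table, or the IAT if there is none
        while True:
            entry = struct.unpack_from(fmt, data, t)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                funcs.append(_cstr(data, _rva_to_off(sections, entry & 0x7FFFFFFF) + 2))
            t += thunk_size
        result[_cstr(data, _rva_to_off(sections, name_rva)).lower()] = funcs
        desc += 20
    return result


def classify_dll(data, dll):
    """'static': in the import table. 'dynamic-capable': not imported, but the image imports
    LoadLibrary*, so it may probe for the DLL by name. 'not referenced': neither, so a probe
    seen in a trace comes from a dependency of the program, not the program itself."""
    imp = imports(data)
    if dll.lower() in imp:
        return "static"
    if any(f in LOADLIBRARY_FAMILY for fs in imp.values() for f in fs):
        return "dynamic-capable"
    return "not referenced"


def build_sample_pe(import_map, pe32plus=True):
    """Constructed sample: a minimal, non-runnable PE image with a single .idata section."""
    sec_va, sec_raw, fmt = 0x1000, 0x400, ("<Q" if pe32plus else "<I")
    n, blob, descs = len(import_map), bytearray(20 * (len(import_map) + 1)), []
    for dll, funcs in import_map.items():
        names = []
        for f in funcs:
            names.append(sec_va + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0" * (2 - len(f) % 2)
        ilt = sec_va + len(blob)
        blob += b"".join(struct.pack(fmt, r) for r in names) + struct.pack(fmt, 0)
        iat = sec_va + len(blob)
        blob += b"".join(struct.pack(fmt, r) for r in names) + struct.pack(fmt, 0)
        descs.append((ilt, sec_va + len(blob), iat))
        blob += dll.encode() + b"\0"
    for i, (ilt, name_rva, iat) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, ilt, 0, 0, name_rva, iat)
    opt_size, dd = (240, 112) if pe32plus else (224, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<II", opt, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_va, 20 * (n + 1))
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0)
    sec = b".idata".ljust(8, b"\0") + struct.pack("<IIII", len(blob), sec_va, len(blob), sec_raw) + bytes(16)
    hdr = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes((hdr + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + blob)


if __name__ == "__main__":
    sample = build_sample_pe({"KERNEL32.dll": ["GetProcAddress", "LoadLibraryW"],
                              "ADVAPI32.dll": ["RegOpenKeyExW"]})
    for dll in ("advapi32.dll", "profapi.dll"):
        print(dll, "->", classify_dll(sample, dll))
    # On a real binary: classify_dll(open("setup-x86_64.exe", "rb").read(), "profapi.dll")
```

The static check is a hint, not proof: a DLL can also be loaded indirectly (via GetProcAddress on LoadLibrary, delay-load descriptors, or COM activation), and a "NAME NOT FOUND" probe in a Process Monitor trace for a DLL the program never references itself usually originates in a system DLL further down the dependency chain, which the trace's stack column will show. The interesting case for a hijack claim is a probe that originates in the program's own code and walks an attacker-writable directory first.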

  Copyright © 2019   by DJ Delorie     Updated Jul 2019