Mail Archives: cygwin/2024/02/06/23:54:15

Message-ID: <eb643586-ed1a-4c0f-b6af-0d7d8afc7e65@SystematicSW.ab.ca>
Date: Tue, 6 Feb 2024 21:53:47 -0700
Subject: Re: MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe
To: cygwin AT cygwin DOT com
References: <CAK+bv_tLZMeXWQgKMaS2EZcq9LuBy=3JfYOPz6-Rq+2LqDbqWg AT mail DOT gmail DOT com>
<0b8c28c486475cf1868aea678779ee7a AT kylheku DOT com>
Organization: Systematic Software
In-Reply-To: <0b8c28c486475cf1868aea678779ee7a@kylheku.com>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca>

On 2024-02-06 15:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>>
>> The vulnerability pertains to not finding
>> the profapi.dll, CFGMGR32.dll, edputil.dll,  urlmon.dll, SspiCli.dll,
>> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
>> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
>> specifically profapi.dll. If exploited, this vulnerability could allow an
>> attacker to execute arbitrary code on a victim's machine, potentially
>> leading to data breaches, system compromise, and other malicious activities.
> 
> By what means is setup.exe probing these DLLs?
> 
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).
> 
> If these DLLs being missing doesn't stop the program from running,
> doesn't that mean it's just probing for them with LoadLibrary or
> LoadLibraryEx explicitly, and then handling the failure gracefully?
> 
> Setup itself doesn't use LoadLibrary or LoadLibraryEx.
> 
> The MinGW toolchain must be introducing that somehow?
> 
> It is curious.

Could be any one of the proprietary DLLs pulled into Cygwin Setup:

$ upx -dqqqot ~/mirror/x86_64/setup-x86_64.exe
$ grep -ao '%%%\ssetup-version\s[0-9]\+\.[0-9]\+' t
%%% setup-version 2.929
$ cygcheck ./t
...\t
   C:\WINDOWS\system32\KERNEL32.DLL
     C:\WINDOWS\system32\ntdll.dll
     C:\WINDOWS\system32\KERNELBASE.dll
   C:\WINDOWS\system32\ADVAPI32.dll
     C:\WINDOWS\system32\msvcrt.dll
     C:\WINDOWS\system32\SECHOST.dll
       C:\WINDOWS\system32\RPCRT4.dll
   C:\WINDOWS\system32\COMCTL32.dll
     C:\WINDOWS\system32\GDI32.dll
       C:\WINDOWS\system32\win32u.dll
     C:\WINDOWS\system32\USER32.dll
   C:\WINDOWS\system32\ole32.dll
     C:\WINDOWS\system32\combase.dll
   C:\WINDOWS\system32\PSAPI.DLL
   C:\WINDOWS\system32\SHELL32.dll
     C:\WINDOWS\system32\msvcp_win.dll
   C:\WINDOWS\system32\SHLWAPI.dll
   C:\WINDOWS\system32\WININET.dll
   C:\WINDOWS\system32\WS2_32.dll

OP:
Which version and date of setup-x86_64.exe are you checking?
Do you have any A/V or EPP installed on your system which could be injecting 
these interlopers into the call chain?

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
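The static import tree that cygcheck prints is the natural place to start checking the report's DLL list: a name that does not appear anywhere in that tree cannot be a load-time import of setup, so (as Kaz reasons above) it is either loaded at runtime or brought in by something outside setup itself. This added example, not code from the Cygwin project or from anyone in the thread, parses a cygcheck tree and classifies each reported DLL; the cygcheck text is a constructed sample in the format shown in the post, and the reported names are those quoted from the report.

```python
"""Classify reported DLL names against a cygcheck dependency tree (added example)."""
import ntpath

# Constructed sample of `cygcheck ./t` output: each dependency is indented two
# spaces deeper than the module that imports it.
CYGCHECK_OUTPUT = """\
...\\t
   C:\\WINDOWS\\system32\\KERNEL32.DLL
     C:\\WINDOWS\\system32\\ntdll.dll
     C:\\WINDOWS\\system32\\KERNELBASE.dll
   C:\\WINDOWS\\system32\\ADVAPI32.dll
     C:\\WINDOWS\\system32\\msvcrt.dll
   C:\\WINDOWS\\system32\\SHELL32.dll
   C:\\WINDOWS\\system32\\WININET.dll
"""

# DLL names as listed in the report quoted at the top of the thread.
REPORTED = ["profapi.dll", "CFGMGR32.dll", "edputil.dll", "urlmon.dll",
            "SspiCli.dll", "Wldp.dll", "MPR.dll", "ServicingCommon.dll",
            "TextShaping.dll", "CRYPTBASE.DLL", "PROPSYS.dll"]


def parse_cygcheck(text):
    """Return {dll_name_lower: shallowest depth}; depth 1 = setup's own imports."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    deps = lines[1:]  # the first line is the executable itself
    if not deps:
        return {}
    base = len(deps[0]) - len(deps[0].lstrip())  # indent of the first-level imports
    tree = {}
    for line in deps:
        indent = len(line) - len(line.lstrip())
        depth = (indent - base) // 2 + 1
        name = ntpath.basename(line.strip()).lower()  # ntpath handles backslashes anywhere
        tree[name] = min(tree.get(name, depth), depth)  # a DLL may recur at several depths
    return tree


def classify(reported, tree):
    """Map each reported DLL to how (if at all) the static import tree reaches it."""
    result = {}
    for dll in reported:
        depth = tree.get(dll.lower())
        if depth is None:
            result[dll] = "not in static import tree"  # runtime load or injected: investigate
        elif depth == 1:
            result[dll] = "direct import"
        else:
            result[dll] = "transitive import (depth %d)" % depth
    return result


if __name__ == "__main__":
    for dll, verdict in classify(REPORTED, parse_cygcheck(CYGCHECK_OUTPUT)).items():
        print("%-20s %s" % (dll, verdict))
```

Run against the real `cygcheck` output of the exact setup build in question; on the sample above every reported name lands in the "not in static import tree" bucket, which is what makes the reporter's environment (A/V or EPP hooks, as Brian asks) the next thing to check.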
