Mail Archives: cygwin/2024/02/11/14:20:08

Message-ID: <b989b867-dade-4aaa-8598-d328d9ac6485@gmail.com>
Date: Sun, 11 Feb 2024 20:19:09 +0100
Subject: Re: MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking
Vulnerability in CygWin setup-x86_64.exe
To: cygwin AT cygwin DOT com
References: <CAK+bv_tLZMeXWQgKMaS2EZcq9LuBy=3JfYOPz6-Rq+2LqDbqWg AT mail DOT gmail DOT com>
<0b8c28c486475cf1868aea678779ee7a AT kylheku DOT com>
In-Reply-To: <0b8c28c486475cf1868aea678779ee7a@kylheku.com>
From: Csaba Ráduly via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Csaba Ráduly <rcsaba AT gmail DOT com>
Sender: "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com>

On 06/02/2024 23:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>>
>> The vulnerability pertains to not finding
>> the profapi.dll, CFGMGR32.dll, edputil.dll,  urlmon.dll, SspiCli.dll,
>> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
>> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
>> specifically profapi.dll. If exploited, this vulnerability could allow an
>> attacker to execute arbitrary code on a victim's machine, potentially
>> leading to data breaches, system compromise, and other malicious activities.
> By what means is setup.exe probing these DLLs?
>
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).

According to Dependency Walker, profapi.dll is a dependency of userenv.dll,
which in turn is a dependency of sechost.dll,
which in turn is a dependency of advapi32.dll.

I don't think setup-x86_64.exe has any say in how these dependencies are loaded.

Csaba

-- 
Life is complex, with real and imaginary parts.
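Kaz's `git grep` checks the source tree; the equivalent check on the built binary is to read its PE import directory, which lists only direct imports. The following is an added example, not code from this thread or from the Cygwin project: a stdlib-only Python parser for the PE import table, plus a constructed PE32+ fixture whose only direct imports are the DLLs passed in. A transitively loaded DLL such as profapi.dll never appears in that table, which is why the binary itself has no say in how such dependencies are resolved.

```python
import struct

def _rva_to_offset(rva, sections):
    # Map a relative virtual address to a file offset through the section table.
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def direct_imports(pe: bytes) -> list[str]:
    """DLL names from the import directory: the binary's own direct imports only."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]            # 0x20B = PE32+, 0x10B = PE32
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if magic == 0x20B else 96) + 8)[0]
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)[1:]
                for i in range(nsections)]                  # (VirtualAddress, SizeOfRawData, PointerToRawData)
    names = []
    if not imp_rva:                                         # no import directory at all
        return names
    desc = _rva_to_offset(imp_rva, sections)
    while True:
        name_rva = struct.unpack_from("<I", pe, desc + 12)[0]   # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                        # all-zero descriptor ends the table
            break
        off = _rva_to_offset(name_rva, sections)
        names.append(pe[off:pe.index(b"\0", off)].decode("ascii"))
        desc += 20                                               # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return names

def build_sample_pe(dll_names):
    # Constructed fixture (not a real binary): PE32+ with one .idata section holding an import table.
    names_start = 0x1000 + 20 * (len(dll_names) + 1)
    blob, rvas = b"", []
    for n in dll_names:
        rvas.append(names_start + len(blob))
        blob += n.encode() + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in rvas) + b"\0" * 20
    idata = descs + blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = (struct.pack("<H", 0x20B).ljust(120, b"\0") + struct.pack("<II", 0x1000, len(descs))).ljust(240, b"\0")
    sec = b".idata\0\0" + struct.pack("<IIII", len(idata), 0x1000, len(idata), 0x200) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + idata
```

Run `direct_imports(open("setup-x86_64.exe", "rb").read())` on a real build to see that advapi32.dll is listed while profapi.dll, userenv.dll and sechost.dll are not.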


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
