MIME-Version: 1.0
Date: Mon, 5 Feb 2024 10:52:18 +0530
Message-ID: <CAK+bv_tLZMeXWQgKMaS2EZcq9LuBy=3JfYOPz6-Rq+2LqDbqWg@mail.gmail.com>
Subject: MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability
 in CygWin setup-x86_64.exe
To: cygwin@cygwin.com
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Suman Chakraborty via Cygwin <cygwin@cygwin.com>
Reply-To: Suman Chakraborty <chakrabortysuman487@gmail.com>

Hey Cygwin Team,

I hope this email finds you well. As an independent security researcher, I
often explore open-source projects to identify and report potential
security vulnerabilities. During my recent exploration of Cygwin, I came
across a critical vulnerability in setup-x86_64.exe
<https://cygwin.com/setup-x86_64.exe> that I believe warrants your
immediate attention.

1. Executive Summary:

The vulnerability pertains to not finding
the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll,
Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
specifically profapi.dll. If exploited, this vulnerability could allow an
attacker to execute arbitrary code on a victim's machine, potentially
leading to data breaches, system compromise, and other malicious activities.

2. Details of the Vulnerability:

Type: DLL Hijacking
Affected Component: profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll,
SspiCli.dll, Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll,
CRYPTBASE.DLL, PROPSYS.dll
Impact: Remote Code Execution, Data Theft or
Manipulation, Persistence, Bypassing Security Mechanisms, Spreading Malware.
Description: The application attempts to load profapi.dll from its current
working directory (CWD). If a malicious version of test.dll is present in
the CWD, the application will inadvertently load and execute the malicious
DLL.

3. Proof of Concept:

I've attached a proof of concept to this email, demonstrating the
vulnerability in action. Please review it to understand the potential
impact and exploitability.
The link is given below:
POC Video:
https://drive.google.com/file/d/11rBPnImiZS-CEwPM9eBlU6GSHjHYD2ns/view?usp=sharing
This is a POC video for profapi.dll. All other DLLs are hijacked in a similar
method.

4. Conclusion:
The identified DLL Hijacking vulnerability poses a significant risk to
users of Cygwin during installation and execution of setup-x86_64.exe
<https://cygwin.com/setup-x86_64.exe>. I urge you to address this issue
promptly. I'm available for any further clarification or assistance in
addressing the vulnerability.

Thank you for your attention to this matter, and I appreciate the hard work
you put into maintaining and improving open-source projects for the
community.

Best regards,
Submitted by:
Suman Kumar Chakraborty
LinkedIn: https://www.linkedin.com/in/suman-chakraborty-b857901b1/

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
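The report above rests on the Windows DLL search order: when a module is requested by bare name and the loader does not find it in the directories it probes first, it keeps going through the current directory and PATH. Which directories come before which depends on SafeDllSearchMode, and a DLL that is already in System32 (or on the KnownDLLs list) is only reachable from the application directory, not from the CWD, under the default mode. The model below, written as an added example for this page and not code from the reporter or from the Cygwin project, encodes Microsoft's documented search order for an unpackaged desktop application and runs the eleven DLL names from the report against a constructed filesystem snapshot. Everything about the scenario (the Downloads path, the PATH entries, which directories are user-writable, which DLLs exist in System32 and which are absent) is an assumption made for illustration; it says nothing about any particular Windows build. It also shows the hardened resolution an installer gets from LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 (or SetDefaultDllDirectories), where an absent DLL fails to load instead of being picked up from a writable directory.

```python
"""Windows DLL search-order model for triaging a CWD / application-directory
DLL hijacking report.

Added example for this page; not Cygwin code and not the reporter's PoC. It
does not touch a real Windows system: the directory layout, the PATH entries,
the set of user-writable directories and which DLLs are present in the
snapshot are all constructed here for illustration. The DLL names are the
ones listed in the report; whether each one is shipped in System32 on a given
Windows build is an assumption of this snapshot, not a measured fact.

Search order modelled (Microsoft's documented order for an unpackaged desktop
application calling LoadLibrary with a bare file name, no manifest
redirection, no SetDllDirectory / SetDefaultDllDirectories):

  SafeDllSearchMode = 1 (default):  app dir, System32, System, Windows, CWD, PATH
  SafeDllSearchMode = 0:            app dir, CWD, System32, System, Windows, PATH

Already-loaded modules and KnownDLLs are served from memory / the \\KnownDlls
section before any directory is searched, so planting a file cannot hijack them.
"""

# --- constructed scenario (assumptions, not measurements) -----------------
APP_DIR = r"C:\Users\victim\Downloads"      # where setup-x86_64.exe was saved
CWD = r"C:\Users\victim"                     # current directory of the process
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
PATH_DIRS = [
    r"C:\Program Files\Git\cmd",                                # admin-owned
    r"C:\Users\victim\AppData\Local\Microsoft\WindowsApps",     # user-owned
]
USER_WRITABLE = {APP_DIR, CWD, PATH_DIRS[1]}   # assumption for this scenario

# Representative subset of the KnownDLLs list; the real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
    "advapi32.dll", "ole32.dll", "shell32.dll", "rpcrt4.dll", "msvcrt.dll",
}

# Filesystem snapshot: directory -> set of lower-case file names present.
# edputil.dll, servicingcommon.dll and textshaping.dll are deliberately left
# out to model a machine where they are not installed at all.
SAMPLE_FS = {
    SYSTEM32: {
        "profapi.dll", "cfgmgr32.dll", "urlmon.dll", "sspicli.dll",
        "wldp.dll", "mpr.dll", "cryptbase.dll", "propsys.dll",
    },
    APP_DIR: {"setup-x86_64.exe"},
}

REPORTED_DLLS = [
    "profapi.dll", "CFGMGR32.dll", "edputil.dll", "urlmon.dll", "SspiCli.dll",
    "Wldp.dll", "MPR.dll", "ServicingCommon.dll", "TextShaping.dll",
    "CRYPTBASE.DLL", "PROPSYS.dll",
]

# What LoadLibraryEx(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) probes: only
# System32. A DLL that is absent then fails to load instead of being picked
# up from a writable directory.
HARDENED_ORDER = [SYSTEM32]


def search_order(cwd, safe_dll_search_mode=True):
    """Directories the loader probes, in order, for a bare DLL name."""
    if safe_dll_search_mode:
        return [APP_DIR, SYSTEM32, SYSTEM16, WINDIR, cwd] + PATH_DIRS
    return [APP_DIR, cwd, SYSTEM32, SYSTEM16, WINDIR] + PATH_DIRS


def resolve(name, fs, order):
    """Directory the DLL would load from, or None when the load fails."""
    key = name.lower()
    if key in KNOWN_DLLS:
        return SYSTEM32        # served from the KnownDlls section, not disk search
    for directory in order:
        if key in fs.get(directory, set()):
            return directory
    return None


def hijack_vectors(name, fs, order):
    """User-writable directories probed before the legitimate copy is found.

    If the DLL exists nowhere in the order, every writable directory in the
    order is a vector (the "DLL not found" case the report relies on).
    """
    key = name.lower()
    if key in KNOWN_DLLS:
        return []
    legit = resolve(name, fs, order)
    cutoff = len(order) if legit is None else order.index(legit)
    return [d for d in order[:cutoff] if d in USER_WRITABLE]


def triage(names, fs, order):
    """Map each reported DLL to its hijack vectors under the given order."""
    return {n: hijack_vectors(n, fs, order) for n in names}


if __name__ == "__main__":
    for label, order in [
        ("SafeDllSearchMode=1", search_order(CWD)),
        ("SafeDllSearchMode=0", search_order(CWD, safe_dll_search_mode=False)),
        ("LOAD_LIBRARY_SEARCH_SYSTEM32", HARDENED_ORDER),
    ]:
        print(f"== {label}")
        for name, vectors in triage(REPORTED_DLLS, SAMPLE_FS, order).items():
            print(f"  {name:20s} from {str(resolve(name, SAMPLE_FS, order)):32s} vectors={vectors}")
```

Run as a script it prints, for each search mode, where every reported DLL resolves and which writable directories could pre-empt it. In the constructed snapshot the DLLs present in System32 are reachable only from the application directory under the default mode (and from the CWD as well only when SafeDllSearchMode is off), while the DLLs absent from the snapshot resolve from every writable directory in the order, which is why "not finding the DLL" is the interesting part of such a report. On a real machine the snapshot is replaced by the loader's own probing, which Process Monitor shows as a sequence of CreateFile NAME NOT FOUND events across exactly these directories; comparing that trace against the hardened order is the check to run before accepting or rejecting the finding.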
