X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=1.4 required=5.0 	tests=AWL,BAYES_00
X-Spam-Check-By: sourceware.org
From: Andrew McGill <list2009 AT lunch DOT za DOT net>
To: cygwin AT cygwin DOT com
Subject: Write access for BUILTIN\USERS - cygwin privilege escalation vulnerability for Windows 2008 default installation
Date: Mon, 21 Sep 2009 10:41:16 +0200
User-Agent: KMail/1.12.1 (Linux/2.6.24-19-generic; KDE/4.3.1; i686; ; )
MIME-Version: 1.0
Content-Type: text/plain;   charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200909211041.17032.list2009@lunch.za.net>
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Hi,

I ran setup.ext to install cygwin in c:\cygwin on a (fairly) fresh 
installation of Windows Server 2008.  On this server, the permissions of C:\ 
were set to allow new files to be created in subdirectories by BUILTIN\Users.  

The cygwin folder inherited from the default permissions on C:\ the following 
ACL:

[C:\cygwin] icacls c:\cygwin
c:\cygwin NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)
          BUILTIN\Users:(I)(CI)(AD)   <<<<<<< AAAAAAAARGH!
          BUILTIN\Users:(I)(CI)(WD)   <<<<<<< AAAAAAAARGH!
          ZEROTOOL\Administrator:(I)(F)
          CREATOR OWNER:(I)(OI)(CI)(IO)(F)

This allows ANY member of BUILTIN/Users, including nt authority\network 
service to create files.  I can pwn the box from IIS by writing content to 
these files -- and not much creativity is needed to think of many more:

	c:/cygwin/home/Administrator/.ssh/authorized_keys
	c:/cygwin/home/Administrator/.bashrc
	c:/cygwin/home/Administrator/.bash_logout
	c:/cygwin/home/Administrator/.bash_profile
	c:/cygwin/home/Administrator/.vimrc

This permission was default on the system - it seems to be there on Windows 
2003 as well, and maybe before that.  Folders like c:\windows and c:\inetpub 
have explicit permissions for builtin/users.  Perhaps this is some kind of 
secret best practice that cygwin is missing out on?  If not, it's merely a 
series of unfortunate events that adds up to a privilege escalation 
vulnerability, and you really should understand windows ACL's before running 
cygwin.

Feature request: The cygwin installer should set permissions on c:\cygwin to 
be the same as %windir%, and not trust the operating system to do the "right 
thing".  

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple