X-Recipient: archive-cygwin AT delorie DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 0BCCB3858C78 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1707257515; bh=uH2UGXsr+1xEC1/EEAtXpNEAUBX0zK3jUE1YGILSH0A=; h=Date:To:Cc:Subject:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=S+QbuDheIdxpgoN8Mk+BMsyo16rNsuMqyUWhrYJvOzz7ORE3kukdVztnd7WTud1rE Vor4xhq/MvLhY3eDzKnhI+N9b/ZdG9pmXLTvX9npt8Mk5BB9SMbcOCO/ym/rRq/4nB IvM01oxUdimnrWstuYPFT/wASUHYdC+4CwTQYnsc= X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org AB8B33858D33 ARC-Filter: OpenARC Filter v1.0.0 sourceware.org AB8B33858D33 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707257454; cv=none; b=ws9avUE4oOP7op8LcjWp7FKA/2Uvr7L7IeceytWmgJDolEoqJaaHu9h81WRpc8V+zHmkePWWVQRaCTx7Rx/XC9rsktoSsy0/z3HsvTJ3U1/8OJwjcGFXlM096cLMMLJvKjYHhYGuxGXBg/NB/Y23zXQXUBhFkq9Vj0qhhXbIqxg= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1707257454; c=relaxed/simple; bh=r4Eo6JFjzcBovTUN8uoDsbWibc6rTUetXrZ0O+f7Gdg=; h=MIME-Version:Date:From:To:Subject:Message-ID; b=C6idIVvoltNux6TL1H4+limCPwaop0Tmssfra+7Q1/7dOV9JGBk+mtd80mouVPEWA4WylB8Lx9obshTQa+z1io418IlRthc+2RDPs+nRefP71WoFALrLFef2m4XhvX6V4TkQwsWE56I7wcD8DfBVHABwxN4b6uZrJB84bZ0TXFM= ARC-Authentication-Results: i=1; server2.sourceware.org MIME-Version: 1.0 Date: Tue, 06 Feb 2024 14:10:39 -0800 To: Suman Chakraborty Cc: cygwin AT cygwin DOT com Subject: Re: MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe In-Reply-To: References: User-Agent: Roundcube Webmail/1.4.15 Message-ID: <0b8c28c486475cf1868aea678779ee7a@kylheku.com> X-Sender: kaz AT kylheku DOT com X-MagicMail-OS: Unknown X-MagicMail-UUID: 96c77b8e-c53c-11ee-8ccb-005056953255 X-MagicMail-Authenticated: fuck DOT telus AT novus DOT ca X-MagicMail-SourceIP: 104.37.63.7 X-MagicMail-RegexMatch: 1 X-MagicMail-EnvelopeFrom: X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_20, HEADER_FROM_DIFFERENT_DOMAINS, KAM_DMARC_STATUS, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: cygwin AT cygwin DOT com X-Mailman-Version: 2.1.30 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Kaz Kylheku via Cygwin Reply-To: Kaz Kylheku Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com Sender: "Cygwin" On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote: > 1. Executive Summary: > > The vulnerability pertains to not finding > the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll, > Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL, > PROPSYS.dll and insecure loading of dynamic link libraries (DLLs), > specifically profapi.dll. If exploited, this vulnerability could allow an > attacker to execute arbitrary code on a victim's machine, potentially > leading to data breaches, system compromise, and other malicious activities. By what means is setup.exe probing these DLLs? I don't see any references to profapi.dll in its source tree (git grep -i profapi turns up nothing). If these DLL's being missing doesn't stop the program from running, doesn't that mean it's just probing for them with LoadLibrary or LoadLibraryEx explicitly, and then handling the failure gracefully? Setup itself doesn't use LoadLibrary or LoadLibraryEx. The MinGW toolchain must be introducing that somehow? It is curious. -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple