Date: Tue, 6 Feb 2024 21:53:47 -0700
Subject: Re: MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe
From: Brian Inglis via Cygwin
To: cygwin AT cygwin DOT com
Organization: Systematic Software
In-Reply-To: <0b8c28c486475cf1868aea678779ee7a@kylheku.com>

On 2024-02-06 15:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>>
>> The vulnerability pertains to not finding the profapi.dll, CFGMGR32.dll,
>> edputil.dll, urlmon.dll, SspiCli.dll, Wldp.dll, MPR.dll,
>> ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL, PROPSYS.dll and
>> insecure loading of dynamic link libraries (DLLs), specifically
>> profapi.dll. If exploited, this vulnerability could allow an attacker
>> to execute arbitrary code on a victim's machine, potentially leading to
>> data breaches, system compromise, and other malicious activities.
>
> By what means is setup.exe probing these DLLs?
>
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).
>
> If these DLLs being missing doesn't stop the program from running,
> doesn't that mean it's just probing for them with LoadLibrary or
> LoadLibraryEx explicitly, and then handling the failure gracefully?
>
> Setup itself doesn't use LoadLibrary or LoadLibraryEx.
>
> The MinGW toolchain must be introducing that somehow?
>
> It is curious.

Could be any one of the proprietary DLLs pulled into Cygwin Setup:

$ upx -dqqqot ~/mirror/x86_64/setup-x86_64.exe
$ grep -ao '%%%\ssetup-version\s[0-9]\+\.[0-9]\+' t
%%% setup-version 2.929
$ cygcheck ./t
...\t
  C:\WINDOWS\system32\KERNEL32.DLL
    C:\WINDOWS\system32\ntdll.dll
    C:\WINDOWS\system32\KERNELBASE.dll
  C:\WINDOWS\system32\ADVAPI32.dll
    C:\WINDOWS\system32\msvcrt.dll
    C:\WINDOWS\system32\SECHOST.dll
    C:\WINDOWS\system32\RPCRT4.dll
  C:\WINDOWS\system32\COMCTL32.dll
    C:\WINDOWS\system32\GDI32.dll
    C:\WINDOWS\system32\win32u.dll
    C:\WINDOWS\system32\USER32.dll
  C:\WINDOWS\system32\ole32.dll
    C:\WINDOWS\system32\combase.dll
  C:\WINDOWS\system32\PSAPI.DLL
  C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\msvcp_win.dll
  C:\WINDOWS\system32\SHLWAPI.dll
  C:\WINDOWS\system32\WININET.dll
  C:\WINDOWS\system32\WS2_32.dll

OP: Which version and date of setup-x86_64.exe are you checking?

Do you have any A/V or EPP installed on your system which could be
injecting these interlopers into the call chain?

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

Perfection is achieved not when there is no more to add,
but when there is no more to cut.   -- Antoine de Saint-Exupéry
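As an added example (not code from this thread or from Cygwin Setup), the following Python reads a PE file's import directory and lists the DLLs the executable links statically, which is the first-level set cygcheck reports above. DLLs that other modules pull in later, transitively or through LoadLibrary, never appear in that table, which is the distinction the reply is drawing. `build_sample_pe` constructs a minimal PE32+ image purely as offline test input; the DLL names it takes are an assumption for the demonstration.

```python
import struct

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def imported_dlls(data):
    """Return the DLL names in a PE file's import directory (static imports only)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # COFF SizeOfOptionalHeader
    opt = pe + 24                                            # optional header start
    dd = opt + (0x70 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 0x60)
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]      # DataDirectory[1] = imports
    sections = []
    for i in range(nsec):                                    # 40-byte section headers
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = []
    off = _rva_to_offset(imp_rva, sections) if imp_rva else None
    while off is not None:                                   # 20-byte IMAGE_IMPORT_DESCRIPTORs
        lookup, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not (lookup or name_rva or iat):                  # all-zero terminator
            break
        start = _rva_to_offset(name_rva, sections)
        names.append(data[start:data.index(b"\0", start)].decode("ascii"))
        off += 20
    return names

def build_sample_pe(dll_names):
    """Constructed PE32+ image containing only an import directory (test input, not a real binary)."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(dll_names)
    descs, strings = b"", b""
    for name in dll_names:
        rva = sec_va + 20 * (n + 1) + len(strings)         # name string follows the descriptors
        descs += struct.pack("<IIIII", 0, 0, 0, rva, 0)
        strings += name.encode() + b"\0"
    body = descs + b"\0" * 20 + strings
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = (struct.pack("<H", 0x20B).ljust(0x70, b"\0") + struct.pack("<IIII", 0, 0, sec_va, 20 * (n + 1))).ljust(240, b"\0")
    sec = b".idata".ljust(8, b"\0") + struct.pack("<IIII", len(body), sec_va, len(body), sec_raw)
    hdr = dos + b"PE\0\0" + coff + opt + sec.ljust(40, b"\0")
    return hdr.ljust(sec_raw, b"\0") + body
```

Running `imported_dlls(open(path, "rb").read())` on the UPX-decompressed setup binary gives the list to compare against the cygcheck output; a name from the report that is absent there was not requested by Setup's own import table.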