Date: Sun, 11 Feb 2024 20:19:09 +0100
Subject: Re: MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe
To: cygwin AT cygwin DOT com
From: Csaba Ráduly via Cygwin
In-Reply-To: <0b8c28c486475cf1868aea678779ee7a@kylheku.com>

On 06/02/2024 23:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>>
>> The vulnerability pertains to not finding
>> the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll,
>> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
>> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
>> specifically profapi.dll. If exploited, this vulnerability could allow an
>> attacker to execute arbitrary code on a victim's machine, potentially
>> leading to data breaches, system compromise, and other malicious activities.
> By what means is setup.exe probing these DLLs?
>
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).

According to Dependency Walker, profapi.dll is a dependency of userenv.dll,
which in turn is a dependency of sechost.dll, which in turn is a dependency
of advapi32.dll.

I don't think setup-x86_64.exe has any say in how these dependencies are loaded.

Csaba
-- 
Life is complex, with real and imaginary parts.

-- 
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
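The thread turns on two questions a reviewer of such a report has to answer: which DLLs does the binary itself import (as opposed to what its system dependencies pull in transitively), and which of those imports the Windows loader would actually pick up from the directory next to the .exe. The script below, an added example that is not part of this message or of the Cygwin setup code, walks the import directory of a PE file with only the standard library and then flags the direct imports that are not served from the KnownDLLs list, i.e. the names an attacker could plant beside a downloaded installer. The `ASSUMED_KNOWN_DLLS` set and the `build_sample_pe` image are constructed inputs and assumptions: on a real system read KnownDLLs from the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs` and point `pe_imports` at the real `setup-x86_64.exe`. It only sees direct imports; to follow the chain Csaba describes (advapi32 to sechost to userenv to profapi) run the same parser on each of those system DLLs in turn.

```python
"""Direct-import and search-order check for a PE file (added example)."""
import struct

# Assumption: a few names that are KnownDLLs on typical Windows 10/11 installs.
# KnownDLLs are mapped from \KnownDlls, so the application directory is never
# searched for them; read the real list from the registry before relying on it.
ASSUMED_KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll",
                      "advapi32.dll", "user32.dll", "gdi32.dll"}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def pe_imports(data):
    """Return the DLL names in the import directory of a PE32 / PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dir = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    imp_rva, _imp_size = struct.unpack_from("<II", data, data_dir + 8)  # entry 1
    if imp_rva == 0:
        return []
    sections = []
    sh = opt + opt_size                       # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, sh + i * 40 + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    names, off = [], rva_to_offset(sections, imp_rva)
    while True:                               # IMAGE_IMPORT_DESCRIPTOR array
        desc = struct.unpack_from("<IIIII", data, off)
        if not any(desc):                     # all-zero descriptor terminates
            break
        names.append(read_cstring(data, rva_to_offset(sections, desc[3])))
        off += 20
    return names


def hijack_candidates(imports, known_dlls, app_dir_files):
    """Direct imports the default search order would take from the app dir.
    A name not in KnownDLLs is looked up in the application directory before
    System32, so a file of that name dropped next to the .exe is what loads.
    'planted' means such a file is already present in the directory listing."""
    known = {k.lower() for k in known_dlls}
    present = {f.lower() for f in app_dir_files}
    return [(dll, "planted" if dll.lower() in present else "missing")
            for dll in imports if dll.lower() not in known]


def build_sample_pe(dll_names):
    """Constructed sample input: a minimal PE32+ image whose import directory
    names dll_names. It is parsable, not loadable."""
    sec_rva, sec_raw = 0x1000, 0x200
    table_len = (len(dll_names) + 1) * 20     # descriptors + terminator
    name_rvas, cursor = [], table_len
    for n in dll_names:
        name_rvas.append(sec_rva + cursor)
        cursor += len(n) + 1
    blob = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    blob += bytes(20) + b"".join(n.encode("ascii") + b"\0" for n in dll_names)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8, sec_rva, table_len)   # import dir
    sec = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(blob), sec_rva,
                      len(blob), sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return hdr + bytes(sec_raw - len(hdr)) + blob


if __name__ == "__main__":
    image = build_sample_pe(["ADVAPI32.dll", "profapi.dll", "KERNEL32.dll"])
    imports = pe_imports(image)
    # Constructed directory listing: a Downloads folder with a planted DLL.
    print(hijack_candidates(imports, ASSUMED_KNOWN_DLLS,
                            ["setup-x86_64.exe", "profapi.dll"]))
```

The check deliberately models only the default search order. A process can narrow it for its own `LoadLibrary` calls with `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)`, but static imports are resolved by the loader before any of the program's code runs, and the transitive imports of system DLLs are resolved by those DLLs, which is the point Csaba makes about setup-x86_64.exe.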