DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 50ALwAr61648693
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 50ALwAr61648693
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=rZsArOlL
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7248F3858031
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1736546288;
	bh=ruuzrN42xJyGIDlETSXvfsz0JG5RDIKd9UaXz86U3Ss=;
	h=Date:To:Cc:Subject:In-Reply-To:References:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From:Reply-To:From;
	b=rZsArOlLYbNwbHYetsSkuYag0tmODMykUYc/4x6h0HitB6OWwU03h200k1pyIrVmh
	 ptoL7vL2YixWvxEKZsy8/bPPani1jJhs24yKuxnOgpvj/jYnlnEwbwdnmdVq4nCHdS
	 ICK1Ja41LqjiU0rMRlKMSK714bjhMVlNNl51gmts=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 01958385801B
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 01958385801B
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1736546001; cv=none;
 b=mv/xhl+PLC02txody3vg6m5M2jHqwUXXOYThB9A47AnR+U4lIUYVJHfLdi1+ETlUJrJVeucBCxhGNajJvyn1xxHBJyRwoiU3vpnqz1TFD/HryLxahhwLNbhycHFo6b5NTEwsn7XqnkphSbDgI3yIyrKfuWE7uVOcQBSyOgnrfFA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1736546001; c=relaxed/simple;
 bh=4t7nU8380oHktmgIhj3DSQTsYRjdq/kocDYcxYIXCYc=;
 h=MIME-Version:Date:From:To:Subject:Message-ID;
 b=AUPt9i7/ZRo9pAbTv1G/h+jsaB+M4akeowZHMh4BKJhf1qVXMDoMcAzo1tp1pqiZ2356N8JulW1lGUrW0KhM1i1WweCb/crjWqPsy+kYMsAKnCYQ27MzGRh6SahRzwv1PDb+ZUzNCWWQQRhj43BtaeHPOM0VSbGimarv6zp3QRM=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 01958385801B
MIME-Version: 1.0
Date: Fri, 10 Jan 2025 13:52:31 -0800
To: Marco Atzeri <marco DOT atzeri AT gmail DOT com>
Cc: cygwin AT cygwin DOT com
Subject: Re: Cygwin main function: vulnerable to wchar_t to char conversion
 attacks or not?
In-Reply-To: <f1aa49a0-35c0-4df6-997e-33de5517adbc@gmail.com>
References: <2bc465c57c4826ff6eebbd566a92346e AT kylheku DOT com>
 <176904400 DOT 20250110103307 AT yandex DOT ru>
 <f1aa49a0-35c0-4df6-997e-33de5517adbc AT gmail DOT com>
User-Agent: Roundcube Webmail/1.4.15
Message-ID: <58ddf2002fe1e33993102592eeb0c506@kylheku.com>
X-Sender: kaz AT kylheku DOT com
X-MagicMail-OS: Unknown
X-MagicMail-UUID: 4e263016-cf9d-11ef-b16c-005056953255
X-MagicMail-Authenticated: fuck DOT telus AT novus DOT ca
X-MagicMail-SourceIP: 104.37.63.7
X-MagicMail-RegexMatch: 1
X-MagicMail-EnvelopeFrom: <fuck DOT telus AT novus DOT ca>
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Kaz Kylheku via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Kaz Kylheku <kaz AT kylheku DOT com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

On 2025-01-09 23:52, Marco Atzeri wrote:
> On 10/01/2025 08:33, Andrey Repin via Cygwin wrote:
>> Greetings, Kaz Kylheku!
>>
>>> Hi all,
>>
>>> I'm reading an article on attacks that are evidently possible against some Windows
>>> programs in the area of command line parsing. See below.
>>
>>> Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
>>> line that is parsed into argv[]?
>>
>> You can answer this question yourself. The code is open.
> 
> Specifically on https://cygwin.com/git/newlib-cygwin.git
> 
> /pub/Cygwin/git/newlib-cygwin
> $ grep -rH GetCommandLineA .
> ./winsup/CVSChangeLogs.old/cygwin/ChangeLog-2013: (cygwin_GetCommandLineA): Ditto.
> ./winsup/cygwin/cygwin.din:GetCommandLineA AT 0 = cygwin_GetCommandLineA AT 0 NOSIGFE
> ./winsup/cygwin/include/cygwin/version.h:  268: Export GetCommandLineA, GetCommandLineW
> ./winsup/cygwin/kernel32.cc:/* Cygwin replacement for GetCommandLineA. Returns a concatenated string
> ./winsup/cygwin/kernel32.cc:cygwin_GetCommandLineA (void)

I see that the kernel32.cc function uses RtlUnicodeStringtoAnsiString.

The article I linked to mentions this specific function. The function does the
"BestFit" thing, converting Unicode characters to ASCII pseudo-equivalents.

If Cygwin relies on this function for converting the process command line
into main() arguments, it is likely susceptible to argument injection.






-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple