From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 10357 invoked by alias); 21 Sep 2009 08:41:28 -0000 Received: (qmail 10346 invoked by uid 22791); 21 Sep 2009 08:41:27 -0000 X-SWARE-Spam-Status: No, hits=1.4 required=5.0 tests=AWL,BAYES_00 X-Spam-Check-By: sourceware.org Received: from pizza.lunch.za.net (HELO pizza.lunch.za.net) (80.68.92.4) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Mon, 21 Sep 2009 08:41:22 +0000 Received: from spectrum.zx ([196.210.206.250]) (authenticated bits=0) by pizza.lunch.za.net (8.13.8/8.14.3/ho) with ESMTP id n8L8fGnA023252 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Mon, 21 Sep 2009 10:41:18 +0200 From: Andrew McGill To: cygwin@cygwin.com Subject: Write access for BUILTIN\USERS - cygwin privilege escalation vulnerability for Windows 2008 default installation Date: Mon, 21 Sep 2009 08:41:00 -0000 User-Agent: KMail/1.12.1 (Linux/2.6.24-19-generic; KDE/4.3.1; i686; ; ) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Message-Id: <200909211041.17032.list2009@lunch.za.net> X-IsSubscribed: yes Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com X-SW-Source: 2009-09/txt/msg00478.txt.bz2 Hi, I ran setup.ext to install cygwin in c:\cygwin on a (fairly) fresh installation of Windows Server 2008. On this server, the permissions of C:\ were set to allow new files to be created in subdirectories by BUILTIN\Users. The cygwin folder inherited from the default permissions on C:\ the following ACL: [C:\cygwin] icacls c:\cygwin c:\cygwin NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) BUILTIN\Users:(I)(CI)(AD) <<<<<<< AAAAAAAARGH! BUILTIN\Users:(I)(CI)(WD) <<<<<<< AAAAAAAARGH! ZEROTOOL\Administrator:(I)(F) CREATOR OWNER:(I)(OI)(CI)(IO)(F) This allows ANY member of BUILTIN/Users, including nt authority\network service to create files. I can pwn the box from IIS by writing content to these files -- and not much creativity is needed to think of many more: c:/cygwin/home/Administrator/.ssh/authorized_keys c:/cygwin/home/Administrator/.bashrc c:/cygwin/home/Administrator/.bash_logout c:/cygwin/home/Administrator/.bash_profile c:/cygwin/home/Administrator/.vimrc This permission was default on the system - it seems to be there on Windows 2003 as well, and maybe before that. Folders like c:\windows and c:\inetpub have explicit permissions for builtin/users. Perhaps this is some kind of secret best practice that cygwin is missing out on? If not, it's merely a series of unfortunate events that adds up to a privilege escalation vulnerability, and you really should understand windows ACL's before running cygwin. Feature request: The cygwin installer should set permissions on c:\cygwin to be the same as %windir%, and not trust the operating system to do the "right thing". -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple