* Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
From: Stefan Kanthak @ 2016-01-06 14:18 UTC (permalink / raw)
To: cygwin, cygwin; +Cc: security
Second and last chance!
See <http://home.arcor.de/skanthak/policy.html>
----- Original Message -----
From: "Stefan Kanthak" <stefan.kanthak@nexgo.de>
To: <security@cygwin.org>
Cc: <security@redhat.com>
Sent: Monday, December 28, 2015 4:23 AM
Subject: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
> Hi,
>
> Cygwin's setup-x86.exe loads and executes UXTheme.dll
> (on Windows XP also ClbCatQ.dll) and more from its
> "application directory".
>
> For software downloaded with a web browser the application
> directory is typically the user's "Downloads" directory: see
> <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
> <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
> and <http://seclists.org/fulldisclosure/2012/Aug/134>
>
> If UXTheme.dll (or one of the other DLLs) gets planted in
> the user's "Downloads" directory per "drive-by download" or
> "social engineering" this vulnerability becomes a remote code
> execution.
>
> If setup-x86.exe is NOT started with --no-admin the vulnerability
> results in an escalation of privilege too!
>
>
> Proof of concept/demonstration:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
> it as UXTheme.dll in your "Downloads" directory;
>
> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;
>
> 3. download setup-x86.exe and save it in your "Downloads" directory;
>
> 4. execute setup-x86.exe from your "Downloads" directory;
>
> 5. notice the message boxes displayed from UXTheme.dll placed in
> step 1 (and ClbCatQ.dll placed in step 2).
>
> PWNED!
>
> 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
> also as PSAPI.dll and WS2_32.dll);
>
> 7. rerun setup-x86.exe from your "Downloads" directory.
>
> DOSSED!
>
> 8. turning the denial of service into an arbitrary (remote) code
> execution is trivial: just add the SINGLE entry (PSAPI.dll:
> EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
> referenced from setup-x86.exe to a rogue DLL of your choice.
>
> PWNED again!
>
>
> See <http://seclists.org/fulldisclosure/2015/Nov/101>,
> <http://seclists.org/fulldisclosure/2015/Dec/86> and
> <http://seclists.org/fulldisclosure/2015/Dec/121> plus
> <http://home.arcor.de/skanthak/!execute.html> and
> <http://home.arcor.de/skanthak/sentinel.html> for details about
> this well-known and well-documented BEGINNER'S error!
>
>
> Then dump your vulnerable executable installer and provide a SAFE
> installer instead: either .MSI or .INF (plus .CAB).
>
>
> I'll publish in 45 days.
> See <http://home.arcor.de/skanthak/policy.html> and return the
> CVE identifier assigned for this vulnerability to me!
>
>
> regards
> Stefan Kanthak
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
* Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
From: Yucong Sun @ 2016-01-07 16:53 UTC (permalink / raw)
To: cygwin; +Cc: cygwin, security
Your emails could have been clearer. In any case, it seems the
easy/right solution is to add
SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)
to the exe?
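As an added example (not code from this thread or from Cygwin's setup program), the following Python script parses a PE import directory and reports which statically imported DLLs the KnownDLLs mechanism does not protect, i.e. the class of names (UXTheme.dll and WSock32.dll in the report above, plus ClbCatQ.dll, PSAPI.dll and WS2_32.dll on XP, whose KnownDLLs key is much shorter) that a file planted in the application directory can satisfy. Because static imports are resolved by the loader before any instruction of the executable runs, a SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) call inside the program can only protect DLLs loaded afterwards (LoadLibrary, delay-load), so this list is what an installer author has to drive to empty or convert to delay-loads. The KNOWN_DLLS set is an abridged, constructed approximation of the registry key named in the comment.

```python
import struct, sys

# Abridged KnownDLLs set as found on a current 64-bit Windows (constructed for
# this example). On a real host read the registry key
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs instead.
KNOWN_DLLS = {"advapi32.dll", "clbcatq.dll", "comdlg32.dll", "gdi32.dll",
              "kernel32.dll", "msvcrt.dll", "ole32.dll", "psapi.dll",
              "rpcrt4.dll", "shell32.dll", "user32.dll", "ws2_32.dll"}

def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def imported_dlls(data):
    """DLL names in the static import directory of a PE image given as bytes.
    Delay-load imports live in a separate directory and are not listed here."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (104 if magic == 0x10B else 112)         # import dir: PE32 / PE32+
    imp_rva = struct.unpack_from("<I", data, dir_off)[0]
    hdrs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]                            # VirtualSize, VirtualAddress,
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in hdrs]  # SizeOfRawData, PointerToRawData
    names, off = [], (_rva_to_offset(sections, imp_rva) if imp_rva else None)
    while off is not None:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                    # all-zero terminator
            break
        start = _rva_to_offset(sections, name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        off += 20
    return names

def hijackable_imports(data, known=KNOWN_DLLS):
    """Static imports KnownDLLs does not protect: the loader resolves these from the
    application directory first, before any code in the executable has run."""
    return sorted({n for n in imported_dlls(data) if n.lower() not in known})

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:                       # e.g. a downloaded installer
        print("\n".join(hijackable_imports(f.read())))
```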
* Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
From: Eric Blake @ 2016-01-07 17:39 UTC (permalink / raw)
To: cygwin, stefan.kanthak
On 01/06/2016 07:17 AM, Stefan Kanthak wrote:
> Second and last chance!
> See <http://home.arcor.de/skanthak/policy.html>
Your policy page mentions a 45-day window, but:
>
> ----- Original Message -----
> From: "Stefan Kanthak" <stefan.kanthak@nexgo.de>
> To: <security@cygwin.org>
> Cc: <security@redhat.com>
> Sent: Monday, December 28, 2015 4:23 AM
If this was your original off-list post, you just violated your own
policy, since you included cygwin AT cygwin.com which is a public list
on the ping, and thereby made the issue public, without waiting 45 days.
>> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
>> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
>> it as UXTheme.dll in your "Downloads" directory;
>>
>> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;
You do realize that Windows XP is unsupported by Microsoft; if your
exploit requires an unsupported OS, does it really deserve a fix?
>>
>> I'll publish in 45 days.
>> See <http://home.arcor.de/skanthak/policy.html> and return the
>> CVE identifier assigned for this vulnerability to me!
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
* Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
From: Yaakov Selkowitz @ 2016-01-08 20:04 UTC (permalink / raw)
To: cygwin; +Cc: security, stefan.kanthak
On 2016-01-06 08:17, Stefan Kanthak wrote:
[snip]
I am analyzing this and working on a response, which I hope to have
early next week.
--
Yaakov
* Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
From: Eric Blake @ 2016-01-09 9:11 UTC (permalink / raw)
To: Stefan Kanthak; +Cc: cygwin
[I got this mail via cc; I don't see the original in the mail archives,
which means it probably got eaten by the spam trap for too many raw
email addresses or other heuristics. I don't maintain cygwin.com, so
I'm only commenting as a side observer here...]
On 01/07/2016 02:59 PM, Stefan Kanthak wrote:
>> If this was your original off-list post, you just violated your own
>> policy since you included cygwin AT cygwin.com which is a public list
>> on the ping, and thereby made the issue public, without waiting 45 days.
>
> Simply wrong!
> Cygwin doesn't name a security mailbox on
> <https://cygwin.com/problems.html>, <https://cygwin.com/lists.html>
> states
>
> | cygwin: In general, you should send questions and bug reports here.
>
> (which I did), and all of <security@cygwin.com>, <security@cygwin.org>
> and <security@sourceware.org> bounce: see
> <http://www.ietf.org/rfc/rfc2142.txt> regarding this well-known role
> account (unfortunately RfC-ignorant.org closed).
Okay, maybe we should consider creating a closed-subscription
non-public-archives security@cygwin.com mailing list (however,
cygwin.org and sourceware.org are not the right domains). Or at least
update the web page to mention secalert@redhat.com as a reasonable
alternative closed list to contact with potential Cygwin security flaws.
I'll leave that up to others with actual admin rights on the cygwin.com
box, though.
> Next time: THINK BEFORE YOU POST!
Shouting at people is not the friendliest way to resolve security or
other issues.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org