From: "Stefan Kanthak"
Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
Date: Wed, 06 Jan 2016 14:18:00 -0000

Second and last chance!
See

----- Original Message -----
From: "Stefan Kanthak"
Sent: Monday, December 28, 2015 4:23 AM
Subject: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory

> Hi,
>
> Cygwin's setup-x86.exe loads and executes UXTheme.dll
> (on Windows XP also ClbCatQ.dll) and more from its
> "application directory".
>
> For software downloaded with a web browser the application
> directory is typically the user's "Downloads" directory: see
> , and
>
> If UXTheme.dll (or one of the other DLLs) gets planted in
> the user's "Downloads" directory per "drive-by download" or
> "social engineering" this vulnerability becomes a remote code
> execution.
>
> If setup-x86.exe is NOT started with --no-admin the vulnerability
> results in an escalation of privilege too!
>
>
> Proof of concept/demonstration:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1. visit , download and save it as UXTheme.dll in your
>    "Downloads" directory;
>
> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;
>
> 3. download setup-x86.exe and save it in your "Downloads" directory;
>
> 4. execute setup-x86.exe from your "Downloads" directory;
>
> 5. notice the message boxes displayed from UXTheme.dll placed in
>    step 1 (and ClbCatQ.dll placed in step 2).
>
> PWNED!
>
> 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
>    also as PSAPI.dll and WS2_32.dll);
>
> 7. rerun setup-x86.exe from your "Downloads" directory.
>
> DOSSED!
>
> 8. turning the denial of service into an arbitrary (remote) code
>    execution is trivial: just add the SINGLE entry (PSAPI.dll:
>    EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
>    referenced from setup-x86.exe to a rogue DLL of your choice.
>
> PWNED again!
>
>
> See , and plus and for details about
> this well-known and well-documented BEGINNER'S error!
>
>
> Then dump your vulnerable executable installer and provide a SAFE
> installer instead: either .MSI or .INF (plus .CAB).
>
>
> I'll publish in 45 days.
> See and return the CVE identifier assigned for this
> vulnerability to me!
>
>
> regards
> Stefan Kanthak
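As an added example (not part of Stefan Kanthak's report or of Cygwin's own setup code), a PowerShell check a defender can run against a download directory before launching an installer from it: it looks for the DLL names the report says setup-x86.exe resolves from its application directory and flags any copy that is unsigned or differs from the one in System32. The directory to audit and the use of the user's Downloads folder as the default are assumptions.

```powershell
# Added example: audit an "application directory" (by default the user's
# Downloads folder, an assumption) for DLLs that would shadow system DLLs
# when an installer run from that directory resolves them by name.
param(
    [string]$AppDir = (Join-Path $env:USERPROFILE 'Downloads')
)

# DLL names taken from the report above: UXTheme/ClbCatQ for the code
# execution case, WSock32/PSAPI/WS2_32 for the denial-of-service case.
$SuspectDlls = 'UXTheme.dll', 'ClbCatQ.dll', 'WSock32.dll', 'PSAPI.dll', 'WS2_32.dll'
$System32    = Join-Path $env:SystemRoot 'System32'

$findings = foreach ($name in $SuspectDlls) {
    $planted = Join-Path $AppDir $name
    if (-not (Test-Path -LiteralPath $planted)) { continue }

    # Authenticode status: anything other than 'Valid' means the file is
    # unsigned, tampered with, or signed by an untrusted certificate.
    $sig = Get-AuthenticodeSignature -FilePath $planted

    # Compare against the legitimate system copy, if one exists on this
    # Windows version (ClbCatQ.dll, for instance, only matters on XP).
    $sysCopy      = Join-Path $System32 $name
    $sameAsSystem = $false
    if (Test-Path -LiteralPath $sysCopy) {
        $sameAsSystem = (Get-FileHash -LiteralPath $planted -Algorithm SHA256).Hash -eq
                        (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Dll          = $name
        Path         = $planted
        Signature    = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SameAsSystem = $sameAsSystem
        # A same-named DLL next to the installer that is unsigned or differs
        # from the system copy is a hijack candidate: remove it before running
        # anything from this directory.
        Suspicious   = ($sig.Status -ne 'Valid') -or (-not $sameAsSystem)
    }
}

if (-not $findings) {
    Write-Host "No shadowing DLLs found in $AppDir"
} else {
    $findings | Format-Table -AutoSize
}
```

The check only covers the names the report lists; an installer that calls SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_SYSTEM32 before loading anything, or ships as .MSI as the report suggests, removes the application directory from the search in the first place.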