This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



Re: cygwin1.dll up to 1.5.22 overflow


Dave,

Here you have the requested info of the advisory:
----------------------------------------------------------------------
III. DESCRIPTION
--------------------------
Traditionally, Linux filesystems allow filenames 255 bytes long; nevertheless,
Cygwin allows 239 bytes and there is a check that prevents filenames
equal to or longer than 240.

In spite of the check, there is a 232-byte-long dynamic memory buffer
where the filename is stored, so it is possible to make an evil filename
233-239 bytes long that bypasses the check and overflows the heap by a
maximum of 7 bytes. So you have to penetrate the machine and put the
evil file there, and then 7 bytes of the private heap and the ebx and edi
registers were mine.

The following file has to be uploaded; if we use ***REMOVED***, Cygwin
will be buffer-overflowed and will execute the evil code.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
...
----------------------------------------------------------------------
I would like to avoid public discussion if you need (as I expect) more
information.

Regards,

Dave Korn wrote:
> On 08 November 2007 13:51, Daniel Fdez. Bleda wrote:
> 
>> Dear Corinna,
>>
>> I understand from this that you are asking that details about
>> exploitation, PoC, etc. of a vulnerability in a piece of software should be
>> directly disclosed on the list? Sounds somewhat dangerous.
>>
>> I didn't usually include in "bugs" a BOF that permits executing code.
>>
>> I'll do this as you requested, omitting sensitive information.
> 
>   I understand your need for caution.  I think maybe we should consider what
> is the best course of action to take and perhaps write up a semi-formal
> announcement for the list instead?
> 
>   Also, maybe we should retire the earlier vulnerable cygwin dll versions that
> are still on sourceware.org?
> 
>   Cygwin is inherently insecure, the shared memory mechanism allows
> unauthenticated communication across trust boundaries between processes;
> without a major redesign it's always going to be vulnerable to privilege
> escalation in particular.  It's not advisable to run a cygwin-based service
> facing the public internet IMO.
> 
>   Which was the vulnerable function?  I'd like to see how serious the
> opportunities for attack are before we rush into anything.
> 
> 
>     cheers,
>       DaveK

-- 
_________________________________
Daniel Fernández Bleda
Director Comercial
CISA, CISSP, ISO27001 Lead Auditor
OPSA/OPST Trainer, CHFI Instructor
dfernandez@isecauditors.com

Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º
E-08030 Barcelona (Spain)
Tel: +34 93 305 13 18
Fax: +34 93 278 22 48
Mov: +34 600 86 40 85
www.isecauditors.com
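The check-versus-buffer mismatch the advisory describes, modelled in C as an added example (hypothetical code, not Cygwin's own; the vulnerable function is not identified on the page). The constants 240 and 232 are the advisory's; `store_name_fixed` shows the defensive shape in which the buffer size alone bounds both the length check and the copy.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the pattern the advisory describes (not Cygwin's
 * code): the length check and the buffer size are two unrelated constants,
 * so the check admits names the buffer cannot hold. */
#define NAME_CHECK_LIMIT 240   /* the check rejects names >= 240 bytes */
#define NAME_BUF_SIZE    232   /* but the heap buffer holds only 232 */

/* Vulnerable shape. Returns -1 if the check rejects the name, otherwise
 * the number of bytes by which a NAME_BUF_SIZE buffer would be overrun
 * (0 = fits). The overrun is computed here, never performed. */
int overrun_if_accepted(size_t name_len)
{
    if (name_len >= NAME_CHECK_LIMIT)
        return -1;
    return name_len > NAME_BUF_SIZE ? (int)(name_len - NAME_BUF_SIZE) : 0;
}

/* Hardened shape: the buffer size is the only limit, the scan for the
 * terminator is bounded by it, and the copy cannot exceed it.
 * Returns a heap copy (caller frees) or NULL if the name is too long. */
char *store_name_fixed(const char *name)
{
    const char *end = memchr(name, '\0', NAME_BUF_SIZE);
    if (end == NULL)                      /* no terminator within 232 bytes */
        return NULL;
    size_t len = (size_t)(end - name);    /* at most NAME_BUF_SIZE - 1 */
    char *buf = malloc(NAME_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, name, len + 1);           /* copies the terminator too */
    return buf;
}

/* Builds a constructed name of `len` 'A' bytes and reports whether the
 * hardened routine accepts it (1) or rejects it (0). */
int fixed_accepts_len(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    char *copy = store_name_fixed(name);
    int accepted = copy != NULL;
    free(copy);
    free(name);
    return accepted;
}
```

With the advisory's constants, `overrun_if_accepted` reports a positive overrun exactly for lengths 233 through 239, the window the advisory names.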

