This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



Re: cygwin1.dll up to 1.5.22 overflow


On Nov  8 14:17, Daniel Fdez. Bleda wrote:
> Dave,
> 
> Here you have the requested info of the advisory:
> ----------------------------------------------------------------------
> III. DESCRIPTION
> --------------------------
> Traditionally, Linux filesystems allow 255-byte-long names; nevertheless

Really?  PATH_MAX is 4096 on my Linux system.  Or are you talking about
NAME_MAX, the length of a single path component?

> Cygwin allows 239 bytes and there is a check that prevents filenames
> equal to or longer than 240.

Cygwin up to 1.5.x allows filenames up to 259 chars, same as the Ascii
Win32 functions: http://msdn2.microsoft.com/en-us/library/aa365247.aspx

> In spite of the check, there is a 232-byte-long dynamic memory buffer
> where the filename is stored, so it is possible to make an evil filename
> 233-239 bytes long that bypasses the check and overflows the heap by a
> maximum of 7 bytes. So you have to penetrate the machine and put the
> evil file there, and then 7 bytes of the private heap and the ebx and edi
> registers were mine.
> [...]
> I would like to avoid public discussion if you need (as I expect) more
> information.

As Dave mentioned, Cygwin is inherently insecure, and, given the fact
that you don't have the problem in recent versions, I don't see a need
to keep it such a secret.  So, here's Dave's question again:  Which is
the vulnerable function?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
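The check/buffer mismatch the advisory describes (a check that rejects names of 240 bytes or more, but a 232-byte heap copy) as an added illustration; this is constructed C, not code from the thread or from Cygwin, and the constant names and the hardened copy routine are assumptions made for the example. It models the original check without performing the unsafe copy, and pairs it with a copy routine that derives its limit from the destination size so the two cannot drift apart.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the mismatch described in the thread: the
 * rejection threshold and the heap buffer size are two unrelated constants.
 * Hypothetical code, not Cygwin's. */
#define REJECT_AT_LEN 240   /* names of this length or longer are rejected */
#define NAME_BUF_SIZE 232   /* but the heap copy only holds this many bytes */

/* Models the original check without performing the copy: returns -1 if the
 * check rejects a name of name_len bytes, otherwise how many bytes the copy
 * would write past the end of the buffer (0 = fits). */
int overflow_bytes(size_t name_len)
{
    if (name_len >= REJECT_AT_LEN)
        return -1;
    return name_len > NAME_BUF_SIZE ? (int)(name_len - NAME_BUF_SIZE) : 0;
}

/* Hardened copy: the limit is derived from the destination size (including
 * the terminating NUL), so the check and the buffer cannot disagree. */
char *copy_name_checked(const char *name, size_t buf_size)
{
    size_t len = strlen(name);
    if (len + 1 > buf_size)          /* does not fit: refuse, do not truncate */
        return NULL;
    char *buf = malloc(buf_size);
    if (buf == NULL)
        return NULL;
    memcpy(buf, name, len + 1);
    return buf;
}

/* Helper: build a constructed name of name_len 'a' characters and report
 * whether copy_name_checked accepts it into a buf_size-byte buffer. */
int checked_copy_accepts(size_t name_len, size_t buf_size)
{
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return 0;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    char *copy = copy_name_checked(name, buf_size);
    int accepted = (copy != NULL);
    free(copy);
    free(name);
    return accepted;
}
```

For the lengths the advisory names, overflow_bytes reports 1 through 7 bytes past the buffer for 233 through 239, while the hardened routine refuses anything that does not fit with its terminator.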

