This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



RE: cygwin1.dll up to 1.5.22 overflow


On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:

> Dave,
>> 
>>   You didn't answer all our questions yet, specifically which was the
>> vulnerable function.  I was hoping to get some feel for whether this could
>> be exploited remotely, e.g. by uploading a long file to an ftp server, and
>> whether it could be used to increase privilege, by triggering in a cygwin
>> service.
> The vulnerable command is "touch". We didn't analyze the code, as we
> suppose it is easier for you -or the maintainer coder- to locate the
> vulnerable function. At least, faster. So, what is the vulnerable
> function? I don't know. The vulnerability is easily exploitable, so
> you could check it quickly to be sure where the flaw is.

  It'll be somewhere in the path handling I'd guess.  I'll roll back my
installation a few dll versions and see if I can find it.  (I'm at work, so
it'll have to wait for my lunch hour or until I get some spare time at the end
of the day).  However, it does sound to me like it would probably be possible
to leverage a server into creating such a file and then stat'ing it, so I
reckon the answer is most likely 'yes'.


>>   BTW, it's not clear from your subject line: cygwin1.dll < 1.5.22, or
>> cygwin1.dll <= 1.5.22?  Which was the first fixed version?
> cygwin1.dll <= 1.5.22
> But I'll check it again.

  Thanks.


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
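The report above names only the trigger ("touch" on a long file name) and not the faulty function, and Dave's plan is to roll back DLL versions and look at the path handling. The harness below is an added example, not code from this thread or from the Cygwin project: it runs a shell snippet against generated file names of increasing byte length in a scratch directory and classifies each run as ok, refused (the tool exited non-zero without a signal, e.g. ENAMETOOLONG) or crashed (exit status 128 + signal number), which pins the length at which a reported overflow fires before anyone reads source. It assumes a POSIX sh, mktemp and awk; the length ladder and the snippet/argument convention are the example's own choices.

```shell
#!/bin/sh
# Added triage harness, not code from the thread or from Cygwin.
# Assumptions: POSIX sh, mktemp, awk; a crash is recognised as a signal
# exit status (128 + signal number), anything else non-zero as "refused".

# probe_len SNIPPET LEN
#   SNIPPET is sh code that receives the generated filename as $1.
#   Prints one of: ok, refused, crashed.
probe_len() {
    snippet=$1
    len=$2
    dir=$(mktemp -d) || return 2
    # Build a LEN-byte name of 'A's portably (no reliance on GNU head/tr).
    name=$(awk -v n="$len" 'BEGIN { while (length(s) < n) s = s "A"; print s }')
    # Run in a subshell so a crash of the tool is reported as its exit status.
    if ( cd "$dir" && sh -c "$snippet" probe "$name" ) >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$dir"
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -ge 128 ]; then
        echo crashed
    else
        echo refused
    fi
}

# sweep SNIPPET: walk a ladder of lengths and stop at the first non-ok result.
# Prints "len=N -> result" per step and, on a non-ok result, the length alone
# as the last line; returns 1 if every length was ok.
sweep() {
    snippet=$1
    for len in 16 64 200 255 256 1024 4096 32768; do
        result=$(probe_len "$snippet" "$len")
        echo "len=$len -> $result"
        if [ "$result" != ok ]; then
            echo "$len"
            return 0
        fi
    done
    return 1
}

# Usage for the case in the report: on an affected cygwin1.dll a 'crashed'
# line is what to look for; on a healthy system the sweep ends in 'refused'
# once the name exceeds the filesystem's NAME_MAX.
#   sweep 'touch "$1"'
```

Because the snippet is arbitrary sh, the same harness probes other path consumers from the same DLL (a `stat`-style check via `ls -l "$1"`, or `mkdir "$1"`) without changes, which is the quickest way to tell whether the flaw is specific to touch or sits in shared path handling as Dave guesses.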

