This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



Re: cygwin1.dll up to 1.5.22 overflow


On Nov 13 10:44, Dave Korn wrote:
> On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:
> 
> > Dave,
> >> 
> >>   You didn't answer all our questions yet, specifically which was the
> >> vulnerable function.  I was hoping to get some feel for whether this could
> >> be exploited remotely, e.g. by uploading a long file to an ftp server, and
> >> whether it could be used to increase privilege, by triggering in a cygwin
> >> service.
> > The vulnerable command is "touch". We didn't analyze the code, as we
> > suppose it is easier for you -or the maintainer coder- to locate the
> > vulnerable function. At least, faster. So, what is the vulnerable
> > function? I don't know. The vulnerability is easily exploitable, so
> > you could check it quickly to be sure where the flaw is.
> 
>   It'll be somewhere in the path handling I'd guess.  I'll roll back my
> installation a few dll versions and see if I can find it.  (I'm at work, so
> it'll have to wait for my lunch hour or until I get some spare time at the end
> of the day).  However, it does sound to me like it would probably be possible
> to leverage a server into creating such a file and then stat'ing it, so I
> reckon the answer is most likely 'yes'.
> 
> 
> >>   BTW, it's not clear from your subject line: cygwin1.dll < 1.5.22, or
> >> cygwin1.dll <= 1.5.22?  Which was the first fixed version?
> > cygwin1.dll <= 1.5.22
> > But I'll check it again.

I'm somewhat mystified.  All our filename buffers are at least
CYG_MAX_PATH in size, which is 260 chars including the trailing \0.
I don't see any filename buffer in Cygwin which would be 232 bytes or
something similar, not even in older code back to 1.5.19.

touch is basically open(), utimes(), close().  Can somebody show me a
filename buffer shorter than CYG_MAX_PATH in this code?  I don't see
this.  I also couldn't crash any Cygwin back to 1.5.21 by running a
touch on a file with a (POSIX or Win32) name length of 233-239
characters.

If somebody can give me a reproducible testcase, I will have another
look into this issue.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
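The check Corinna's message turns on is whether every filename buffer on the touch path (open(), utimes(), close()) is CYG_MAX_PATH bytes and is filled with a length-checked copy. The program below is an added example, not Cygwin code from this thread or from the Cygwin sources: it takes only the value CYG_MAX_PATH = 260 (including the trailing \0) from the message, and the function names (checked_path_copy, copy_result, touch_path) are assumptions for illustration. It shows the bounded copy a fixed-size path buffer needs, returning ENAMETOOLONG instead of writing past the end, and exercises it with the 233-239 character names mentioned above, the exact 259/260 boundary, and the hypothetical 232-byte buffer that a 233-character name would have to overflow.

```c
/* Added example (not Cygwin's code): a length-checked copy into a
 * CYG_MAX_PATH-sized filename buffer, plus a touch built on it.
 * CYG_MAX_PATH = 260 is the value stated in the thread; the function
 * names below are assumptions for illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

#define CYG_MAX_PATH 260   /* from the thread: 260 chars including the trailing \0 */

/* Bounded length scan: looks at most `limit` bytes, so an unterminated
 * src cannot drag the scan past the buffer we are about to fill. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst (dstsize bytes).  Returns 0 on success; returns
 * ENAMETOOLONG and leaves dst untouched when the name plus its NUL does
 * not fit.  This is the guard every fixed-size filename buffer needs. */
int checked_path_copy(char *dst, size_t dstsize, const char *src)
{
    size_t len = bounded_len(src, dstsize);
    if (len >= dstsize)          /* len == dstsize means no room for the \0 */
        return ENAMETOOLONG;
    memcpy(dst, src, len + 1);   /* len + 1 <= dstsize: the \0 is copied too */
    return 0;
}

/* Build a constructed name of exactly n 'a' characters; caller frees. */
char *make_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

/* Result of copying a namelen-character name into a dstsize-byte buffer:
 * 0 if it fits, ENAMETOOLONG if the check refuses it, ENOMEM on alloc
 * failure.  dst is heap-allocated so the buffer size can vary per call. */
int copy_result(size_t dstsize, size_t namelen)
{
    char *dst = malloc(dstsize);
    char *name = make_name(namelen);
    int rc = (dst == NULL || name == NULL) ? ENOMEM
                                           : checked_path_copy(dst, dstsize, name);
    free(name);
    free(dst);
    return rc;
}

/* touch as the thread describes it, open(), utimes(), close(), with the
 * length check applied before the name reaches the fixed buffer.
 * Returns 0 or an errno value. */
int touch_path(const char *name)
{
    char buf[CYG_MAX_PATH];
    int rc = checked_path_copy(buf, sizeof buf, name);
    if (rc != 0)
        return rc;
    int fd = open(buf, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return errno;
    if (utimes(buf, NULL) != 0) {        /* NULL: set both times to now */
        rc = errno;
        close(fd);
        return rc;
    }
    return close(fd) == 0 ? 0 : errno;
}

int main(int argc, char **argv)
{
    /* The lengths the thread mentions (233-239) plus the exact boundary. */
    size_t lengths[] = { 232, 233, 239, 259, 260 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int rc = copy_result(CYG_MAX_PATH, lengths[i]);
        printf("%3zu chars: %s\n", lengths[i],
               rc == 0 ? "fits CYG_MAX_PATH" : strerror(rc));
    }
    /* Optional: actually touch a file named on the command line. */
    if (argc > 1) {
        int rc = touch_path(argv[1]);
        printf("touch %s: %s\n", argv[1], rc == 0 ? "ok" : strerror(rc));
        return rc == 0 ? 0 : 1;
    }
    return 0;
}
```

Run without arguments it only reports which lengths the check accepts; a 259-character name is the longest that fits a 260-byte buffer, and 260 characters is refused because the terminating \0 no longer has room. The 232-byte case shows the failure mode a reporter would be describing: a buffer that short refuses a 233-character name under this guard instead of being overrun, which is why finding such a buffer, rather than a crash alone, is the question Corinna is asking.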

