This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



RE: cygwin1.dll up to 1.5.22 overflow


On 13 November 2007 10:45, Dave Korn wrote:

> On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:
> 
>> Dave,
>>> 
>>>   You didn't answer all our questions yet, specifically which was the
>>> vulnerable function.  I was hoping to get some feel for whether this could
>>> be exploited remotely, e.g. by uploading a long file to an ftp server, and
>>> whether it could be used to increase privilege, by triggering in a cygwin
>>> service.
>> The vulnerable command is "touch". We didn't analyze the code, as we
>> suppose it is easier for you (or the maintainer coder) to locate the
>> vulnerable function; at least, faster. So, what is the vulnerable
>> function? I don't know. The vulnerability is easily exploitable, so
>> you could check it quickly to be sure where the flaw is.
> 
>   It'll be somewhere in the path handling I'd guess.  I'll roll back my
> installation a few dll versions and see if I can find it.  (I'm at work, so
> it'll have to wait for my lunch hour or until I get some spare time at the
> end of the day).  However, it does sound to me like it would probably be
> possible to leverage a server into creating such a file and then stat'ing
> it, so I reckon the answer is most likely 'yes'.     

  Ok, now I'm confused.  I rebuilt 1.5.21-2 from source, then following your
instructions from the advisory:

------------------------------quote------------------------------
The following file has to be uploaded, if we use ***REMOVED***, cygwin
will be bofed and will execute the evil code.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEE
EEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX
YYYY
------------------------------quote------------------------------


  I touched the file, touched it again, ls'd it, stat'd it:


------------------------------quote------------------------------
/tmp/bof $ touch AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
/tmp/bof $ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
/tmp/bof $ touch AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
/tmp/bof $
/tmp/bof $ ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
/tmp/bof $ stat AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
  File: `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY'
  Size: 0               Blocks: 0          IO Block: 1024   regular empty file
Device: 5c59b377h/1549382519d   Inode: 16607023626505315  Links: 1
Access: (0644/-rw-r--r--)  Uid: (11165/      dk)   Gid: (10513/Domain Users)
Access: 2007-11-13 14:57:54.357865000 +0000
Modify: 2007-11-13 14:57:54.357865000 +0000
Change: 2007-11-13 14:57:54.357865300 +0000
/tmp/bof $
/tmp/bof $ cygcheck -s -v -r 2>&1 | tee  cygcheck.out | grep 'DLL version'
    Cygwin DLL version info:
        DLL version: 1.5.21
/tmp/bof $
------------------------------quote------------------------------

  No sign of any problems.

  Daniel, do you have stack dumps or any other kind of error report or debug
trace that shows *where* the error occurs?  Is it possible that there is
something else involved in the setup where you detected the problem, such as
anti-virus or anti-spyware that hooks all file open/close calls and is the
actual source of the crash?


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
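An added reproduction harness for the sequence tried above, written for this page and not taken from the thread or from Cygwin itself: it rebuilds the advisory's file name from its visible pattern (142 leading A's, as counted from the wrapped lines, followed by the 24 four-byte marker groups BBBB through YYYY, 238 bytes in all), runs the same touch, touch, ls, stat sequence in a scratch directory, and maps a marker value seen in a crashed register (for example 0x43434343, "CCCC") back to its byte offset in the name, which is what such a pattern is for. It assumes a POSIX shell with touch, ls and stat on PATH, and relies on Cygwin writing a `<program>.exe.stackdump` file in the current directory when a program faults, which is the kind of evidence asked for above; the `A_COUNT`, `build_name`, `marker_at_offset`, `offset_of_marker` and `repro` names are this example's own.

```shell
#!/bin/sh
# Added reproduction harness (not from the thread, not Cygwin code).
# Rebuilds the advisory's file name from its visible pattern, runs the same
# touch / ls / stat sequence shown in the transcript, and reports any crash
# evidence left behind.

A_COUNT=142     # leading 'A's, as counted from the wrapped advisory text
MARKERS="B C D E F G H I J K L M N O P Q R S T U V W X Y"   # 24 four-byte groups

# Print the 238-byte name: 142 x 'A' followed by BBBBCCCC...YYYY.
build_name() {
    n=0
    s=""
    while [ "$n" -lt "$A_COUNT" ]; do
        s="${s}A"
        n=$((n + 1))
    done
    for m in $MARKERS; do
        s="${s}${m}${m}${m}${m}"
    done
    printf '%s\n' "$s"
}

# Which marker letter sits at 0-based byte offset $1 of the name.  A crashed
# register holding 0x43434343 ("CCCC") therefore points at offset 146.
marker_at_offset() {
    off=$1
    if [ "$off" -lt "$A_COUNT" ]; then
        echo A
        return
    fi
    code=$(( 66 + (off - A_COUNT) / 4 ))      # 66 is ASCII 'B'
    printf "\\$(printf '%03o' "$code")\n"     # octal escape -> the letter
}

# Inverse: first byte offset of marker letter $1 (for example C -> 146).
offset_of_marker() {
    code=$(printf '%d' "'$1")                 # POSIX printf: "'C" -> 67
    echo $(( A_COUNT + (code - 66) * 4 ))
}

# Run the transcript's sequence in a scratch directory.  Returns 0 if every
# command exits cleanly and no Cygwin <prog>.exe.stackdump file appears,
# 1 otherwise (with a one-line reason printed).
repro() {
    name=$(build_name)
    dir=$(mktemp -d) || return 1
    if (
        cd "$dir" || exit 1
        rc=0
        for cmd in touch touch ls stat; do
            command -v "$cmd" >/dev/null 2>&1 || continue
            "$cmd" -- "$name" >/dev/null 2>&1 || { echo "$cmd exited $?"; rc=1; }
        done
        # Cygwin drops <program>.exe.stackdump in the cwd on an unhandled fault.
        for dump in ./*.stackdump; do
            [ -e "$dump" ] && { echo "crash evidence: $dump"; rc=1; }
        done
        exit "$rc"
    ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}
```

Run `repro` under the Cygwin DLL version being tested; a clean return with no `.stackdump` file is the same negative result reported above, while a dump naming a faulting address made of a marker byte can be turned back into a name offset with `offset_of_marker`.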

