This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



Re: cygwin1.dll up to 1.5.22 overflow


Dave,

I see it is not as easy as it seemed. I'll try to get more info about the
exploitation and send it to you. Probably I'm forgetting something
relevant.

Regards,

Dave Korn wrote:
> On 13 November 2007 10:45, Dave Korn wrote:
> 
>> On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:
>>
>>> Dave,
>>>>   You didn't answer all our questions yet, specifically which was the
>>>> vulnerable function.  I was hoping to get some feel for whether this could
>>>> be exploited remotely, e.g. by uploading a long file to an ftp server, and
>>>> whether it could be used to increase privilege, by triggering in a cygwin
>>>> service.
>>> The vulnerable command is "touch". We didn't analyze the code, as we
>>> suppose it is easier for you -or the maintainer coder- to locate the
>>> vulnerable function. At least, faster. So, what is the vulnerable
>>> function? I don't know. The vulnerability is easily exploitable, so
>>> you could check it quickly to be sure where the flaw is.
>>   It'll be somewhere in the path handling I'd guess.  I'll roll back my
>> installation a few dll versions and see if I can find it.  (I'm at work, so
>> it'll have to wait for my lunch hour or until I get some spare time at the
>> end of the day).  However, it does sound to me like it would probably be
>> possible to leverage a server into creating such a file and then stat'ing
>> it, so I reckon the answer is most likely 'yes'.     
> 
>   Ok, now I'm confused.  I rebuilt 1.5.21-2 from source, then following your
> instructions from the advisory:
> 
> ------------------------------quote------------------------------
> The following file has to be uploaded, if we use ***REMOVED***, cygwin
> will be bofed and will execute the evil code.
> 
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEE
> EEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX
> YYYY
> ------------------------------quote------------------------------
> 
> 
>   I touched the file, touched it again, ls'd it, stat'd it:
> 
> 
> ------------------------------quote------------------------------
> /tmp/bof $ touch
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> A
> ABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTU
> U
> UUVVVVWWWWXXXXYYYY
> /tmp/bof $ ls
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEE
> FF
> FFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
> /tmp/bof $ touch
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> A
> ABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTU
> U
> UUVVVVWWWWXXXXYYYY
> /tmp/bof $
> /tmp/bof $ ls
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
> B
> BBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUU
> V
> VVVWWWWXXXXYYYY
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEE
> FF
> FFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
> /tmp/bof $ stat
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> A
> BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUU
> U
> UVVVVWWWWXXXXYYYY
>   File:
> `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCC
> CD
> DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWW
> WX
> XXXYYYY'
>   Size: 0               Blocks: 0          IO Block: 1024   regular empty file
> Device: 5c59b377h/1549382519d   Inode: 16607023626505315  Links: 1
> Access: (0644/-rw-r--r--)  Uid: (11165/      dk)   Gid: (10513/Domain Users)
> Access: 2007-11-13 14:57:54.357865000 +0000
> Modify: 2007-11-13 14:57:54.357865000 +0000
> Change: 2007-11-13 14:57:54.357865300 +0000
> /tmp/bof $
> /tmp/bof $ cygcheck -s -v -r 2>&1 | tee  cygcheck.out | grep 'DLL version'
>     Cygwin DLL version info:
>         DLL version: 1.5.21
> /tmp/bof $
> ------------------------------quote------------------------------
> 
>   No sign of any problems.
> 
>   Daniel, do you have stack dumps or any other kind of error report or debug
> trace that shows *where* the error occurs?  Is it possible that there is
> something else involved in the setup where you detected the problem, such as
> anti-virus or anti-spyware that hooks all file open/close calls and is the
> actual source of the crash?
> 
> 
>     cheers,
>       DaveK
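The thread stalls on two questions: Dave could not reproduce a crash by touching and stat'ing the long name by hand, and he asks Daniel for anything that shows *where* an error occurs. The harness below is an added example (not Cygwin's code and not from either poster) that automates exactly that touch/ls/stat sequence on a name of the same shape as the advisory's (a run of 'A' followed by the four-byte marker groups BBBB, CCCC, ... YYYY, so that an offset in a crash dump maps back to a position in the name). It runs the file operations in a forked child so that a fault inside the C library's path handling is reported as the terminating signal rather than taking down the harness, while a clean refusal of the name shows up as the child's errno. It assumes a POSIX host with fork(), mkdtemp() and a writable temp directory (TMPDIR or /tmp); the 255-byte per-component limit it hits at length 300 is the Linux NAME_MAX, which is an assumption about the host, not a statement about Cygwin.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes returned by probe_long_name(). */
enum probe_result {
    PROBE_OK = 0,              /* create + stat succeeded, child exited cleanly */
    PROBE_ERRNO_BASE = 1000,   /* PROBE_ERRNO_BASE + errno: libc refused the name */
    PROBE_SIGNAL_BASE = 2000   /* PROBE_SIGNAL_BASE + signo: child died on a signal */
};

/* Build a name shaped like the advisory's: 'A' padding followed by the marker
 * groups BBBB..YYYY (24 letters x 4 bytes = 96).  For len == 238 this is
 * byte-for-byte the name quoted in the thread (142 A's + markers).  Caller frees. */
char *make_probe_name(size_t len) {
    char *name = malloc(len + 1);
    if (!name) return NULL;
    size_t fill = len > 96 ? len - 96 : 0;
    size_t i = 0;
    for (; i < fill; i++) name[i] = 'A';
    for (char c = 'B'; i < len; c++)
        for (int k = 0; k < 4 && i < len; k++) name[i++] = c;
    name[len] = '\0';
    return name;
}

/* The child's work: the same "touch" then "stat" that was run by hand.
 * Returns 0 on success or the errno of the failing call. */
static int child_work(const char *dir, const char *name) {
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return ENAMETOOLONG;
    int fd = open(path, O_WRONLY | O_CREAT, 0644);   /* touch */
    if (fd < 0) return errno;
    close(fd);
    struct stat st;
    if (stat(path, &st) != 0) return errno;           /* stat */
    unlink(path);
    return 0;
}

/* Probe a name of the given length in a fresh temp directory.  Returns
 * PROBE_OK, PROBE_ERRNO_BASE + errno, or PROBE_SIGNAL_BASE + signal number. */
int probe_long_name(size_t len) {
    const char *base = getenv("TMPDIR");            /* assumption: writable temp dir */
    if (!base || !*base) base = "/tmp";
    char dir[4096];
    snprintf(dir, sizeof dir, "%s/bofprobe.XXXXXX", base);
    if (!mkdtemp(dir)) return PROBE_ERRNO_BASE + errno;

    char *name = make_probe_name(len);
    if (!name) { rmdir(dir); return PROBE_ERRNO_BASE + ENOMEM; }

    int rc, status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(child_work(dir, name) & 0xff);   /* child */
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        rc = PROBE_ERRNO_BASE + errno;
    else if (WIFSIGNALED(status))
        rc = PROBE_SIGNAL_BASE + WTERMSIG(status);       /* a crash, not an error return */
    else if (WEXITSTATUS(status) != 0)
        rc = PROBE_ERRNO_BASE + WEXITSTATUS(status);
    else
        rc = PROBE_OK;

    free(name);
    rmdir(dir);
    return rc;
}

int main(void) {
    size_t lens[] = { 64, 238, 255, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc = probe_long_name(lens[i]);
        if (rc == PROBE_OK)
            printf("len %zu: ok\n", lens[i]);
        else if (rc >= PROBE_SIGNAL_BASE)
            printf("len %zu: child killed by signal %d\n", lens[i], rc - PROBE_SIGNAL_BASE);
        else
            printf("len %zu: refused, %s\n", lens[i], strerror(rc - PROBE_ERRNO_BASE));
    }
    return 0;
}
```

Run it on the build under test and sweep the length: a result in the PROBE_SIGNAL range is the stack-dump-worthy evidence Dave asks for, and the first length at which it appears bounds the buffer size involved, whereas a PROBE_ERRNO result means the path layer rejected the name cleanly, which is the outcome his manual run showed on 1.5.21-2.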

