This is the mail archive of the cygwin-developers mailing list for the Cygwin project.
Re: cygwin1.dll up to 1.5.22 overflow
Dave,
I see it is not as easy as it seemed. I'll try to get more info about the
exploitation and send it to you. Probably I'm forgetting something
relevant.
Regards,
Dave Korn wrote:
> On 13 November 2007 10:45, Dave Korn wrote:
>
>> On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:
>>
>>> Dave,
>>>> You didn't answer all our questions yet, specifically which was the
>>>> vulnerable function. I was hoping to get some feel for whether this could
>>>> be exploited remotely, e.g. by uploading a long file to an ftp server, and
>>>> whether it could be used to increase privilege, by triggering in a cygwin
>>>> service.
>>> The vulnerable command is "touch". We didn't analyze the code, as we
>>> suppose it is easier for you -or the maintainer coder- to locate the
>>> vulnerable function. At least, faster. So, what is the vulnerable
>>> function? I don't know. The vulnerability is easily exploitable, so
>>> you could check it quickly to be sure where the flaw is.
>> It'll be somewhere in the path handling I'd guess. I'll roll back my
>> installation a few dll versions and see if I can find it. (I'm at work, so
>> it'll have to wait for my lunch hour or until I get some spare time at the
>> end of the day). However, it does sound to me like it would probably be
>> possible to leverage a server into creating such a file and then stat'ing
>> it, so I reckon the answer is most likely 'yes'.
>
> Ok, now I'm confused. I rebuilt 1.5.21-2 from source, then following your
> instructions from the advisory:
>
> ------------------------------quote------------------------------
> The following file has to be uploaded, if we use ***REMOVED***, cygwin
> will be bofed and will execute the evil code.
>
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEE
> EEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX
> YYYY
> ------------------------------quote------------------------------
>
>
> I touched the file, touched it again, ls'd it, stat'd it:
>
>
> ------------------------------quote------------------------------
> /tmp/bof $ touch
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> A
> ABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTU
> U
> UUVVVVWWWWXXXXYYYY
> /tmp/bof $ ls
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEE
> FF
> FFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
> /tmp/bof $ touch
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> A
> ABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTU
> U
> UUVVVVWWWWXXXXYYYY
> /tmp/bof $
> /tmp/bof $ ls
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
> B
> BBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUU
> V
> VVVWWWWXXXXYYYY
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEE
> FF
> FFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
> /tmp/bof $ stat
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> A
> BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUU
> U
> UVVVVWWWWXXXXYYYY
> File:
> `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCC
> CD
> DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWW
> WX
> XXXYYYY'
> Size: 0 Blocks: 0 IO Block: 1024 regular empty file
> Device: 5c59b377h/1549382519d Inode: 16607023626505315 Links: 1
> Access: (0644/-rw-r--r--) Uid: (11165/ dk) Gid: (10513/Domain Users)
> Access: 2007-11-13 14:57:54.357865000 +0000
> Modify: 2007-11-13 14:57:54.357865000 +0000
> Change: 2007-11-13 14:57:54.357865300 +0000
> /tmp/bof $
> /tmp/bof $ cygcheck -s -v -r 2>&1 | tee cygcheck.out | grep 'DLL version'
> Cygwin DLL version info:
> DLL version: 1.5.21
> /tmp/bof $
> ------------------------------quote------------------------------
>
> No sign of any problems.
>
> Daniel, do you have stack dumps or any other kind of error report or debug
> trace that shows *where* the error occurs? Is it possible that there is
> something else involved in the setup where you detected the problem, such as
> anti-virus or anti-spyware that hooks all file open/close calls and is the
> actual source of the crash?
>
>
> cheers,
> DaveK
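The touch/ls/stat sequence from the quoted session, as an added POSIX shell harness that is not part of this thread: it rebuilds the advisory's test name (142 leading 'A's followed by BBBB...YYYY, a count taken from the wrapped lines in the quoted session and therefore an assumption), runs each step under the DLL being tested, and records exit statuses and any Cygwin *.stackdump file, which is the evidence DaveK asked for.

```shell
#!/bin/sh
# Added example, not code from the thread or the Cygwin project.

# Build the advisory's pattern: $1 leading 'A's, then BBBBCCCC...YYYY.
make_name() {
  n=$1 a="" i=0 tail=""
  while [ "$i" -lt "$n" ]; do a="${a}A"; i=$((i + 1)); done
  for c in B C D E F G H I J K L M N O P Q R S T U V W X Y; do
    tail="${tail}${c}${c}${c}${c}"
  done
  printf '%s%s' "$a" "$tail"
}

# Run one command on the file and record its exit status instead of
# eyeballing the terminal; a crash shows up as a non-zero status.
run_step() {
  "$@" >/dev/null 2>&1
  rc=$?
  printf '%-5s exit=%d\n' "$1" "$rc"
  return "$rc"
}

# Repeat the session (touch, ls, stat) in a scratch directory. Returns
# non-zero if any step fails; lists any *.stackdump Cygwin left behind
# (on Cygwin a crashing process writes <program>.exe.stackdump).
reproduce() {
  dir=$(mktemp -d) || return 1
  name=$(make_name "$1")
  (
    cd "$dir" || exit 1
    run_step touch "$name" && run_step ls "$name" && run_step stat "$name"
  )
  rc=$?
  ls "$dir"/*.stackdump 2>/dev/null
  rm -rf "$dir"
  return "$rc"
}
```

Run `reproduce 142` in the Cygwin shell under each DLL version you roll back to; a clean run prints three `exit=0` lines and no stackdump.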