lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1B61D11C317448618B7921425B4B3CF0@W340>
Date: Fri, 26 Feb 2016 16:45:00 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: <bugtraq@...urityfocus.com>
Subject: Executable installers are vulnerable^WEVIL (case 27): Cygwin's installers allow arbitrary (remote) code execution WITH escalation of privilege

Hi @ll,

Cygwin's setup-x86.exe loads and executes UXTheme.dll
(on Windows XP also ClbCatQ.dll) and some more DLLs from its
"application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

If UXTheme.dll (or one of the other DLLs) gets planted in the
user's "Downloads" directory per "drive-by download" or "social
engineering" this vulnerability becomes a remote code execution.

If setup-x86.exe is NOT started with --no-admin the vulnerability
results in an escalation of privilege too!


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
   it as UXTheme.dll in your "Downloads" directory, then copy it
   as DWMAPI.dll;

2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

3. download setup-x86.exe and save it in your "Downloads" directory;

4. execute setup-x86.exe from your "Downloads" directory;

5. notice the message boxes displayed from the DLLs placed in step 1
   (and ClbCatQ.dll placed in step 2).

PWNED!

6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
   also as PSAPI.dll and WS2_32.dll);

7. rerun setup-x86.exe from your "Downloads" directory.

DOSSED!

8. turning the denial of service into an arbitrary (remote) code
   execution is trivial: just add the SINGLE entry (PSAPI.dll:
   EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
   referenced from setup-x86.exe to a rogue DLL of your choice.

PWNED again!


See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-12-28    report sent to <security@...win.com>,
              <security@...win.org> and <security@...rceware.org>

BOUNCED

2015-12-28    report sent to <security@...hat.com>

              No answer, not even an acknowledgement of receipt

2016-01-06    report resent to <cygwin@...win.com> and
              <security@...hat.com>

2016-01-07    clueless reply from reader of <cygwin@...win.com>:
              "- cygwin mailing list is public, you violate your
                 own policy;
               - Windows XP is unsupported"

2016-01-07    sent reply to <cygwin@...win.com>:
              - see <https://cygwin.com/lists.html>
                | cygwin: In general, you should send questions and
                |         bug reports here.
              - see RFC 2142: <security@...win.com>,
                <security@...win.org> and <security@...rceware.org>
                all bounce, then read my policy again.
              - Windows Embedded POSReady 2009 is Windows XP SP3
                in disguise and supported until 2019.
              - which part of "UXTheme.dll is loaded (on every version
                of Windows)" is not understood?

<cygwin@...win.com>:
In an effort to cut down on our spam intake, we block email that is
detected as spam by the SpamAssassin program.  Your email was flagged as
spam by that program.  See: http://spamassassin.apache.org/ for more
details.
[...]
Contact cygwin-owner@...win.com if you have questions about this. (#5.7.2)

2016-01-07    sent questions to <cygwin-owner@...win.com>

<cygwin-owner@...win.com>: host sourceware.org[209.132.180.131] said:
    552 spam score exceeded threshold (in reply to end of DATA command)

2016-02-26    report published
              Cygwin is obviously neither interested in communication
              nor willing to fix their vulnerable installer!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ