This is the mail archive of the mailing list for the Cygwin project.
Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
- From: "Stefan Kanthak" <stefan dot kanthak at nexgo dot de>
- To: <cygwin at cygwin dot com>, <cygwin at cygwin dot org>
- Cc: <security at redhat dot com>
- Date: Wed, 6 Jan 2016 15:17:30 +0100
- Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
Second and last chance!
----- Original Message -----
From: "Stefan Kanthak" <firstname.lastname@example.org>
Sent: Monday, December 28, 2015 4:23 AM
Subject: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
> Cygwin's setup-x86.exe loads and executes UXTheme.dll
> (on Windows XP also ClbCatQ.dll) and more from its
> "application directory".
> For software downloaded with a web browser the application
> directory is typically the user's "Downloads" directory: see
> and <http://seclists.org/fulldisclosure/2012/Aug/134>
> If UXTheme.dll (or one of the other DLLs) gets planted in
> the user's "Downloads" directory per "drive-by download" or
> "social engineering" this vulnerability becomes a remote code
> If setup-x86.exe is NOT started with --no-admin the vulnerability
> results in an escalation of privilege too!
> Proof of concept/demonstration:
> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
> it as UXTheme.dll in your "Downloads" directory;
> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;
> 3. download setup-x86.exe and save it in your "Downloads" directory;
> 4. execute setup-x86.exe from your "Downloads" directory;
> 5. notice the message boxes displayed from UXTheme.dll placed in
> step 1 (and ClbCatQ.dll placed in step 2).
> 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
> also as PSAPI.dll and WS2_32.dll);
> 7. rerun setup-x86.exe from your "Downloads" directory.
> 8. turning the denial of service into an arbitrary (remote) code
> execution is trivial: just add the SINGLE entry (PSAPI.dll:
> EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
> referenced from setup-x86.exe to a rogue DLL of your choice.
> PWNED again!
> See <http://seclists.org/fulldisclosure/2015/Nov/101>,
> <http://seclists.org/fulldisclosure/2015/Dec/86> and
> <http://seclists.org/fulldisclosure/2015/Dec/121> plus
> <http://home.arcor.de/skanthak/!execute.html> and
> <http://home.arcor.de/skanthak/sentinel.html> for details about
> this well-known and well-documented BEGINNER'S error!
> Then dump your vulnerable executable installer and provide a SAFE
> installer instead: either .MSI or .INF (plus .CAB).
> I'll publish in 45 days.
> See <http://home.arcor.de/skanthak/policy.html> and return the
> CVE identifier assigned for this vulnerability to me!
> Stefan Kanthak
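As an added example (not code from the original post or from the Cygwin project), the following Python models the default Windows DLL search order the report relies on and flags which of setup-x86.exe's imports a file planted in "Downloads" would satisfy; the directory listings, the KnownDLLs subset and the user name are constructed assumptions.

```python
# Added example, not code from the original post or the Cygwin project: a model
# of Windows' default DLL search order used to triage which imports of an
# executable saved to "Downloads" a planted DLL would satisfy. Data is constructed.

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# Constructed subset of the KnownDLLs registry list; modules on it are always
# mapped from the system directory, so a copy next to the executable is ignored.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll",
              "ole32.dll", "shell32.dll", "comctl32.dll"}

def search_order(app_dir, cwd, path_dirs):
    """SafeDllSearchMode order (the default since Windows XP SP2): the
    directory holding the executable is searched before the system ones."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + list(path_dirs)

def resolve(dll, app_dir, cwd, path_dirs, listing):
    """Directory from which `dll` would be loaded, or None if not found.
    `listing` maps a directory to the lowercase file names it contains.
    Not modelled: modules already loaded in the process, and API sets."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32
    for directory in search_order(app_dir, cwd, path_dirs):
        if name in listing.get(directory, set()):
            return directory
    return None

def planted(imports, app_dir, cwd, path_dirs, listing):
    """Imports satisfied from outside the system directories: the DLLs an
    attacker-controlled file in the application (or current) directory
    replaces. Run elevated, such a DLL runs with those privileges too."""
    trusted = {SYSTEM32, SYSTEM16, WINDIR}
    hits = {}
    for dll in imports:
        where = resolve(dll, app_dir, cwd, path_dirs, listing)
        if where is not None and where not in trusted:
            hits[dll] = where
    return hits

# Constructed scenario from the report: setup-x86.exe saved to "Downloads"
# next to a planted UXTheme.dll (and a planted kernel32.dll, which is ignored).
DOWNLOADS = r"C:\Users\alice\Downloads"
LISTING = {DOWNLOADS: {"setup-x86.exe", "uxtheme.dll", "kernel32.dll"},
           SYSTEM32: {"kernel32.dll", "user32.dll", "uxtheme.dll",
                      "wsock32.dll", "ws2_32.dll", "psapi.dll"}}
IMPORTS = ["KERNEL32.dll", "USER32.dll", "UXTheme.dll", "WSock32.dll",
           "WS2_32.dll", "PSAPI.dll"]
```

Calling `planted(IMPORTS, DOWNLOADS, DOWNLOADS, [], LISTING)` reports only UXTheme.dll as loaded from Downloads; the planted kernel32.dll is ignored because it is a KnownDLL, and WSock32.dll, WS2_32.dll and PSAPI.dll would only be affected once a copy is placed next to the installer.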