This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

report security problem


fhandler_console::create_invisible_console_workaround in
newlib-cygwin\winsup\cygwin\fhandler_console.cc will call CreateProcessW to
create a new hidden process. According to CreateProcessW documention:

The lpApplicationName parameter can be NULL. In that case, the module name
must be the first white space–delimited token in the lpCommandLine string.
If you are using a long file name that contains a space, use quoted strings
to indicate where the file name ends and the arguments begin; otherwise,
the file name is ambiguous. For example, consider the string "c:\program
files\sub dir\program name". This string can be interpreted in a number of
ways. The system tries to interpret the possibilities in the following
order:
c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
c:\program files\sub dir\program name.exe

Unfortunately fhandler_console::create_invisible_console_workaround did not
use quote. This problem can be triggered by many ways since
the component was used by other softwares. I can confirm it can at least be
triggered by git(https://git-scm.com/download/win). Just create program.exe
and put it to C:\problem.exe, git-bash.exe creates process mintty.exe,
mintty.exe loads msys-2.0.dll which contains the vulnerable code and
program.exe get executed(I will inform git too).

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]