cygwin1.dll up to 1.5.22 overflow
Tue Nov 13 10:45:00 GMT 2007
On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:
>> You didn't answer all our questions yet, specifically which was the
>> vulnerable function. I was hoping to get some feel for whether this could
>> be exploited remotely, e.g. by uploading a long file to an ftp server, and
>> whether it could be used to increase privilege, by triggering in a cygwin
> The vulnerable command is "touch". We didn't analyze the code, as we
> suppose is easier for you -or the maintainer coder- to locate the
> vulnerable function. At least, faster. So, what is the vulnerable
> function? I don't know. The vulnerability is easly exploitable, so,
> you could check it fastly to be sure where is the flaw.
It'll be somewhere in the path handling I'd guess. I'll roll back my
installation a few dll versions and see if I can find it. (I'm at work, so
it'll have to wait for my lunch hour or until I get some spare time at the end
of the day). However, it does sound to me like it would probably be possible
to leverage a server into creating such a file and then stat'ing it, so I
reckon the answer is most likely 'yes'.
>> BTW, it's not clear from your subject line: cygwin1.dll < 1.5.22, or
>> cygwin1.dll <= 1.5.22? Which was the first fixed version?
> cygwin1.dll <= 1.5.22
> But I'll check it again.
Can't think of a witty .sigline today....
More information about the Cygwin-developers