cygwin1.dll up to 1.5.22 overflow

Dave Korn
Tue Nov 13 10:45:00 GMT 2007

On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:

> Dave,
>>   You didn't answer all our questions yet, specifically which was the
>> vulnerable function.  I was hoping to get some feel for whether this could
>> be exploited remotely, e.g. by uploading a long file to an ftp server, and
>> whether it could be used to increase privilege, by triggering in a cygwin
>> service.
> The vulnerable command is "touch". We didn't analyze the code, as we
> suppose it is easier for you -or the maintainer coder- to locate the
> vulnerable function. At least, faster. So, what is the vulnerable
> function? I don't know. The vulnerability is easily exploitable, so
> you could check it quickly to be sure where the flaw is.

  It'll be somewhere in the path handling I'd guess.  I'll roll back my
installation a few dll versions and see if I can find it.  (I'm at work, so
it'll have to wait for my lunch hour or until I get some spare time at the end
of the day).  However, it does sound to me like it would probably be possible
to leverage a server into creating such a file and then stat'ing it, so I
reckon the answer is most likely 'yes'.

>>   BTW, it's not clear from your subject line: cygwin1.dll < 1.5.22, or
>> cygwin1.dll <= 1.5.22?  Which was the first fixed version?
> cygwin1.dll <= 1.5.22
> But I'll check it again.


Can't think of a witty .sigline today....
