MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe

Kaz Kylheku
Tue Feb 6 22:10:39 GMT 2024

On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote: 
> 1. Executive Summary:
> The vulnerability pertains to not finding
> the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll,
> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
> specifically profapi.dll. If exploited, this vulnerability could allow an
> attacker to execute arbitrary code on a victim's machine, potentially
> leading to data breaches, system compromise, and other malicious activities.

By what means is setup.exe probing these DLLs?

I don't see any references to profapi.dll in its source tree
(git grep -i profapi turns up nothing).

If these DLLs being missing doesn't stop the program from running,
doesn't that mean it's just probing for them with LoadLibrary or
LoadLibraryEx explicitly, and then handling the failure gracefully?

Setup itself doesn't use LoadLibrary or LoadLibraryEx.

The MinGW toolchain must be introducing that somehow?

It is curious.
