MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe
Brian Inglis
Brian.Inglis@SystematicSW.ab.ca
Wed Feb 7 04:53:47 GMT 2024
On 2024-02-06 15:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>>
>> The vulnerability pertains to not finding
>> the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll,
>> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
>> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
>> specifically profapi.dll. If exploited, this vulnerability could allow an
>> attacker to execute arbitrary code on a victim's machine, potentially
>> leading to data breaches, system compromise, and other malicious activities.
>
> By what means is setup.exe probing these DLLs?
>
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).
>
> If these DLLs being missing doesn't stop the program from running,
> doesn't that mean it's just probing for them with LoadLibrary or
> LoadLibraryEx explicitly, and then handling the failure gracefully?
>
> Setup itself doesn't use LoadLibrary or LoadLibraryEx.
>
> The MinGW toolchain must be introducing that somehow?
>
> It is curious.
Could be any one of the proprietary DLLs pulled into Cygwin Setup:
$ upx -dqqqot ~/mirror/x86_64/setup-x86_64.exe
$ grep -ao '%%%\ssetup-version\s[0-9]\+\.[0-9]\+' t
%%% setup-version 2.929
$ cygcheck ./t
...\t
C:\WINDOWS\system32\KERNEL32.DLL
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\KERNELBASE.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\SECHOST.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\win32u.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\combase.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\msvcp_win.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2_32.dll
OP:
Which version and date of setup-x86_64.exe are you checking?
Do you have any A/V or EPP installed on your system which could be injecting
these interlopers into the call chain?
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte non pas lorsqu'il n'y a plus rien à ajouter mais lorsqu'il n'y a plus rien à retirer
Perfection is achieved not when there is no more to add but when there is no more to cut
-- Antoine de Saint-Exupéry
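Kaz asks by what means setup.exe probes the reported DLLs, and Brian's cygcheck listing shows only the load-time import chain. The following added example (not code from this thread or from the Cygwin project) parses a PE import directory directly so the same question can be answered for any binary: which of the DLLs named in a report are static imports of the executable itself, and which are therefore being loaded at run time by a system DLL it depends on or by something injected into the process. The `build_sample_pe` helper constructs a synthetic PE32+ image so the script runs offline; the DLL names it embeds and the `reported` list are assumed for illustration.

```python
import struct

def _rva_to_offset(rva, sections):  # map an RVA onto a file offset via the section table
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} outside all sections")

def imported_dlls(pe: bytes) -> list[str]:
    """DLL names in the PE import directory, i.e. static (load-time) imports."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4          # e_lfanew, then skip "PE\0\0"
    if pe[:2] != b"MZ" or pe[coff - 4:coff] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96) + 8            # DataDirectory[1]: imports (PE32+ / PE32)
    imp_rva = struct.unpack_from("<I", pe, dd)[0]
    sections = []
    for i in range(nsec):                                     # section headers follow the optional header
        vsize, va, rsize, raw = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))
    if not imp_rva:                                           # no import directory at all
        return []
    names, desc = [], _rva_to_offset(imp_rva, sections)
    while name_rva := struct.unpack_from("<I", pe, desc + 12)[0]:  # IMAGE_IMPORT_DESCRIPTOR.Name; 0 ends list
        off = _rva_to_offset(name_rva, sections)
        names.append(pe[off:pe.index(b"\0", off)].decode("ascii"))
        desc += 20
    return names

def static_import_hits(pe: bytes, reported: list[str]) -> list[str]:
    """Which reported DLLs are static imports? Anything absent here is loaded at run time by someone else."""
    imports = {n.lower() for n in imported_dlls(pe)}
    return sorted(d for d in reported if d.lower() in imports)

def build_sample_pe(dlls: list[str]) -> bytes:
    """Constructed minimal PE32+ with one .idata section, so the parser can be exercised offline."""
    va, raw = 0x1000, 0x200
    descs, blob = b"", b""
    for d in dlls:                                            # one 20-byte descriptor per DLL, names after the list
        descs += struct.pack("<5I", 0, 0, 0, va + 20 * (len(dlls) + 1) + len(blob), 0)
        blob += d.encode() + b"\0"
    data = descs + b"\0" * 20 + blob                          # zero descriptor terminates the table
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 120, va, len(descs) + 20)
    sec = struct.pack("<8s4I", b".idata", len(data), va, len(data), raw) + b"\0" * 16
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw, b"\0") + data
```

Run against a real `setup-x86_64.exe` (after `upx -d`, as in the thread) with `static_import_hits(open(path, "rb").read(), reported)`; an empty result for the reported names means the probing comes from a dependency or an injected module, not from Setup's own import table.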