Cygwin main function: vulnerable to wchar_t to char conversion attacks or not?

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Jan 13 14:36:19 GMT 2025


On Jan 10 13:52, Kaz Kylheku via Cygwin wrote:
> On 2025-01-09 23:52, Marco Atzeri wrote:
> > On 10/01/2025 08:33, Andrey Repin via Cygwin wrote:
> >> Greetings, Kaz Kylheku!
> >>
> >>> Hi all,
> >>
> >>> I'm reading an article on attacks that are evidently possible against some Windows
> >>> programs in the area of command line parsing. See below.
> >>
> >>> Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
> >>> line that is parsed into argv[]?
> >>
> >> You can answer this question yourself. The code is open.
> > 
> > Specifically on https://cygwin.com/git/newlib-cygwin.git
> > 
> > /pub/Cygwin/git/newlib-cygwin
> > $ grep -rH GetCommandLineA .
> > ./winsup/CVSChangeLogs.old/cygwin/ChangeLog-2013: (cygwin_GetCommandLineA): Ditto.
> > ./winsup/cygwin/cygwin.din:GetCommandLineA@0 = cygwin_GetCommandLineA@0 NOSIGFE
> > ./winsup/cygwin/include/cygwin/version.h:  268: Export GetCommandLineA, GetCommandLineW
> > ./winsup/cygwin/kernel32.cc:/* Cygwin replacement for GetCommandLineA. Returns a concatenated string
> > ./winsup/cygwin/kernel32.cc:cygwin_GetCommandLineA (void)
> 
> I see that the kernel32.cc function uses RtlUnicodeStringToAnsiString.
> 
> The article I linked to mentions this specific function. The function does the
> "BestFit" thing, converting Unicode characters to ASCII pseudo-equivalents.
> 
> If Cygwin relies on this function for converting the process command line
> into main() arguments, it is likely susceptible to argument injection.

Yeah, but it doesn't.  This is just a wrapper function for external
apps.  See function dll_crt0_1() in dcrt0.cc for the real deal.


Corinna
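
Added example, not part of the thread and not Cygwin's code: a lossless UTF-16 to UTF-8 conversion, as a contrast to the best-fit conversion discussed above. It shows that a non-ASCII lookalike never becomes an ASCII byte that an argv parser would act on. The names `utf16_to_utf8` and `count_byte` are hypothetical, and the sample command line is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Lossless UTF-16 -> UTF-8, no best-fit folding.  Returns bytes written (excl. NUL),
   or -1 on a lone surrogate or short buffer: it fails closed, never substitutes. */
long utf16_to_utf8(const uint16_t *in, size_t n, unsigned char *out, size_t cap)
{
    /* Lead-byte prefix by sequence length; a 1-byte sequence is plain ASCII. */
    static const unsigned char lead[5] = {0, 0, 0xC0, 0xE0, 0xF0};
    size_t o = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate */
            if (i + 1 >= n || in[i + 1] < 0xDC00 || in[i + 1] > 0xDFFF)
                return -1;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (in[++i] - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                  /* lone low surrogate */
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need >= cap)                            /* keep room for NUL */
            return -1;
        out[o++] = (unsigned char)(lead[need] | (cp >> (6 * (need - 1))));
        for (size_t k = need - 1; k-- > 0; )            /* continuation bytes, all >= 0x80 */
            out[o++] = (unsigned char)(0x80 | ((cp >> (6 * k)) & 0x3F));
    }
    out[o] = 0;
    return (long)o;
}

/* Count one byte value, e.g. the ASCII quote that argv splitting reacts to. */
size_t count_byte(const unsigned char *s, size_t n, unsigned char b)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += (s[i] == b);
    return c;
}

int main(void)
{
    /* Constructed sample: 'a', space, U+FF02 (a non-ASCII quote lookalike), 'b' */
    const uint16_t cmd[] = {'a', ' ', 0xFF02, 'b'};
    unsigned char buf[32];
    long len = utf16_to_utf8(cmd, 4, buf, sizeof buf);
    return (len == 6 && count_byte(buf, (size_t)len, '"') == 0) ? 0 : 1;
}
```

Every byte of a multi-byte UTF-8 sequence is 0x80 or above, so the number of ASCII quote bytes in the output always equals the number of real U+0022 characters in the input.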

