Hi,
I ran setup.ext to install cygwin in c:\cygwin on a (fairly) fresh
installation of Windows Server 2008. On this server, the permissions of C:\
were set to allow new files to be created in subdirectories by BUILTIN\Users.
The cygwin folder inherited from the default permissions on C:\ the following
ACL:
[C:\cygwin] icacls c:\cygwin
c:\cygwin NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD) <<<<<<< AAAAAAAARGH!
BUILTIN\Users:(I)(CI)(WD) <<<<<<< AAAAAAAARGH!
ZEROTOOL\Administrator:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
This allows ANY member of BUILTIN/Users, including nt authority\network
service to create files. I can pwn the box from IIS by writing content to
these files -- and not much creativity is needed to think of many more:
c:/cygwin/home/Administrator/.ssh/authorized_keys
c:/cygwin/home/Administrator/.bashrc
c:/cygwin/home/Administrator/.bash_logout
c:/cygwin/home/Administrator/.bash_profile
c:/cygwin/home/Administrator/.vimrc
This permission was default on the system - it seems to be there on Windows
2003 as well, and maybe before that. Folders like c:\windows and c:\inetpub
have explicit permissions for builtin/users. Perhaps this is some kind of
secret best practice that cygwin is missing out on? If not, it's merely a
series of unfortunate events that adds up to a privilege escalation
vulnerability, and you really should understand windows ACL's before running
cygwin.
Feature request: The cygwin installer should set permissions on c:\cygwin to
be the same as %windir%, and not trust the operating system to do the "right
thing".
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
