Second and last chance! See <http://home.arcor.de/skanthak/policy.html>
----- Original Message ----- From: "Stefan Kanthak" <stefan.kant...@nexgo.de> To: <secur...@cygwin.org> Cc: <secur...@redhat.com> Sent: Monday, December 28, 2015 4:23 AM Subject: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory > Hi, > > Cygwin's setup-x86.exe loads and executes UXTheme.dll > (on Windows XP also ClbCatQ.dll) and more from its > "application directory". > > For software downloaded with a web browser the application > directory is typically the user's "Downloads" directory: see > <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, > <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> > and <http://seclists.org/fulldisclosure/2012/Aug/134> > > If UXTheme.dll (or one of the other DLLs) gets planted in > the user's "Downloads" directory per "drive-by download" or > "social engineering" this vulnerability becomes a remote code > execution. > > If setup-x86.exe is NOT started with --no-admin the vulnerability > results in an escalation of privilege too! > > > Proof of concept/demonstration: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download > <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save > it as UXTheme.dll in your "Downloads" directory; > > 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll; > > 3. download setup-x86.exe and save it in your "Downloads" directory; > > 4. execute setup-x86.exe from your "Downloads" directory; > > 5. notice the message boxes displayed from UXTheme.dll placed in > step 1 (and ClbCatQ.dll placed in step 2). > > PWNED! > > 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP > also as PSAPI.dll and WS2_32.dll); > > 7. rerun setup-x86.exe from your "Downloads" directory. > > DOSSED! > > 8. turning the denial of service into an arbitrary (remote) code > execution is trivial: just add the SINGLE entry (PSAPI.dll: > EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21) > referenced from setup-x86.exe to a rogue DLL of your choice. > > PWNED again! > > > See <http://seclists.org/fulldisclosure/2015/Nov/101>, > <http://seclists.org/fulldisclosure/2015/Dec/86> and > <http://seclists.org/fulldisclosure/2015/Dec/121> plus > <http://home.arcor.de/skanthak/!execute.html> and > <http://home.arcor.de/skanthak/sentinel.html> for details about > this well-known and well-documented BEGINNER'S error! > > > Then dump your vulnerable executable installer and provide a SAFE > installer instead: either .MSI or .INF (plus .CAB). > > > I'll publish in 45 days. > See <http://home.arcor.de/skanthak/policy.html> and return the > CVE identifier assigned for this vulnerability to me! > > > regards > Stefan Kanthak -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
