On 2024-02-06 15:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>> The vulnerability pertains to not finding
>> the profapi.dll, CFGMGR32.dll, edputil.dll, urlmon.dll, SspiCli.dll,
>> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
>> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
>> specifically profapi.dll. If exploited, this vulnerability could allow an
>> attacker to execute arbitrary code on a victim's machine, potentially
>> leading to data breaches, system compromise, and other malicious activities.
> By what means is setup.exe probing these DLLs?
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).
> If these DLLs being missing doesn't stop the program from running,
> doesn't that mean it's just probing for them with LoadLibrary or
> LoadLibraryEx explicitly, and then handling the failure gracefully?
> Setup itself doesn't use LoadLibrary or LoadLibraryEx.
> The MinGW toolchain must be introducing that somehow?
> It is curious.
Could be any one of the proprietary DLLs pulled into Cygwin Setup:
$ upx -dqqqot ~/mirror/x86_64/setup-x86_64.exe
$ grep -ao '%%%\ssetup-version\s[0-9]\+\.[0-9]\+' t
%%% setup-version 2.929
$ cygcheck ./t
...\t
C:\WINDOWS\system32\KERNEL32.DLL
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\KERNELBASE.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\SECHOST.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\win32u.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\combase.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\msvcp_win.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2_32.dll
OP:
Which version and date of setup-x86_64.exe are you checking?
Do you have any A/V or EPP installed on your system which could be injecting
these interlopers into the call chain?
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
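The cygcheck listing above shows where the Windows loader actually resolved each dependency from. The defender's question that follows from it is whether any module was picked up from somewhere other than the Windows system directories, for example the download folder next to setup.exe or a third-party hook library. The script below is an added example, not code from the thread or from the Cygwin project: it parses a cygcheck-style listing and reports every DLL that was not resolved from a system directory, splitting those into "came from the executable's own directory" and "came from elsewhere". The sample listing is constructed: it takes part of the thread's cygcheck output and adds two invented lines (a CRYPTBASE.DLL in the download folder and a made-up hook64.dll) so that both findings categories appear; the trusted-directory list and the exe path are assumptions.

```python
"""Audit a cygcheck dependency listing for DLLs that were resolved outside
the Windows system directories.  A DLL loaded from the application's own
directory or from an unexpected path is what a search-order hijack or an
injected third-party module looks like in this output."""
from __future__ import annotations

import ntpath  # Windows path semantics, so this runs on any host
import re

# Assumption: directories from which OS DLLs are expected to be resolved.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed sample: a subset of the thread's cygcheck output, with a
# constructed exe path on the first line and two invented entries
# (CRYPTBASE.DLL in the download folder, hook64.dll under a made-up
# "ExampleEPP" product directory) to exercise both findings categories.
SAMPLE_CYGCHECK = r"""
C:\Users\example\Downloads\t
  C:\WINDOWS\system32\KERNEL32.DLL
    C:\WINDOWS\system32\ntdll.dll
    C:\WINDOWS\system32\KERNELBASE.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\Users\example\Downloads\CRYPTBASE.DLL
  C:\Program Files\ExampleEPP\hook64.dll
  C:\WINDOWS\system32\WS2_32.dll
"""

_PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_cygcheck(text: str) -> list[str]:
    """Return the absolute paths from a cygcheck listing, in order.

    cygcheck indents nested dependencies; the indentation is ignored here
    because the audit only cares about where each module came from.
    """
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line and _PATH_LINE.match(line):
            paths.append(line)
    return paths


def is_system_path(path: str) -> bool:
    """True if the path lies under one of the trusted system directories."""
    low = path.lower()
    return any(low.startswith(d + "\\") for d in TRUSTED_DIRS)


def audit(text: str) -> dict[str, list[str]]:
    """Classify every dependency in the listing.

    The first path in cygcheck output is the executable being checked; its
    directory is the one a search-order hijack would plant a DLL in.
    """
    paths = parse_cygcheck(text)
    if not paths:
        return {"app_dir": [], "other": []}
    exe_dir = ntpath.dirname(paths[0]).lower()
    findings: dict[str, list[str]] = {"app_dir": [], "other": []}
    for dll in paths[1:]:
        if is_system_path(dll):
            continue
        if ntpath.dirname(dll).lower() == exe_dir:
            findings["app_dir"].append(dll)
        else:
            findings["other"].append(dll)
    return findings


if __name__ == "__main__":
    report = audit(SAMPLE_CYGCHECK)
    for category, dlls in report.items():
        for dll in dlls:
            print(f"{category}: {dll}")
```

To run it against a real binary from a Cygwin shell, pipe `cygcheck ./setup-x86_64.exe` into the script instead of using the embedded sample. An empty report for both categories is the expected result for the genuine installer; anything under `app_dir` deserves a look at what else sits in that folder, and anything under `other` is usually the endpoint-protection or A/V hook Brian asks about.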