Cygwin DLL Hijacking
Posted on 29 February 2016
Hi @ll, Cygwin's setup-x86.exe loads and executes UXTheme.dll (on Windows XP also ClbCatQ.dll) and some more DLLs from its "application directory". For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> If UXTheme.dll (or one of the other DLLs) gets planted in the user's "Downloads" directory per "drive-by download" or "social engineering" this vulnerability becomes a remote code execution. If setup-x86.exe is NOT started with --no-admin the vulnerability results in an escalation of privilege too! Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save it as UXTheme.dll in your "Downloads" directory, then copy it as DWMAPI.dll; 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll; 3. download setup-x86.exe and save it in your "Downloads" directory; 4. execute setup-x86.exe from your "Downloads" directory; 5. notice the message boxes displayed from the DLLs placed in step 1 (and ClbCatQ.dll placed in step 2). PWNED! 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP also as PSAPI.dll and WS2_32.dll); 7. rerun setup-x86.exe from your "Downloads" directory. DOSSED! 8. turning the denial of service into an arbitrary (remote) code execution is trivial: just add the SINGLE entry (PSAPI.dll: EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21) referenced from setup-x86.exe to a rogue DLL of your choice. PWNED again! See <http://seclists.org/fulldisclosure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/121> plus <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S error! stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2015-12-28 report sent to <security@cygwin.com>, <security@cygwin.org> and <security@sourceware.org> BOUNCED 2015-12-28 report sent to <security@redhat.com> No answer, not even an acknowledgement of receipt 2016-01-06 report resent to <cygwin@cygwin.com> and <security@redhat.com> 2016-01-07 clueless reply from reader of <cygwin@cygwin.com>: "- cygwin mailing list is public, you violate your own policy; - Windows XP is unsupported" 2016-01-07 sent reply to <cygwin@cygwin.com>: - see <https://cygwin.com/lists.html> | cygwin: In general, you should send questions and | bug reports here. - see RFC 2142: <security@cygwin.com>, <security@cygwin.org> and <security@sourceware.org> all bounce, then read my policy again. - Windows Embedded POSReady 2009 is Windows XP SP3 in disguise and supported until 2019. - which part of "UXTheme.dll is loaded (on every version of Windows)" is not understood? <cygwin@cygwin.com>: In an effort to cut down on our spam intake, we block email that is detected as spam by the SpamAssassin program. Your email was flagged as spam by that program. See: http://spamassassin.apache.org/ for more details. [...] Contact cygwin-owner@cygwin.com if you have questions about this. (#5.7.2) 2016-01-07 sent questions to <cygwin-owner@cygwin.com> <cygwin-owner@cygwin.com>: host sourceware.org[209.132.180.131] said: 552 spam score exceeded threshold (in reply to end of DATA command) 2016-02-26 report published Cygwin is obviously neither interested in communication nor willing to fix their vulnerable installer!