Executable installers are vulnerable^WEVIL (case 27): Cygwin's installers allow arbitrary (remote) code execution WITH escalation of privilege

Hi @ll,

Cygwin's setup-x86.exe loads and executes UXTheme.dll
(on Windows XP also ClbCatQ.dll) and some more DLLs from its
"application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2012/Aug/134>

If UXTheme.dll (or one of the other DLLs) gets planted in the
user's "Downloads" directory via "drive-by download" or "social
engineering", this vulnerability becomes a remote code execution.

If setup-x86.exe is NOT started with --no-admin the vulnerability
results in an escalation of privilege too!

Proof of concept/demonstration:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
   it as UXTheme.dll in your "Downloads" directory, then copy it
   as DWMAPI.dll;

2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

3. download setup-x86.exe and save it in your "Downloads" directory;

4. execute setup-x86.exe from your "Downloads" directory;

5. notice the message boxes displayed from the DLLs placed in step 1
   (and ClbCatQ.dll placed in step 2);

6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
   also as PSAPI.dll and WS2_32.dll);

7. rerun setup-x86.exe from your "Downloads" directory;

8. turning the denial of service into an arbitrary (remote) code
   execution is trivial: just add the SINGLE entry (PSAPI.dll:
   EnumProcesses, WSock32.dll: recv, WS2_32.dll: Ordinal 21)
   referenced from setup-x86.exe to a rogue DLL of your choice.
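A defender-side check for the condition described above, added here as an example (not code from the post or from Cygwin): it parses an installer's static import table, merges those names with the DLL names the post lists (UXTheme.dll and ClbCatQ.dll are loaded indirectly and so never appear in the import table, hence the watch-list), and reports files of those names sitting next to the installer in its application directory. The function names and the `ADVISORY_DLLS` watch-list are assumptions made for this example.

```python
import struct
from pathlib import Path

# DLLs the post says setup-x86.exe loads from its application directory, directly or
# via other DLLs (constructed watch-list, taken from the post's text).
ADVISORY_DLLS = ("UXTheme.dll", "DWMAPI.dll", "ClbCatQ.dll", "WSock32.dll", "PSAPI.dll", "WS2_32.dll")

def imported_dlls(data: bytes) -> list:
    """Return the DLL names in a PE file's static import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    dd = opt + (96 if magic == 0x10B else 112)               # data directories start here
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]      # entry 1: import table RVA
    sections = []                                            # section table follows the optional header
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rsize), raw))
    def rva2off(rva):                                        # map an RVA to a file offset
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError("RVA %#x outside any section" % rva)
    names = []
    off = rva2off(imp_rva) if imp_rva else None
    while off is not None:
        desc = struct.unpack_from("<IIIII", data, off)       # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                    # all-zero entry ends the list
            break
        start = rva2off(desc[3])                             # Name field is an RVA
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        off += 20
    return names

def planted_dlls(app_dir, dll_names) -> list:
    """Files in app_dir named like a watched DLL (Windows matches names case-insensitively)."""
    wanted = {n.lower() for n in dll_names}
    return sorted(p.name for p in Path(app_dir).iterdir()
                  if p.is_file() and p.name.lower() in wanted)

def audit_installer(exe_path, extra=ADVISORY_DLLS) -> list:
    """Report candidate hijack DLLs sitting next to the installer in its application directory."""
    exe = Path(exe_path)
    watched = set(imported_dlls(exe.read_bytes())) | set(extra)
    return planted_dlls(exe.parent, watched)
```

Running `audit_installer` over a freshly downloaded installer before executing it, or moving the installer into an empty directory first, removes the planted-DLL condition the post relies on.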

PWNED again!

See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!

stay tuned
Stefan Kanthak


2015-12-28    report sent to <security@xxxxxxxxxx>,
              <security@xxxxxxxxxx> and <security@xxxxxxxxxxxxxx>


2015-12-28    report sent to <security@xxxxxxxxxx>

              No answer, not even an acknowledgement of receipt

2016-01-06    report resent to <cygwin@xxxxxxxxxx> and

2016-01-07    clueless reply from reader of <cygwin@xxxxxxxxxx>:
              "- cygwin mailing list is public, you violate your
                 own policy;
               - Windows XP is unsupported"

2016-01-07    sent reply to <cygwin@xxxxxxxxxx>:
              - see <https://cygwin.com/lists.html>
                | cygwin: In general, you should send questions and
                |         bug reports here.
              - see RFC 2142: <security@xxxxxxxxxx>,
                <security@xxxxxxxxxx> and <security@xxxxxxxxxxxxxx>
                all bounce, then read my policy again.
              - Windows Embedded POSReady 2009 is Windows XP SP3
                in disguise and supported until 2019.
              - which part of "UXTheme.dll is loaded (on every version
                of Windows)" is not understood?

In an effort to cut down on our spam intake, we block email that is
detected as spam by the SpamAssassin program.  Your email was flagged as
spam by that program.  See: http://spamassassin.apache.org/ for more
Contact cygwin-owner@xxxxxxxxxx if you have questions about this. (#5.7.2)

2016-01-07    sent questions to <cygwin-owner@xxxxxxxxxx>

<cygwin-owner@xxxxxxxxxx>: host sourceware.org[] said:
    552 spam score exceeded threshold (in reply to end of DATA command)

2016-02-26    report published
              Cygwin is obviously neither interested in communication
              nor willing to fix their vulnerable installer!