Cygwin DLL Hijacking

2016-02-26T00:00:00
ID PACKETSTORM:135970
Type packetstorm
Reporter Stefan Kanthak
Modified 2016-02-26T00:00:00

Description

                                        
                                            `Hi @ll,  
  
Cygwin's setup-x86.exe loads and executes UXTheme.dll  
(on Windows XP also ClbCatQ.dll) and some more DLLs from its  
"application directory".  
  
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134>  
  
If UXTheme.dll (or one of the other DLLs) gets planted in the  
user's "Downloads" directory per "drive-by download" or "social  
engineering" this vulnerability becomes a remote code execution.  
  
If setup-x86.exe is NOT started with --no-admin the vulnerability  
results in an escalation of privilege too!  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save  
it as UXTheme.dll in your "Downloads" directory, then copy it  
as DWMAPI.dll;  
  
2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;  
  
3. download setup-x86.exe and save it in your "Downloads" directory;  
  
4. execute setup-x86.exe from your "Downloads" directory;  
  
5. notice the message boxes displayed from the DLLs placed in step 1  
(and ClbCatQ.dll placed in step 2).  
  
PWNED!  
  
6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP  
also as PSAPI.dll and WS2_32.dll);  
  
7. rerun setup-x86.exe from your "Downloads" directory.  
  
DOSSED!  
  
8. turning the denial of service into an arbitrary (remote) code  
execution is trivial: just add the SINGLE entry (PSAPI.dll:  
EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)  
referenced from setup-x86.exe to a rogue DLL of your choice.  
  
PWNED again!  
  
  
See <http://seclists.org/fulldisclosure/2015/Nov/101>,  
<http://seclists.org/fulldisclosure/2015/Dec/86> and  
<http://seclists.org/fulldisclosure/2015/Dec/121> plus  
<http://home.arcor.de/skanthak/!execute.html> and  
<http://home.arcor.de/skanthak/sentinel.html> for details about  
this well-known and well-documented BEGINNER'S error!  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2015-12-28 report sent to <security@cygwin.com>,  
<security@cygwin.org> and <security@sourceware.org>  
  
BOUNCED  
  
2015-12-28 report sent to <security@redhat.com>  
  
No answer, not even an acknowledgement of receipt  
  
2016-01-06 report resent to <cygwin@cygwin.com> and  
<security@redhat.com>  
  
2016-01-07 clueless reply from reader of <cygwin@cygwin.com>:  
"- cygwin mailing list is public, you violate your  
own policy;  
- Windows XP is unsupported"  
  
2016-01-07 sent reply to <cygwin@cygwin.com>:  
- see <https://cygwin.com/lists.html>  
| cygwin: In general, you should send questions and  
| bug reports here.  
- see RFC 2142: <security@cygwin.com>,  
<security@cygwin.org> and <security@sourceware.org>  
all bounce, then read my policy again.  
- Windows Embedded POSReady 2009 is Windows XP SP3  
in disguise and supported until 2019.  
- which part of "UXTheme.dll is loaded (on every version  
of Windows)" is not understood?  
  
<cygwin@cygwin.com>:  
In an effort to cut down on our spam intake, we block email that is  
detected as spam by the SpamAssassin program. Your email was flagged as  
spam by that program. See: http://spamassassin.apache.org/ for more  
details.  
[...]  
Contact cygwin-owner@cygwin.com if you have questions about this. (#5.7.2)  
  
2016-01-07 sent questions to <cygwin-owner@cygwin.com>  
  
<cygwin-owner@cygwin.com>: host sourceware.org[209.132.180.131] said:  
552 spam score exceeded threshold (in reply to end of DATA command)  
  
2016-02-26 report published  
Cygwin is obviously neither interested in communication  
nor willing to fix their vulnerable installer!  
`