Cygwin DLL Hijacking

Type packetstorm
Reporter Stefan Kanthak
Modified 2016-02-26T00:00:00


Hi @ll,  
Cygwin's setup-x86.exe loads and executes UXTheme.dll  
(on Windows XP also ClbCatQ.dll) and some more DLLs from its  
"application directory", i.e. the directory the executable is  
started from, which Windows' default DLL search order consults  
before the system directory.  
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
and <>  
If UXTheme.dll (or one of the other DLLs) gets planted in the  
user's "Downloads" directory per "drive-by download" or "social  
engineering", this vulnerability becomes a remote code execution.  
If setup-x86.exe is NOT started with --no-admin it runs elevated,  
so the vulnerability results in an escalation of privilege too!  
Proof of concept/demonstration:  
1. visit <>, download  
<> and save  
it as UXTheme.dll in your "Downloads" directory, then copy it  
as DWMAPI.dll;  
2. on Windows XP, additionally copy the downloaded UXTheme.dll as  
ClbCatQ.dll;  
3. download setup-x86.exe and save it in your "Downloads" directory;  
4. execute setup-x86.exe from your "Downloads" directory;  
5. notice the message boxes displayed by the DLLs planted in step 1  
(and by ClbCatQ.dll planted in step 2): they were loaded from the  
application directory instead of the system directory;  
6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP  
also as PSAPI.dll and WS2_32.dll);  
7. rerun setup-x86.exe from your "Downloads" directory: it fails  
to start, since the planted DLLs lack the entry points it imports  
(a denial of service);  
8. turning this denial of service into an arbitrary (remote) code  
execution is trivial: export the SINGLE entry point setup-x86.exe  
imports from each of these DLLs (PSAPI.dll: EnumProcesses,  
WSock32.dll: recv, WS2_32.dll: ordinal 21) from a rogue DLL of  
your choice.  
PWNED again!  
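The following Python script is an added illustration of the check behind steps 6 to 8; it is not code from the advisory or from Cygwin. It reads the import table of a PE executable to learn which DLL names and which entry points (by name or by ordinal) the executable resolves at load time, then intersects those names with the files present in its application directory: every hit is a DLL the default search order will take from that directory, and the listed entry points are exactly the exports a rogue DLL needs to avoid the denial of service of step 7. The PE image it parses is constructed inline so the example runs offline; its two imports, WSock32.dll: recv and WS2_32.dll: ordinal 21, are the ones named above, and the directory listing is likewise constructed. On a real system you would pass the bytes of setup-x86.exe and an os.listdir() of the directory it was started from.

```python
"""Added example (not code from the advisory or from Cygwin): list the DLLs and
entry points an EXE imports at load time, then flag the DLL names that also exist
in its application directory.  The PE image is constructed inline (test data)."""
import struct


def _cstr(data, off):
    """ASCIIZ string starting at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll_name: [symbol or '#ordinal', ...]} for a PE32 or PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> "PE\0\0"
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # PE32: 32-bit thunks, data directories at +96; PE32+: 64-bit thunks, at +112.
    thunk_fmt, dd_off = ("<I", 96) if magic == 0x10B else ("<Q", 112)
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (thunk_size * 8 - 1)

    # Section table entries: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
                for i in range(nsect)]

    def rva2off(rva):
        """Map an RVA to a file offset the way the loader maps sections."""
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x outside all sections" % rva)

    # Data directory entry 1 is IMAGE_DIRECTORY_ENTRY_IMPORT (8 bytes per entry).
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8 * 1)[0]
    imports = {}
    if imp_rva == 0:
        return imports
    desc = rva2off(imp_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", data, desc)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break                                            # all-zero entry ends the list
        dll, syms = _cstr(data, rva2off(name_rva)), []
        thunk = rva2off(ilt or iat)                          # prefer the unbound lookup table
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                syms.append("#%d" % (entry & 0xFFFF))
            else:                                            # IMAGE_IMPORT_BY_NAME: WORD hint, ASCIIZ name
                syms.append(_cstr(data, rva2off(entry & 0x7FFFFFFF) + 2))
            thunk += thunk_size
        imports[dll] = syms
        desc += 20
    return imports


def planted_dlls(imports, app_dir_listing):
    """Imported DLL names that also exist as files next to the EXE: with the default
    search order the loader takes these from the application directory, not System32."""
    present = {name.lower() for name in app_dir_listing}
    return sorted(dll for dll in imports if dll.lower() in present)


def build_sample_pe():
    """Constructed minimal PE32 whose import table holds the two entries the advisory
    names, WSock32.dll:recv and WS2_32.dll:#21 (test data only, no code section)."""
    base, raw = 0x1000, 0x200                                # .idata VA and file offset
    DESC, ILT1, ILT2, HINT, NAME1, NAME2 = 0x00, 0x40, 0x50, 0x60, 0x68, 0x74
    sec = bytearray(0x80)
    struct.pack_into("<5I", sec, DESC, base + ILT1, 0, 0, base + NAME1, base + ILT1 + 8)
    struct.pack_into("<5I", sec, DESC + 20, base + ILT2, 0, 0, base + NAME2, base + ILT2 + 8)
    struct.pack_into("<4I", sec, ILT1, base + HINT, 0, base + HINT, 0)          # ILT + IAT, by name
    struct.pack_into("<4I", sec, ILT2, 0x80000000 | 21, 0, 0x80000000 | 21, 0)  # ILT + IAT, by ordinal
    sec[HINT:HINT + 7] = b"\0\0recv\0"
    sec[NAME1:NAME1 + 12] = b"WSock32.dll\0"
    sec[NAME2:NAME2 + 11] = b"WS2_32.dll\0"
    hdr = bytearray(raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", hdr, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96 + 8, base, 0x80)  # import data directory (RVA, size)
    hdr[0x138:0x140] = b".idata\0\0"                         # section header follows the optional header
    struct.pack_into("<IIII", hdr, 0x140, 0x80, base, 0x80, raw)
    return bytes(hdr) + bytes(sec)
```

Two caveats when using this against a real installer: DLLs loaded at run time through LoadLibrary() do not appear in the import table, so a dynamic trace (e.g. Process Monitor filtered on the application directory) is needed to find those; and names listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs are always resolved from the system directory and can be excluded from the result.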
See <>,  
<> and  
<> plus  
<!execute.html> and  
<> for details about  
this well-known and well-documented BEGINNER'S error!  
stay tuned  
Stefan Kanthak  
2015-12-28 report sent to <>,  
<> and <>  
2015-12-28 report sent to <>  
No answer, not even an acknowledgement of receipt  
2016-01-06 report resent to <> and  
2016-01-07 clueless reply from reader of <>:  
"- cygwin mailing list is public, you violate your  
own policy;  
- Windows XP is unsupported"  
2016-01-07 sent reply to <>:  
- see <>  
| cygwin: In general, you should send questions and  
| bug reports here.  
- see RFC 2142: <>,  
<> and <>  
all bounce, then read my policy again.  
- Windows Embedded POSReady 2009 is Windows XP SP3  
in disguise and supported until 2019.  
- which part of "UXTheme.dll is loaded (on every version  
of Windows)" is not understood?  
In an effort to cut down on our spam intake, we block email that is  
detected as spam by the SpamAssassin program. Your email was flagged as  
spam by that program. See: for more  
Contact if you have questions about this. (#5.7.2)  
2016-01-07 sent questions to <>  
<>: host[] said:  
552 spam score exceeded threshold (in reply to end of DATA command)  
2016-02-26 report published  
Cygwin is obviously neither interested in communication  
nor willing to fix their vulnerable installer!