======================================================================
= Security Objectives Advisory (SECOBJADV-2008-02) =

Cygwin Installation and Update Process can be Subverted Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt

AFFECTED: Cygwin setup.exe 2.573.2.2

PLATFORM: Intel / Windows

CLASSIFICATION: Insufficient Verification of Data Authenticity (CWE-345)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution

SEVERITY: Medium

DIFFICULTY: Moderate

REFERENCES: CVE-2008-3323, RedHat Bugzilla Bug 449929

BACKGROUND

Cygwin is a Linux-like environment for Windows. It consists of two parts:

1. A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing
   substantial Linux API functionality.

2. A collection of tools which provide Linux look and feel.

SUMMARY

Cygwin is a Linux-like environment for Microsoft Windows copyrighted by
Red Hat, Inc. Tarball software packages are installed and updated via
setup.exe. This program downloads a package list and packages from
mirrors over plaintext HTTP or FTP. The package list contains MD5
checksums for verifying package integrity. If a rogue server answers the
HTTP request responsible for package updates and responds with a
modified MD5 string setup.exe will download and install a malicious package.

ANALYSIS

To successfully exploit this vulnerability an attacker must be able to
somehow position themself such that they can impersonate a Cygwin mirror.
As a proof-of-concept the local hosts file was modified but an attack
that occurs in the wild can be accomplished through DNS cache
poisoning, ARP redirection, TCP hijacking, impersonation of a Wi-Fi
Access Point, etc. The attacker also would have configured a rogue web
server to push out package code of their choosing. The success of
attacks that utilize the DNS cache poisoning approach has recently been
compounded by Kaminsky's birthday paradox technique (CVE-2008-1447.)

For testing purposes, gzip was used as the malicious package although
any and all packages can be trojanned (including base-files.) gzip was
chosen for testing purposes because it is so common. A real attacker
would probably target more of a lynchpin package like bash. The version,
time, size, and MD5 sum of the gzip entry in the setup.ini file was
modified for the rogue Cygwin server. The location of the altered gzip
package was /sourceware/cygwin/release/gzip/gzip-3.1.33-7.tar.bz2.

When setup.exe is executed it will automatically download the modified
package from the rogue server. /usr/bin/gzip was replaced by /usr/bin/ls
during Security Objectives' testing. In a real attack scenario bash
could be trojanned or a complete rootkit could be installed. The user is
likely to not even notice the malicious package being setup as it is
auto-selected for installation.

WORKAROUND

Refrain from using Cygwin setup.exe versions prior to 2.573.2.3.

VENDOR RESPONSE

Cygwin Setup.exe version 2.573.2.3 addresses this vulnerability.

http://cygwin.com/setup/snapshots/setup-2.573.2.3.exe

DISCLOSURE TIMELINE

20-May-2008 Discovery of Vulnerability
22-May-2008 Developed Proof-of-Concept
25-May-2008 Reported to Vendor
04-Jun-2008 RedHat Bugzilla ID Opened
19-Jun-2008 Vendor Supplied Patched Program for Testing
21-Jun-2008 Fix Applied to Bug in Original Patch
22-Jul-2008 New Setup Program Tested and Verified
25-Jul-2008 Published Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security centric consultancy and software development
corporation which operates in the area of application assurance software.
Security Objectives employs methods that are centered on software
comprehension, therefore a more in-depth contextual understanding of the
application is developed.

http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based on
currently available information and is provided "as is" without warranty of
any kind, either expressed or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality and performance of the information is with
you.