[ISecAuditors Security Advisories] Cygwin buffer overflow due incorrect filename length check Nov 24 2007 04:12PM
ISecAuditors Security Advisories (advisories isecauditors com)
=============================================
INTERNET SECURITY AUDITORS ALERT 2007-005
- Original release date: May 23rd, 2007
- Last revised: November 24th, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Cygwin buffer overflow in the filename length check

II. BACKGROUND
-------------------------
Cygwin is a Linux-like environment for Windows wich consists in a dll
binary (cygwin1.dll) wichs emulates linux api, and a set of tools
which provide Linux look and feel.

Sometimes, the administrators relay in cygwin security in order to
open a daemon to the net (sshd, telnetd, ftpd ...) over cygwin.

III. DESCRIPTION
-------------------------
Traditionally, linux filesystem allow 255 bytes long, nevertheless
cygwin allow 239 bytes and there is a check that prevents filenames
equal or major than 240.

In spite of the check, there is a 232 bytes long dynamic memory buffer
where is stored the filename, so that is possible make a evil filename
with 233-239 bytes long that bypasses the check and overflows the heap
maximum 7 bytes.

So you had to penetrate in machine and put the evil-file and then 7
bytes of the private heap and ebx and edi registers are for the exploit.

The following file has to be uploaded, if we use touch to create it,
cygwin will be bofed.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB
BBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTT
TTUUUUVVVVWWWWXXXXYYYY

...

$ cat scp.exe.stackdump
Exception: STATUS_ACCESS_VIOLATION at eip=6109008D
eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055
edi=59595957
ebp=6E6C006C esp=0022E51B program=C:\sshd\bin\scp.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023

$ gdb /usr/bin/touch.exe
GNU gdb 2003-09-20-cvs (cygwin-special)
...
(gdb) r AAAA ...
Program received signal SIGSEGV, Segmentation fault.
0x61091eea in getppid () from /usr/bin/cygwin1.dll
(gdb) x/i 0x61091eea
0x61091eea <getppid+2954>: mov 0xc(%ebp),%eax
(gdb) i r ebp eax
ebp 0x22006b 0x22006b
eax 0xffffffff -1

filename: [nops][shellcode][jmp][buff]
nops + shellcode = 210 bytes
jmp = 4 bytes
buff = 24 bytes

IV. PROOF OF CONCEPT
-------------------------
Not public.

V. BUSINESS IMPACT
-------------------------
Systems could be compromissed exploiting this vulnerability.

VI. SYSTEMS AFFECTED
-------------------------
All cygwin1.dll up to 1.5.7.
Is possible that versions from 1.5.7 to 1.5.19 are vulnerable too due
bad use of name length constants in cygwin code.

VII. SOLUTION
-------------------------
The patch is available at http://www.cygwin.com/snapshots
Latest version (1.5.24) don't have this problem.

VIII. REFERENCES
-------------------------
http://www.cygwin.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors=dot=com)

X. REVISION HISTORY
-------------------------
May 23, 2006: Initial release
August 06, 2007: First Revision
November 23, 2007: Last Revision

XI. DISCLOSURE TIMELINE
-------------------------
May 23, 2006: Vulnerability acquired by
Jesus Olmos Gonzalez (Internet Security Auditors)
November 08, 2007: First vendor notification and discussion in devel
list about its impact. Considered collaterally
corrected.
November 24, 2007: Published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus