Executable installers are vulnerable^WEVIL (case 27): Cygwin's installers allow arbitrary (remote) code execution WITH escalation of privilege Feb 26 2016 03:45PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

Cygwin's setup-x86.exe loads and executes UXTheme.dll
(on Windows XP also ClbCatQ.dll) and some more DLLs from its
"application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
and <http://seclists.org/fulldisclosure/2012/Aug/134>

If UXTheme.dll (or one of the other DLLs) gets planted in the
user's "Downloads" directory per "drive-by download" or "social
engineering" this vulnerability becomes a remote code execution.

If setup-x86.exe is NOT started with --no-admin the vulnerability
results in an escalation of privilege too!

Proof of concept/demonstration:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
it as UXTheme.dll in your "Downloads" directory, then copy it
as DWMAPI.dll;

2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

3. download setup-x86.exe and save it in your "Downloads" directory;

4. execute setup-x86.exe from your "Downloads" directory;

5. notice the message boxes displayed from the DLLs placed in step 1
(and ClbCatQ.dll placed in step 2).


6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
also as PSAPI.dll and WS2_32.dll);

7. rerun setup-x86.exe from your "Downloads" directory.


8. turning the denial of service into an arbitrary (remote) code
execution is trivial: just add the SINGLE entry (PSAPI.dll:
EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
referenced from setup-x86.exe to a rogue DLL of your choice.

PWNED again!

See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!

stay tuned
Stefan Kanthak


2015-12-28 report sent to <security (at) cygwin (dot) com [email concealed]>,
<security (at) cygwin (dot) org [email concealed]> and <security (at) sourceware (dot) org [email concealed]>


2015-12-28 report sent to <security (at) redhat (dot) com [email concealed]>

No answer, not even an acknowledgement of receipt

2016-01-06 report resent to <cygwin (at) cygwin (dot) com [email concealed]> and
<security (at) redhat (dot) com [email concealed]>

2016-01-07 clueless reply from reader of <cygwin (at) cygwin (dot) com [email concealed]>:
"- cygwin mailing list is public, you violate your
own policy;
- Windows XP is unsupported"

2016-01-07 sent reply to <cygwin (at) cygwin (dot) com [email concealed]>:
- see <https://cygwin.com/lists.html>
| cygwin: In general, you should send questions and
| bug reports here.
- see RFC 2142: <security (at) cygwin (dot) com [email concealed]>,
<security (at) cygwin (dot) org [email concealed]> and <security (at) sourceware (dot) org [email concealed]>
all bounce, then read my policy again.
- Windows Embedded POSReady 2009 is Windows XP SP3
in disguise and supported until 2019.
- which part of "UXTheme.dll is loaded (on every version
of Windows)" is not understood?

<cygwin (at) cygwin (dot) com [email concealed]>:
In an effort to cut down on our spam intake, we block email that is
detected as spam by the SpamAssassin program. Your email was flagged as
spam by that program. See: http://spamassassin.apache.org/ for more
Contact cygwin-owner (at) cygwin (dot) com [email concealed] if you have questions about this. (#5.7.2)

2016-01-07 sent questions to <cygwin-owner (at) cygwin (dot) com [email concealed]>

<cygwin-owner (at) cygwin (dot) com [email concealed]>: host sourceware.org[] said:
552 spam score exceeded threshold (in reply to end of DATA command)

2016-02-26 report published
Cygwin is obviously neither interested in communication
nor willing to fix their vulnerable installer!

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus