============================================= INTERNET SECURITY AUDITORS ALERT 2007-005 - Original release date: May 23rd, 2007 - Last revised: November 24th, 2007 - Discovered by: Jesus Olmos Gonzalez - Severity: 5/5 ============================================= I. VULNERABILITY ------------------------- Cygwin buffer overflow in the filename length check II. BACKGROUND ------------------------- Cygwin is a Linux-like environment for Windows wich consists in a dll binary (cygwin1.dll) wichs emulates linux api, and a set of tools which provide Linux look and feel. Sometimes, the administrators relay in cygwin security in order to open a daemon to the net (sshd, telnetd, ftpd ...) over cygwin. III. DESCRIPTION ------------------------- Traditionally, linux filesystem allow 255 bytes long, nevertheless cygwin allow 239 bytes and there is a check that prevents filenames equal or major than 240. In spite of the check, there is a 232 bytes long dynamic memory buffer where is stored the filename, so that is possible make a evil filename with 233-239 bytes long that bypasses the check and overflows the heap maximum 7 bytes. So you had to penetrate in machine and put the evil-file and then 7 bytes of the private heap and ebx and edi registers are for the exploit. The following file has to be uploaded, if we use touch to create it, cygwin will be bofed. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB BBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTT TTUUUUVVVVWWWWXXXXYYYY ... $ cat scp.exe.stackdump Exception: STATUS_ACCESS_VIOLATION at eip=6109008D eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055 edi=59595957 ebp=6E6C006C esp=0022E51B program=C:\sshd\bin\scp.exe cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023 $ gdb /usr/bin/touch.exe GNU gdb 2003-09-20-cvs (cygwin-special) ... (gdb) r AAAA ... Program received signal SIGSEGV, Segmentation fault. 0x61091eea in getppid () from /usr/bin/cygwin1.dll (gdb) x/i 0x61091eea 0x61091eea <getppid+2954>: mov 0xc(%ebp),%eax (gdb) i r ebp eax ebp 0x22006b 0x22006b eax 0xffffffff -1 filename: [nops][shellcode][jmp][buff] nops + shellcode = 210 bytes jmp = 4 bytes buff = 24 bytes IV. PROOF OF CONCEPT ------------------------- Not public. V. BUSINESS IMPACT ------------------------- Systems could be compromissed exploiting this vulnerability. VI. SYSTEMS AFFECTED ------------------------- All cygwin1.dll up to 1.5.7. Is possible that versions from 1.5.7 to 1.5.19 are vulnerable too due bad use of name length constants in cygwin code. VII. SOLUTION ------------------------- The patch is available at http://www.cygwin.com/snapshots Latest version (1.5.24) don't have this problem. VIII. REFERENCES ------------------------- http://www.cygwin.com IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors=dot=com) X. REVISION HISTORY ------------------------- May 23, 2006: Initial release August 06, 2007: First Revision November 23, 2007: Last Revision XI. DISCLOSURE TIMELINE ------------------------- May 23, 2006: Vulnerability acquired by Jesus Olmos Gonzalez (Internet Security Auditors) November 08, 2007: First vendor notification and discussion in devel list about its impact. Considered collaterally corrected. November 24, 2007: Published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.