This is the mail archive of the cygwin-developers mailing list for the Cygwin project.
Re: cygwin1.dll up to 1.5.22 overflow
On Nov 13 10:44, Dave Korn wrote:
> On 13 November 2007 10:42, Daniel Fdez. Bleda wrote:
>
> > Dave,
> >>
> >> You didn't answer all our questions yet, specifically which was the
> >> vulnerable function. I was hoping to get some feel for whether this could
> >> be exploited remotely, e.g. by uploading a long file to an ftp server, and
> >> whether it could be used to increase privilege, by triggering in a cygwin
> >> service.
> > The vulnerable command is "touch". We didn't analyze the code, as we
> > suppose it is easier for you -or the maintainer coder- to locate the
> > vulnerable function. At least, faster. So, what is the vulnerable
> > function? I don't know. The vulnerability is easily exploitable, so
> > you could check it quickly to be sure where the flaw is.
>
> It'll be somewhere in the path handling I'd guess. I'll roll back my
> installation a few dll versions and see if I can find it. (I'm at work, so
> it'll have to wait for my lunch hour or until I get some spare time at the end
> of the day). However, it does sound to me like it would probably be possible
> to leverage a server into creating such a file and then stat'ing it, so I
> reckon the answer is most likely 'yes'.
>
>
> >> BTW, it's not clear from your subject line: cygwin1.dll < 1.5.22, or
> >> cygwin1.dll <= 1.5.22? Which was the first fixed version?
> > cygwin1.dll <= 1.5.22
> > But I'll check it again.
I'm somewhat mystified. All our filename buffers are at least
CYG_MAX_PATH in size, which is 260 chars including the trailing \0.
I don't see any filename buffer in Cygwin which would be 232 bytes or
something similar, not even in older code back to 1.5.19.
touch is basically open(), utimes(), close(). Can somebody show me a
filename buffer shorter than CYG_MAX_PATH in this code? I don't see
this. I also couldn't crash any Cygwin back to 1.5.21 by running a
touch on a file with a (POSIX or Win32) name length of 233-239
characters.
If somebody can give me a reproducible test case, I will have another
look into this issue.
Corinna
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
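The reproducible test case Corinna asks for, as an added example that is not part of the thread or of Cygwin's code: it performs the open(), utimes(), close() sequence she describes for each name length in the 233-239 range, after first checking the name against the CYG_MAX_PATH limit (260 bytes including the NUL) stated above. The helper names build_name, touch_name and probe_range are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

/* Cygwin's buffer limit as stated in the thread: 260 bytes including NUL. */
#define CYG_MAX_PATH 260

/* Fill buf with a name of exactly `len` 'a' characters (hypothetical helper).
 * Returns len, or -1 if the name plus NUL would not fit the buffer or
 * would exceed CYG_MAX_PATH; this is the bounds check a caller should do. */
int build_name(char *buf, size_t bufsize, size_t len)
{
    if (len + 1 > bufsize || len + 1 > CYG_MAX_PATH)
        return -1;
    memset(buf, 'a', len);
    buf[len] = '\0';
    return (int)len;
}

/* The touch sequence named in the thread: open(), utimes(), close().
 * Returns 0 on success, -1 if any step fails. The file is removed again
 * so repeated runs leave nothing behind. */
int touch_name(const char *name)
{
    int fd = open(name, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    int rc = utimes(name, NULL);   /* NULL: set both timestamps to "now" */
    if (close(fd) < 0)
        rc = -1;
    unlink(name);
    return rc;
}

/* Touch one file per name length in [lo, hi]; returns the number of failures. */
int probe_range(size_t lo, size_t hi)
{
    char name[CYG_MAX_PATH];
    int failures = 0;
    for (size_t len = lo; len <= hi; len++) {
        if (build_name(name, sizeof name, len) < 0 || touch_name(name) != 0) {
            printf("name length %zu: FAILED\n", len);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    int failures = probe_range(233, 239);   /* the range mentioned in the thread */
    printf("%d failure(s)\n", failures);
    return failures != 0;
}
```

A crash or nonzero exit on an affected cygwin1.dll, against a clean run on a fixed one, is the kind of reproducer the thread is asking for.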