Write access for BUILTIN\USERS - cygwin privilege escalation vulnerability for Windows 2008 default installation

Andrew McGill list2009@lunch.za.net
Mon Sep 21 08:41:00 GMT 2009


Hi,

I ran setup.exe to install cygwin in c:\cygwin on a (fairly) fresh
installation of Windows Server 2008.  On this server, the permissions of C:\
were set to allow new files to be created in subdirectories by BUILTIN\Users.

The cygwin folder inherited from the default permissions on C:\ the following 
ACL:

[C:\cygwin] icacls c:\cygwin
c:\cygwin NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)
          BUILTIN\Users:(I)(CI)(AD)   <<<<<<< AAAAAAAARGH!
          BUILTIN\Users:(I)(CI)(WD)   <<<<<<< AAAAAAAARGH!
          ZEROTOOL\Administrator:(I)(F)
          CREATOR OWNER:(I)(OI)(CI)(IO)(F)

This allows ANY member of BUILTIN/Users, including nt authority\network 
service to create files.  I can pwn the box from IIS by writing content to 
these files -- and not much creativity is needed to think of many more:

	c:/cygwin/home/Administrator/.ssh/authorized_keys
	c:/cygwin/home/Administrator/.bashrc
	c:/cygwin/home/Administrator/.bash_logout
	c:/cygwin/home/Administrator/.bash_profile
	c:/cygwin/home/Administrator/.vimrc

This permission was default on the system - it seems to be there on Windows 
2003 as well, and maybe before that.  Folders like c:\windows and c:\inetpub 
have explicit permissions for builtin/users.  Perhaps this is some kind of 
secret best practice that cygwin is missing out on?  If not, it's merely a 
series of unfortunate events that adds up to a privilege escalation 
vulnerability, and you really should understand Windows ACLs before running
cygwin.

Feature request: The cygwin installer should set permissions on c:\cygwin to 
be the same as %windir%, and not trust the operating system to do the "right 
thing".  

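The following PowerShell script is an added example, not part of the original post or of the Cygwin installer. It audits a tree (assumed to be C:\cygwin) for Allow ACEs that grant BUILTIN\Users the create-file (WD) or create-subdirectory (AD) rights shown in the icacls output above, and, with -Fix, breaks inheritance from C:\ on the root and strips those ACEs; mirroring %windir% exactly, as the feature request proposes, is left to the administrator.

```powershell
# Added example (not from the original post): find inherited ACEs that let
# BUILTIN\Users create files or subdirectories under the Cygwin root.
# Assumption: Cygwin lives in C:\cygwin; override with -Root. Run elevated.
param([string]$Root = 'C:\cygwin', [switch]$Fix)

# icacls WD == CreateFiles (WriteData), icacls AD == CreateDirectories (AppendData)
$createRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Find-UserCreateAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        ($_.FileSystemRights -band $createRights) -ne 0
    }
}

# Report: the root plus every directory beneath it (home dirs are what matter here).
$dirs = @(Get-Item -Path $Root) +
        @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
foreach ($d in $dirs) {
    foreach ($ace in @(Find-UserCreateAces -Path $d.FullName)) {
        '{0}: {1} {2} inherited={3}' -f $d.FullName, $ace.IdentityReference,
                                        $ace.FileSystemRights, $ace.IsInherited
    }
}

if ($Fix) {
    # Step 1: stop inheriting from C:\ but keep copies of the current ACEs as explicit
    # ones, so SYSTEM, Administrators and the Users RX entry survive unchanged.
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Root -AclObject $acl

    # Step 2: the copied ACEs are now explicit and removable; drop only the
    # BUILTIN\Users create-file / create-subdirectory entries. Child directories
    # that still inherit from $Root lose them as the change propagates.
    $acl = Get-Acl -Path $Root
    foreach ($ace in @(Find-UserCreateAces -Path $Root)) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Root -AclObject $acl
}
```

Run without -Fix first; any line reporting inherited=True on a home directory is the condition the post describes, and the CREATOR OWNER and RX entries are not touched by -Fix.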