Possible Security Hole in SSHD w/ CYGWIN?

Sun Feb 14 01:48:00 GMT 2016

On Sat, Feb 13, 2016 at 8:29 PM, David Willis wrote:
> Hmm, storing the password in the registry would probably not be optimal... I
> would probably rather deal with lack of network share access from SSH
> sessions than store a plaintext password (haven't tested it so I can't say
> for sure, but since I see no mention of encrypting or hashing the password
> I'm guessing it is stored in plaintext)...

It is encrypted, but since cygwin needs to be able to use that
password to authenticate against Windows processes for the network
authentication, it is a reversible encryption, so it would be
relatively easy for a determined attacker to code their own reversal
of the encryption.  The full doc calls it obfuscation to avoid
confusion with the usual one way encryption done on passwords.  I have
not looked at where in the registry it is stored or what the
permissions on those keys are, but I would assume local admin
privilege is required to access it since the doc also states users
can't save the password if the cygwin processes are not running and
cyg_server requires local admin; logical extension, since the process
already requires local admin, make local admin required to read the
encrypted saved passwords.  (Again, this is my assumption; I have not
looked it up).

> For authenticated access within a session, I would think it would be better
> if the user was prompted to enter their password when attempting to access a
> share, similar to what happens when attempting to access a share via Windows
> Explorer (if you don't already have access with your currently logged on
> credentials). I think based on everything I've found out this would be the
> best solution to this scenario for SSH users that log in using key
> authentication.

"best", possibly, though may or may not be feasible, and "best" is
often very subjective.  Also would reduce the "Linux look and feel"
that is one of the goals on cygwin.

> And to your second point, that is also what I would expect, is that if
> anything there would be NO network access, rather than access based on the
> account that the sshd process is running as, regardless of its access.
> However what I gathered from Achim's message is that the access level of
> cyg_server is precisely the reason the user would have network share access
> with that account's privileges.

Yes... I was very surprised to say the least that I could access the
c$ admin share with a non-admin account... that opens things like
replacing core OS files very easily to anyone who authenticates with a
public key.

-- Erik

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple