exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SECOBJADV-2008-02.txt

SECOBJADV-2008-02.txt
Posted Jul 26, 2008
Authored by Derek Callaway | Site security-objectives.com

Security Objectives Advisory - The Cygwin installation and update process can be subverted to a lack of checksum verification. Cygwin setup.exe version 2.573.2.2 is affected.

tags | advisory
SHA-256 | 7cbfe265f4aef5c957f93a0d315cd5334c327902cc77191d1a586a89fab67f7a

SECOBJADV-2008-02.txt

Change Mirror Download
======================================================================
= Security Objectives Advisory (SECOBJADV-2008-02) =
======================================================================

Cygwin Installation and Update Process can be Subverted Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt

AFFECTED: Cygwin setup.exe 2.573.2.2

PLATFORM: Intel / Windows

CLASSIFICATION: Insufficient Verification of Data Authenticity (CWE-345)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution

SEVERITY: Medium

DIFFICULTY: Moderate

REFERENCES: CVE-2008-3323, RedHat Bugzilla Bug 449929


BACKGROUND

Cygwin is a Linux-like environment for Windows. It consists of two parts:

1. A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing
substantial Linux API functionality.

2. A collection of tools which provide Linux look and feel.

SUMMARY

Cygwin is a Linux-like environment for Microsoft Windows copyrighted by
Red Hat, Inc. Tarball software packages are installed and updated via
setup.exe. This program downloads a package list and packages from
mirrors over plaintext HTTP or FTP. The package list contains MD5
checksums for verifying package integrity. If a rogue server answers the
HTTP request responsible for package updates and responds with a
modified MD5 string setup.exe will download and install a malicious package.

ANALYSIS

To successfully exploit this vulnerability an attacker must be able to
somehow position themself such that they can impersonate a Cygwin mirror.
As a proof-of-concept the local hosts file was modified but an attack
that occurs in the wild can be accomplished through DNS cache
poisoning, ARP redirection, TCP hijacking, impersonation of a Wi-Fi
Access Point, etc. The attacker also would have configured a rogue web
server to push out package code of their choosing. The success of
attacks that utilize the DNS cache poisoning approach has recently been
compounded by Kaminsky's birthday paradox technique (CVE-2008-1447.)

For testing purposes, gzip was used as the malicious package although
any and all packages can be trojanned (including base-files.) gzip was
chosen for testing purposes because it is so common. A real attacker
would probably target more of a lynchpin package like bash. The version,
time, size, and MD5 sum of the gzip entry in the setup.ini file was
modified for the rogue Cygwin server. The location of the altered gzip
package was /sourceware/cygwin/release/gzip/gzip-3.1.33-7.tar.bz2.

When setup.exe is executed it will automatically download the modified
package from the rogue server. /usr/bin/gzip was replaced by /usr/bin/ls
during Security Objectives' testing. In a real attack scenario bash
could be trojanned or a complete rootkit could be installed. The user is
likely to not even notice the malicious package being setup as it is
auto-selected for installation.

WORKAROUND

Refrain from using Cygwin setup.exe versions prior to 2.573.2.3.

VENDOR RESPONSE

Cygwin Setup.exe version 2.573.2.3 addresses this vulnerability.

http://cygwin.com/setup/snapshots/setup-2.573.2.3.exe

DISCLOSURE TIMELINE

20-May-2008 Discovery of Vulnerability
22-May-2008 Developed Proof-of-Concept
25-May-2008 Reported to Vendor
04-Jun-2008 RedHat Bugzilla ID Opened
19-Jun-2008 Vendor Supplied Patched Program for Testing
21-Jun-2008 Fix Applied to Bug in Original Patch
22-Jul-2008 New Setup Program Tested and Verified
25-Jul-2008 Published Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security centric consultancy and software development
corporation which operates in the area of application assurance software.
Security Objectives employs methods that are centered on software
comprehension, therefore a more in-depth contextual understanding of the
application is developed.

http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based on
currently available information and is provided "as is" without warranty of
any kind, either expressed or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality and performance of the information is with
you.

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close