AOH :: HP Unsorted C :: BX3857.HTM

Cygwin Installation and Update Process can be Subverted Vulnerability
SECOBJADV-2008-02: Cygwin Installation and Update Process can be Subverted Vulnerability
SECOBJADV-2008-02: Cygwin Installation and Update Process can be Subverted Vulnerability

=         Security Objectives Advisory (SECOBJADV-2008-02)           

Cygwin Installation and Update Process can be Subverted Vulnerability 

AFFECTED: Cygwin setup.exe 2.573.2.2 

PLATFORM: Intel / Windows

CLASSIFICATION: Insufficient Verification of Data Authenticity (CWE-345)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution



REFERENCES: CVE-2008-3323, RedHat Bugzilla Bug 449929


Cygwin is a Linux-like environment for Windows. It consists of two parts: 

1. A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing 

substantial Linux API functionality. 


2. A collection of tools which provide Linux look and feel. 


Cygwin is a Linux-like environment for Microsoft Windows copyrighted by 

Red Hat, Inc. Tarball software packages are installed and updated via 

setup.exe. This program downloads a package list and packages from 

mirrors over plaintext HTTP or FTP. The package list contains MD5 

checksums for verifying package integrity. If a rogue server answers the 

HTTP request responsible for package updates and responds with a 

modified MD5 string setup.exe will download and install a malicious package.


To successfully exploit this vulnerability an attacker must be able to 

somehow position themself such that they can impersonate a Cygwin mirror.

As a proof-of-concept the local hosts file was modified but an attack

that occurs in the wild can be accomplished through DNS cache 

poisoning, ARP redirection, TCP hijacking, impersonation of a Wi-Fi 

Access Point, etc. The attacker also would have configured a rogue web 

server to push out package code of their choosing. The success of 

attacks that utilize the DNS cache poisoning approach has recently been 

compounded by Kaminsky's birthday paradox technique (CVE-2008-1447.)

For testing purposes, gzip was used as the malicious package although 

any and all packages can be trojanned (including base-files.) gzip was 

chosen for testing purposes because it is so common. A real attacker  

would probably target more of a lynchpin package like bash. The version,

time, size, and MD5 sum of the gzip entry in the setup.ini file was 

modified for the rogue Cygwin server. The location of the altered gzip 

package was /sourceware/cygwin/release/gzip/gzip-3.1.33-7.tar.bz2.

When setup.exe is executed it will automatically download the modified

package from the rogue server. /usr/bin/gzip was replaced by /usr/bin/ls 

during Security Objectives' testing. In a real attack scenario bash 

could be trojanned or a complete rootkit could be installed. The user is 

likely to not even notice the malicious package being setup as it is 

auto-selected for installation.


Refrain from using Cygwin setup.exe versions prior to 2.573.2.3.


Cygwin Setup.exe version 2.573.2.3 addresses this vulnerability. 


20-May-2008 Discovery of Vulnerability

22-May-2008 Developed Proof-of-Concept

25-May-2008 Reported to Vendor

04-Jun-2008 RedHat Bugzilla ID Opened

19-Jun-2008 Vendor Supplied Patched Program for Testing

21-Jun-2008 Fix Applied to Bug in Original Patch

22-Jul-2008 New Setup Program Tested and Verified

25-Jul-2008 Published Advisory


Security Objectives is a security centric consultancy and software development 

corporation which operates in the area of application assurance software. 

Security Objectives employs methods that are centered on software 

comprehension, therefore a more in-depth contextual understanding of the 

application is developed. 


Permission is granted for electronic distribution of this advisory.

It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based on 

currently available information and is provided "as is" without warranty of 

any kind, either expressed or implied, including, but not limited to, the 

implied warranties of merchantability and fitness for a particular purpose. 

The entire risk as to the quality and performance of the information is with 



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to