============================================
INTERNET SECURITY AUDITORS ALERT 2007-005
- Original release date: May 23rd, 2007
- Last revised: November 24th, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 5/5
Cygwin buffer overflow in the filename length check
Cygwin is a Linux-like environment for Windows which consists of a DLL
(cygwin1.dll) that emulates the Linux API, and a set of tools that
provide a Linux look and feel.
Administrators sometimes rely on Cygwin's security when they expose a
daemon running over Cygwin (sshd, telnetd, ftpd ...) to the network.
Traditionally, Linux filesystems allow filenames up to 255 bytes long;
Cygwin allows 239 bytes, and there is a check that rejects filenames of
240 bytes or longer.
In spite of the check, the filename is stored in a 232-byte buffer in
dynamic memory, so it is possible to craft a malicious filename of 233 to
239 bytes that passes the check and overflows the heap by up to 7 bytes.
So the attacker first has to get onto the machine and create the
malicious file; after that, 7 bytes of the private heap and the ebx and
edi registers are under the exploit's control.
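The mismatch between the 240-byte length check and the 232-byte heap buffer is the whole bug, so the following added example models it next to the corrected pattern. This is illustrative code written for this advisory, not cygwin1.dll's own code: the heap layout (a 232-byte name buffer directly followed by 8 bytes treated as the neighbouring chunk), the function names, the 0xCC sentinel and the 'Y'-filled test names are all assumptions; only the constants 232, 239 and 240 come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits taken from the advisory. */
#define NAME_CHECK_LIMIT 240   /* names of this length or longer are rejected */
#define NAME_BUF_SIZE    232   /* size of the heap buffer the name is copied into */
#define NEIGHBOUR_SIZE   8     /* bytes modelled as belonging to the next heap chunk */

/* Simulated heap region: the 232-byte name buffer followed by 8 bytes that
   in a real heap would be the next chunk's metadata or data. This layout is
   a hypothetical model for the demonstration, not cygwin1.dll's allocator. */
typedef struct {
    unsigned char mem[NAME_BUF_SIZE + NEIGHBOUR_SIZE];
} heap_region;

/* Vulnerable pattern as the advisory describes it: the length check uses the
   240-byte limit, but the copy goes into a 232-byte buffer. */
static int vuln_store_name(heap_region *h, const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_CHECK_LIMIT)
        return -1;                 /* rejected: 240 bytes or longer */
    memcpy(h->mem, name, len);     /* 233..239 bytes spill past the buffer */
    return 0;
}

/* Hardened pattern: the check is tied to the size of the buffer actually
   allocated, so nothing the check accepts can exceed it. */
static int safe_store_name(heap_region *h, const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_CHECK_LIMIT || len > NAME_BUF_SIZE)
        return -1;
    memcpy(h->mem, name, len);
    return 0;
}

/* Run a constructed name of `len` 'Y' bytes (0x59, the byte seen in the
   advisory's ebx value) through `store`. Returns how many neighbouring bytes
   were overwritten; if rc is non-NULL it receives the store function's result. */
static size_t bytes_clobbered(int (*store)(heap_region *, const char *),
                              size_t len, int *rc)
{
    heap_region h;
    memset(h.mem, 0, NAME_BUF_SIZE);
    memset(h.mem + NAME_BUF_SIZE, 0xCC, NEIGHBOUR_SIZE);   /* sentinel */

    char *name = malloc(len + 1);          /* constructed test filename */
    if (!name) {
        if (rc) *rc = -1;
        return 0;
    }
    memset(name, 'Y', len);
    name[len] = '\0';

    int r = store(&h, name);
    if (rc) *rc = r;
    free(name);

    size_t n = 0;
    for (size_t i = 0; i < NEIGHBOUR_SIZE; i++)
        if (h.mem[NAME_BUF_SIZE + i] != 0xCC)
            n++;
    return n;
}

/* Convenience: only the store function's accept/reject result. */
static int store_result(int (*store)(heap_region *, const char *), size_t len)
{
    int rc;
    (void)bytes_clobbered(store, len, &rc);
    return rc;
}

int main(void)
{
    size_t lens[] = { 232, 233, 239, 240 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc_v, rc_s;
        size_t ov = bytes_clobbered(vuln_store_name, lens[i], &rc_v);
        size_t os = bytes_clobbered(safe_store_name, lens[i], &rc_s);
        printf("len=%zu  vulnerable: rc=%2d clobbered=%zu   hardened: rc=%2d clobbered=%zu\n",
               lens[i], rc_v, ov, rc_s, os);
    }
    return 0;
}
```

Names of 232 bytes pass both versions untouched and names of 240 bytes are rejected by both; the window the advisory describes is 233 to 239, where the vulnerable check accepts the name and 1 to 7 sentinel bytes are overwritten, while the hardened check rejects it. The fix is simply to bound the check by the buffer that is actually allocated (or to allocate the buffer to the checked limit); the two constants must not be allowed to drift apart.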
The following file has to be uploaded; if we use touch to create it,
Cygwin overflows and crashes.
$ cat scp.exe.stackdump
Exception: STATUS_ACCESS_VIOLATION at eip=6109008D
eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055
ebp=6E6C006C esp=0022E51B program=C:\sshd\bin\scp.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
$ gdb /usr/bin/touch.exe
GNU gdb 2003-09-20-cvs (cygwin-special)
(gdb) r AAAA ...
Program received signal SIGSEGV, Segmentation fault.
0x61091eea in getppid () from /usr/bin/cygwin1.dll
(gdb) x/i 0x61091eea