Cygwin DLL Hijacking
Posted Feb 26, 2016
Authored by Stefan Kanthak

Cygwin's installer setup-x86.exe suffers from a DLL hijacking vulnerability.

tags | exploit
systems | windows
MD5 | 945e53b5cd9a63c5a7567d5da7106823

Hi @ll,

Cygwin's setup-x86.exe loads and executes UXTheme.dll
(on Windows XP also ClbCatQ.dll) and some more DLLs from its
"application directory": none of these DLLs is on the KnownDLLs
list, so the Windows loader looks for them in the directory the
executable was started from before it looks in the system directory.

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2012/Aug/134>

If UXTheme.dll (or one of the other DLLs) gets planted in the
user's "Downloads" directory per "drive-by download" or "social
engineering" this vulnerability becomes remote code execution.

If setup-x86.exe is NOT started with --no-admin it runs elevated,
so the vulnerability results in an escalation of privilege too!

Proof of concept/demonstration:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
it as UXTheme.dll in your "Downloads" directory, then copy it
as DWMAPI.dll;

2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;

3. download setup-x86.exe and save it in your "Downloads" directory;

4. execute setup-x86.exe from your "Downloads" directory;

5. notice the message boxes displayed from the DLLs placed in step 1
(and ClbCatQ.dll placed in step 2);

6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
also as PSAPI.dll and WS2_32.dll);

7. rerun setup-x86.exe from your "Downloads" directory: it now fails
to start, because the planted DLLs do not export the entries
setup-x86.exe imports from them (a denial of service);

8. turning the denial of service into an arbitrary (remote) code
execution is trivial: just add the SINGLE entry (PSAPI.dll:
EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
referenced from setup-x86.exe to a rogue DLL of your choice.

PWNED again!
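
An added worked example (written here as editor, not code from the advisory or from the Cygwin project) for the two points above: which imported DLL names the loader resolves from the application directory, and why a planted DLL that lacks the imported entry only crashes the installer while one that exports it gets its DllMain run. It parses the static import table of a PE file, flags every imported DLL that is not a KnownDLL, and classifies the outcome of planting a DLL with a given export set. The PE image it parses by default, the import names in SAMPLE_IMPORTS, the KnownDLLs excerpt and the file name dllhijack_check.py are constructed for the example; point it at a real setup-x86.exe to see that file's actual import list.

```python
"""Added example, not from the advisory or from Cygwin: list an executable's
static imports, flag those the loader resolves from the application directory
(every DLL not in KnownDLLs), and classify what a planted DLL would do.
Sample image and KnownDLLs excerpt are constructed; hypothetical usage:
    python dllhijack_check.py setup-x86.exe
"""
import struct
import sys

# Excerpt of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# (Windows Vista and later; constructed, read the key on the target box for the
# real set). PSAPI, WS2_32 and ClbCatQ were not known DLLs on Windows XP.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "gdi32.dll",
              "ole32.dll", "shell32.dll", "comdlg32.dll", "msvcrt.dll",
              "psapi.dll", "ws2_32.dll", "clbcatq.dll"}


def _cstr(pe, off):
    return pe[off:pe.index(b"\0", off)].decode("ascii")


def parse_imports(pe):
    """{dll (lowercase): [imported name or ordinal, ...]} for a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_hdr = e_lfanew + 4
    nsect, = struct.unpack_from("<H", pe, file_hdr + 2)
    opt_size, = struct.unpack_from("<H", pe, file_hdr + 16)
    opt = file_hdr + 20
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B          # PE32+?
    # data directory 1 (import table) follows the 96/112 standard header bytes
    import_rva, _ = struct.unpack_from("<II", pe, opt + (112 if plus else 96) + 8)
    sect_base = opt + opt_size

    def rva_to_off(rva):
        for i in range(nsect):
            vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, sect_base + 40 * i + 8)
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x outside every section" % rva)

    if import_rva == 0:
        return {}
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    imports, desc = {}, rva_to_off(import_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", pe, desc)
        if name_rva == 0:                     # all-zero descriptor ends the table
            break
        thunk, funcs = rva_to_off(ilt or iat), []
        while True:
            val, = struct.unpack_from(fmt, pe, thunk)
            if val == 0:
                break
            # ordinal import, or RVA of IMAGE_IMPORT_BY_NAME (2-byte hint, then name)
            funcs.append(val & 0xFFFF if val & ord_flag else _cstr(pe, rva_to_off(val) + 2))
            thunk += size
        imports[_cstr(pe, rva_to_off(name_rva)).lower()] = funcs
        desc += 20
    return imports


def hijackable_imports(imports, known_dlls=KNOWN_DLLS):
    """KnownDLLs are always mapped from System32; every other name is searched
    for in the application directory FIRST, i.e. next to a downloaded .exe."""
    return {d: f for d, f in imports.items() if d not in known_dlls}


def planted_outcome(required, exported):
    """The loader snaps every static import before any DllMain runs, so a
    planted DLL lacking one required entry aborts the process ("procedure entry
    point ... could not be located"): denial of service. Export them all and
    the rogue DllMain runs: code execution."""
    missing = [f for f in required if f not in exported]
    if missing:
        return "denial of service, missing: " + ", ".join(map(str, missing))
    return "code execution"


def build_sample_pe(imports):
    """Constructed minimal PE32 (one .idata section) holding just an import table."""
    SECT_RVA, SECT_RAW = 0x1000, 0x200
    blob = bytearray(20 * (len(imports) + 1))       # descriptor table goes first

    def put(data):
        blob.extend(data)
        return SECT_RVA + len(blob) - len(data)

    descs = b""
    for dll, funcs in imports:
        name_rva = put(dll.encode("ascii") + b"\0")
        thunks = [(1 << 31) | f if isinstance(f, int) else put(b"\0\0" + f.encode("ascii") + b"\0")
                  for f in funcs]
        ilt = put(struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0))
        iat = put(struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0))
        descs += struct.pack("<5I", ilt, 0, 0, name_rva, iat)
    blob[:len(descs)] = descs
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, len(blob), 0, 0x1000, 0x1000, 0x1000, 0x400000,
                      0x1000, SECT_RAW, 4, 0, 0, 0, 4, 0, 0, 0x2000, SECT_RAW, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", *d) for d in
                    [(0, 0), (SECT_RVA, 20 * (len(imports) + 1))] + [(0, 0)] * 14)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), SECT_RVA, len(blob), SECT_RAW,
                       0, 0, 0, 0, 0x40000040)
    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102) + opt + dirs + sect)
    return headers.ljust(SECT_RAW, b"\0") + bytes(blob)


# Constructed import list modelled on the names the advisory cites for setup-x86.exe.
SAMPLE_IMPORTS = [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"]),
                  ("WSock32.dll", ["recv"]), ("PSAPI.DLL", ["EnumProcesses"]),
                  ("WS2_32.dll", [21])]

if __name__ == "__main__":
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_IMPORTS)
    for dll, funcs in hijackable_imports(parse_imports(pe)).items():
        print("%s is resolved from the application directory; a planted copy must export %s"
              % (dll, funcs))
```

Two caveats when using this against a real installer. First, a DLL loaded at run time with LoadLibrary never appears in the static import table; judging from step 5 versus step 7 that is how UXTheme.dll and DWMAPI.dll are loaded here (a sentinel DLL that exports nothing still got to run), so this parser only finds the WSock32/PSAPI/WS2_32 class of imports, and a sentinel DLL as in the advisory, or a file-system monitor, is needed for the rest. Second, the KnownDLLs set depends on the Windows version: on Vista and later PSAPI.dll, WS2_32.dll and ClbCatQ.dll are on it, on Windows XP they were not, which is my reading of why the advisory lists those names for XP only; read the registry key on the target box rather than trusting the excerpt above.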

See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!

stay tuned
Stefan Kanthak


2015-12-28 report sent to <security@cygwin.com>,
<security@cygwin.org> and <security@sourceware.org>


2015-12-28 report sent to <security@redhat.com>

No answer, not even an acknowledgement of receipt

2016-01-06 report resent to <cygwin@cygwin.com> and

2016-01-07 clueless reply from reader of <cygwin@cygwin.com>:
"- cygwin mailing list is public, you violate your
own policy;
- Windows XP is unsupported"

2016-01-07 sent reply to <cygwin@cygwin.com>:
- see <https://cygwin.com/lists.html>
| cygwin: In general, you should send questions and
| bug reports here.
- see RFC 2142: <security@cygwin.com>,
<security@cygwin.org> and <security@sourceware.org>
all bounce, then read my policy again.
- Windows Embedded POSReady 2009 is Windows XP SP3
in disguise and supported until 2019.
- which part of "UXTheme.dll is loaded (on every version
of Windows)" is not understood?

In an effort to cut down on our spam intake, we block email that is
detected as spam by the SpamAssassin program. Your email was flagged as
spam by that program. See: http://spamassassin.apache.org/ for more
Contact cygwin-owner@cygwin.com if you have questions about this. (#5.7.2)

2016-01-07 sent questions to <cygwin-owner@cygwin.com>

<cygwin-owner@cygwin.com>: host sourceware.org[] said:
552 spam score exceeded threshold (in reply to end of DATA command)

2016-02-26 report published
Cygwin is obviously neither interested in communication
nor willing to fix their vulnerable installer!
© 2020 Packet Storm. All rights reserved.