====================================================================== = Security Objectives Advisory (SECOBJADV-2008-02) = ====================================================================== Cygwin Installation and Update Process can be Subverted Vulnerability http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt AFFECTED: Cygwin setup.exe 2.573.2.2 PLATFORM: Intel / Windows CLASSIFICATION: Insufficient Verification of Data Authenticity (CWE-345) RESEARCHER: Derek Callaway IMPACT: Client-side code execution SEVERITY: Medium DIFFICULTY: Moderate REFERENCES: CVE-2008-3323, RedHat Bugzilla Bug 449929 BACKGROUND Cygwin is a Linux-like environment for Windows. It consists of two parts: 1. A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality. 2. A collection of tools which provide Linux look and feel. SUMMARY Cygwin is a Linux-like environment for Microsoft Windows copyrighted by Red Hat, Inc. Tarball software packages are installed and updated via setup.exe. This program downloads a package list and packages from mirrors over plaintext HTTP or FTP. The package list contains MD5 checksums for verifying package integrity. If a rogue server answers the HTTP request responsible for package updates and responds with a modified MD5 string setup.exe will download and install a malicious package. ANALYSIS To successfully exploit this vulnerability an attacker must be able to somehow position themself such that they can impersonate a Cygwin mirror. As a proof-of-concept the local hosts file was modified but an attack that occurs in the wild can be accomplished through DNS cache poisoning, ARP redirection, TCP hijacking, impersonation of a Wi-Fi Access Point, etc. The attacker also would have configured a rogue web server to push out package code of their choosing. The success of attacks that utilize the DNS cache poisoning approach has recently been compounded by Kaminsky's birthday paradox technique (CVE-2008-1447.) For testing purposes, gzip was used as the malicious package although any and all packages can be trojanned (including base-files.) gzip was chosen for testing purposes because it is so common. A real attacker would probably target more of a lynchpin package like bash. The version, time, size, and MD5 sum of the gzip entry in the setup.ini file was modified for the rogue Cygwin server. The location of the altered gzip package was /sourceware/cygwin/release/gzip/gzip-3.1.33-7.tar.bz2. When setup.exe is executed it will automatically download the modified package from the rogue server. /usr/bin/gzip was replaced by /usr/bin/ls during Security Objectives' testing. In a real attack scenario bash could be trojanned or a complete rootkit could be installed. The user is likely to not even notice the malicious package being setup as it is auto-selected for installation. WORKAROUND Refrain from using Cygwin setup.exe versions prior to 2.573.2.3. VENDOR RESPONSE Cygwin Setup.exe version 2.573.2.3 addresses this vulnerability. http://cygwin.com/setup/snapshots/setup-2.573.2.3.exe DISCLOSURE TIMELINE 20-May-2008 Discovery of Vulnerability 22-May-2008 Developed Proof-of-Concept 25-May-2008 Reported to Vendor 04-Jun-2008 RedHat Bugzilla ID Opened 19-Jun-2008 Vendor Supplied Patched Program for Testing 21-Jun-2008 Fix Applied to Bug in Original Patch 22-Jul-2008 New Setup Program Tested and Verified 25-Jul-2008 Published Advisory ABOUT SECURITY OBJECTIVES Security Objectives is a security centric consultancy and software development corporation which operates in the area of application assurance software. Security Objectives employs methods that are centered on software comprehension, therefore a more in-depth contextual understanding of the application is developed. http://security-objectives.com/ LEGAL Permission is granted for electronic distribution of this advisory. It may not be edited without the written consent of Security Objectives. The information contained in this advisory is believed to be accurate based on currently available information and is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the information is with you.