Re: Cygwin's ACL handling is NOT interoperable with Windows

2018-08-05 Thread Stefan Kanthak 
Andrey Repin wrote:

> Greetings, Stefan Kanthak!
> 
>> PS: <https://cygwin.com/cygwin-ug-net/using.html#pathnames-win32-api>
>> too states bloody lies:
> 
>> | The Windows subsystem only supports CWD paths of up to 258 chars.
 ~~~
> 
> 260 including drive letter.

WRONG, AGAIN!
260 is the value of MAX_PATH, which accounts for the trailing \0, and
commonly used as

| char buffer[MAX_PATH];

I recommend to read
<https://docs.microsoft.com/en-us/windows/desktop/fileio/naming-a-file>
VERY careful!

>> The Win32 API supports pathnames with up to 32767 (Unicode) characters;
>> this includes of course the CWD!
> 
> CWD may be, but command processor does not.

Neither Cygwin's WRONG documentation nor I referred to the command processor.

regards
Stefan

--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple

Cygwin's ACL handling is NOT interoperable with Windows

2018-08-04 Thread Stefan Kanthak 
Hi,

<https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files> states:

| There's just one problem when trying to map the POSIX permission model
| onto the Windows permission model.
...
| Canonical ACLs are unable to reflect each possible combination of POSIX
| permissions.
...
| Again: This works on all supported versions of Windows. Only the GUIs
| aren't able (or willing) to deal with that order.

These last two statements are wrong:

* the first statement holds ONLY because of the LIMITATION of the POSIX
  permissions; it is WRONG for the general case, which ALL Windows
  interfaces/components need to consider and handle, EVERYWHERE!

* the second statement is a blatant lie: to guarantee CORRECT
  interpretation of arbitrary ACLs, ALL Windows interfaces/components,
  not just the "GUIs", MUST create CANONICAL ACLs only.

  This especially means that not just Windows Explorer, but also the
  command processor with its builtin COPY command as well as the
  CopyFile() <https://msdn.microsoft.com/en-us/library/aa220078.aspx>
  API (just to pick 3 examples) bring INHERITED ACEs into their PROPER
  canonical order.

As Cygwin is a guest in the house of Windows, it should respect its hosts
house rules; instead it but violates them, and blames the host for its
faults!

| But don't even think of pressing OK...

Fortunately nobody need to press OK here, but everybody can demonstrate
Cygwin's defects as follows:

* Use Windows Explorer, the command processor or CopyFile() to copy an
  arbitrary file into a directory created by Cygwin, then inspect its
  ACL!

* Use Windows' Explorer, the command processor or CopyFile() to copy an
  arbitrary file created by Cygwin into an arbitrary directory created
  by Cygwin, then inspect its ACL.

* Use Windows Explorer or the command processor to create a subdirectory
  in a directory created by Cygwin, then inspects its ACL!

Do these ACLs reflect the intended or expected POSIX permissions?
OUCH³!


Win32 functions like CreateFile() and CreateDirectory()
(see <https://msdn.microsoft.com/en-us/library/aa363858.aspx>
and <https://msdn.microsoft.com/en-us/library/aa363855.aspx>)
allow to write NON-canonical ACLs via direct specification of a
"security descriptor"; if NULL is specified (which is the typical
case), they create canonical ACLs, reordering inherited ACEs!

Unfortunately their documentation misses remarks on the proper
canonical order of ACLs, and how inherited but UNORDERED ACLs are
handled.

The documentation of other Win32 functions, for example
AddAccessAllowedAce() and AddAccessDeniedAce()
(see <https://msdn.microsoft.com/en-us/library/aa374947.aspx>
and <https://msdn.microsoft.com/de-de/library/aa374962.aspx>)
but EXPLICITLY states:

| These functions do not automatically place the new ACE in the
| proper canonical order. It is the caller's responsibility to
| ensure that the ACL is in canonical order by adding ACEs in the
| proper sequence.

<https://msdn.microsoft.com/en-us/library/aa374951.aspx> and
<https://msdn.microsoft.com/en-us/library/aa374964.aspx> go further:

| The caller must ensure that ACEs are added to the DACL in the
| correct order. For more information, see Order of ACEs in a DACL.

<https://msdn.microsoft.com/en-us/library/aa379298.aspx>
<https://msdn.microsoft.com/en-us/library/aa446683.aspx>
<https://technet.microsoft.com/en-us/library/cc781716.aspx>

| The canonical order ensures that an explicit access-denied ACE is
| enforced regardless of any explicit access-allowed ACE.

JFTR: for the algorithm used in Windows and why the proper order of
  ACLs is crucial see
  <https://blogs.msdn.microsoft.com/oldnewthing/20070608-00/?p=26503>

  Also see <http://www.ntfs.com/ntfs-permissions-acl-use.htm>

Fix Cygwin's BUGGY ACL creation!

regards
Stefan Kanthak

PS: <https://cygwin.com/cygwin-ug-net/using.html#pathnames-win32-api>
too states bloody lies:

| The Windows subsystem only supports CWD paths of up to 258 chars.

The Win32 API supports pathnames with up to 32767 (Unicode) characters;
this includes of course the CWD!


--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple

Re: Defective "portable executables" distributed/created by Cygwin

2018-05-10 Thread Stefan Kanthak 
VS/VC 2010 (as well as VS/VC 2008) is still supported by Microsoft.

To my knowledge, 10.00.40219.386 is the latest linker available for
VS/VC 2010.
Where can I get a fixed linker for this supported product?

regards
Stefan Kanthak

- Original Message - 
From: "YongKang Zhu" 
To: "Ten Tzen" ; "Steve Carroll (VISUAL STUDIO)" 
; "Stefan Kanthak"
; 
Cc: "Compiler Crash" 
Sent: Thursday, May 10, 2018 11:45 PM
Subject: RE: Defective "portable executables" distributed/created by Cygwin


I remember this has been fixed.  Please try use a more recent linker.

>From the exception message below, the linker from VS 2010 was being used.

From: Ten Tzen
Sent: Thursday, May 10, 2018 2:27 PM
To: Steve Carroll (VISUAL STUDIO) ; Stefan 
Kanthak ; cygwin@cygwin.com;
YongKang Zhu 
Cc: Compiler Crash 
Subject: Re: Defective "portable executables" distributed/created by Cygwin

+Yongkang

Get Outlook for iOS<https://aka.ms/o0ukef>

From: Steve Carroll (VISUAL STUDIO)
Sent: Thursday, May 10, 2018 3:29:24 PM
To: Stefan Kanthak; cygwin@cygwin.com<mailto:cygwin@cygwin.com>; Ten Tzen
Cc: Compiler Crash
Subject: RE: Defective "portable executables" distributed/created by Cygwin

@Ten Tzen can you take a look?

-Original Message-
From: Stefan Kanthak mailto:stefan.kant...@nexgo.de>>
Sent: Thursday, May 10, 2018 11:30 AM
To: cygwin@cygwin.com<mailto:cygwin@cygwin.com>
Cc: Compiler Crash 
mailto:compilercr...@microsoft.com>>
Subject: Defective "portable executables" distributed/created by Cygwin

Hi @ll,

the "portable executables" distributed by Cygwin (and of course those created 
with Cygwin's GCC toolchain too) have INVALID/ILLEGAL
headers:

0. Microsoft's DUMPBIN.EXE alias LINK.EXE /DUMP aborts with
   "access violation" (see below) on almost all Cygwin binaries!

1. they use INVALID/ILLEGAL section names like "/4" or "/14", upon
   which Microsoft's DUMPBIN.EXE alias LINK.EXE /DUMP stops enumerating
   the section headers (see below)!

   From the PE format specification
   
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2F%2Fms680547.aspx%23secti
on_table__section_headers_&data=02%7C01%7CSteven.Carroll%40microsoft.com%7C0e2f82b44f0347620dda08d5b6a5bd04%7C72f988bf86f141af91ab2d
7cd011db47%7C1%7C0%7C636615745333593092&sdata=FUYwQywfO%2FPDIDeT3%2BQSaVEk7iLj32PRJT4T8mxUKdg%3D&reserved=0>:

| Offset  Size  Field  Description
|  0 8  Name   An 8-byte, null-padded UTF-8 encoded string.
|  If the string is exactly 8 characters long,
|  there is no terminating null. For longer names,
|  this field contains a slash (/) that is followed
|  by an ASCII representation of a decimal number
|  that is an offset into the string table.
|  Executable images do not use a string table and
| do
   ~~
|  not support section names longer than 8 characters.
   ~~~
|  Long names in object files are truncated if they
   
|  are emitted to an executable file.
   ~~

2. despite no COFF symbol table and a symbol count of 0 (in words: ZERO!)
   they specify the "PointerToSymbolTable" (see below)!

   From the PE format specification
   
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2F%2Fms680547.aspx%23coff_
file_header__object_and_image_&data=02%7C01%7CSteven.Carroll%40microsoft.com%7C0e2f82b44f0347620dda08d5b6a5bd04%7C72f988bf86f141af91
ab2d7cd011db47%7C1%7C0%7C636615745333593092&sdata=gbNW5KJ5qkGc2IjJf3eEeSQDeqk3iQN5iBQUbf2WNec%3D&reserved=0>:

| Offset  Size  Field Description
|  8 4  PointerToSymbolTable  The file offset of the COFF symbol
| table, or zero if no COFF symbol
|     table is present. This value should
| be zero for an image because COFF
| debugging information is deprecated.

Please fix your tools!

regards
Stefan Kanthak

=== output from LINK.EXE /DUMP bash.exe ===

Microsoft (R) COFF/PE Dumper Version 10.00.40219.386 Copyright (C) Microsoft 
Corporation.  All rights reserved.


Dump of file bash.exe

File Type: EXECUTABLE IMAGE

LINK : fatal error LNK1000: Internal error during DumpSections

  Version 10.00.40219.386

  ExceptionCode= C005
  E

Defective "portable executables" distributed/created by Cygwin

2018-05-10 Thread Stefan Kanthak 
Hi @ll,

the "portable executables" distributed by Cygwin (and of course those
created with Cygwin's GCC toolchain too) have INVALID/ILLEGAL headers:

0. Microsoft's DUMPBIN.EXE alias LINK.EXE /DUMP aborts with
   "access violation" (see below) on almost all Cygwin binaries!

1. they use INVALID/ILLEGAL section names like "/4" or "/14", upon
   which Microsoft's DUMPBIN.EXE alias LINK.EXE /DUMP stops enumerating
   the section headers (see below)!

   From the PE format specification
   
<https://msdn.microsoft.com/en-us/library//ms680547.aspx#section_table__section_headers_>:

| Offset  Size  Field  Description
|  0 8  Name   An 8-byte, null-padded UTF-8 encoded string.
|  If the string is exactly 8 characters long,
|  there is no terminating null. For longer names,
|  this field contains a slash (/) that is followed
|  by an ASCII representation of a decimal number
|  that is an offset into the string table.
|  Executable images do not use a string table and do
   ~~
|  not support section names longer than 8 characters.
   ~~~
|  Long names in object files are truncated if they
   
|  are emitted to an executable file.
   ~~

2. despite no COFF symbol table and a symbol count of 0 (in words: ZERO!)
   they specify the "PointerToSymbolTable" (see below)!

   From the PE format specification
   
<https://msdn.microsoft.com/en-us/library//ms680547.aspx#coff_file_header__object_and_image_>:

| Offset  Size  Field Description
|  8 4  PointerToSymbolTable  The file offset of the COFF symbol
| table, or zero if no COFF symbol
| table is present. This value should
| be zero for an image because COFF
|     debugging information is deprecated.

Please fix your tools!

regards
Stefan Kanthak

=== output from LINK.EXE /DUMP bash.exe ===

Microsoft (R) COFF/PE Dumper Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file bash.exe

File Type: EXECUTABLE IMAGE

LINK : fatal error LNK1000: Internal error during DumpSections

  Version 10.00.40219.386

  ExceptionCode= C005
  ExceptionFlags   = 
  ExceptionAddress = 00427FE0 (0040) "C:\Program Files\Microsoft 
Visual Studio 2010\VC\bin\link.exe"
  NumberParameters = 0002
  ExceptionInformation[ 0] = 
  ExceptionInformation[ 1] = 0004

CONTEXT:
  Eax= 4040  Esp= 0012E740
  Ebx= 014B53C0  Ebp= 0012E768
  Ecx= 0004  Esi= 0004
  Edx= 00404164  Edi= 014C
  Eip= 00427FE0  EFlags = 00010246
  SegCs  = 001B  SegDs  = 0023
  SegSs  = 0023  SegEs  = 0023
  SegFs  = 003B  SegGs  = 
  Dr0=   Dr3= 
  Dr1=   Dr6= 
  Dr2=   Dr7= 

=== output from LINK.EXE /DUMP /HEADERS bash.exe ===

Microsoft (R) COFF/PE Dumper Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file bash.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
 14C machine (x86)
   B number of sections
3000 time date stamp Thu Jan 01 04:24:48 1970
   C2600 file pointer to symbol table
   0 number of symbols
  E0 size of optional header
 32E characteristics
   Executable
   Line numbers stripped
   Symbols stripped
   Application can handle large (>2GB) addresses
   32 bit word machine
   Debug information stripped

OPTIONAL HEADER VALUES
 10B magic # (PE32)
2.25 linker version
   7C800 size of code
   C2200 size of initialized data
9E00 size of uninitialized data
1000 entry point (00401000)
1000 base of code
   7E000 base of data
  40 image base (0040 to 004D2FFF)
1000 section alignment
 200 file alignment
4.00 operating system version
1.00 image version
4.00 subsystem version
   0 Win32 version
   D3000 size of image
 400 size of headers
   C85A6 checksum
   3 subsystem (Windows CUI)
8000 DLL characteristics

Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory

2016-01-06 Thread Stefan Kanthak 
Second and last chance!
See <http://home.arcor.de/skanthak/policy.html>

- Original Message - 
From: "Stefan Kanthak" 
To: 
Cc: 
Sent: Monday, December 28, 2015 4:23 AM
Subject: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL 
from its application directory


> Hi,
> 
> Cygwin's setup-x86.exe loads and executes UXTheme.dll
> (on Windows XP also ClbCatQ.dll) and more from its
> "application directory".
> 
> For software downloaded with a web browser the application
> directory is typically the user's "Downloads" directory: see
> <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
> <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
> and <http://seclists.org/fulldisclosure/2012/Aug/134>
> 
> If UXTheme.dll (or one of the other DLLs) gets planted in
> the user's "Downloads" directory per "drive-by download" or
> "social engineering" this vulnerability becomes a remote code
> execution.
> 
> If setup-x86.exe is NOT started with --no-admin the vulnerability
> results in an escalation of privilege too!
> 
> 
> Proof of concept/demonstration:
> ~~~
> 
> 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
>   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
>   it as UXTheme.dll in your "Downloads" directory;
> 
> 2. on Windows XP, copy the downloaded UXTheme.dll as ClbCatQ.dll;
> 
> 3. download setup-x86.exe and save it in your "Downloads" directory;
> 
> 4. execute setup-x86.exe from your "Downloads" directory;
> 
> 5. notice the message boxes displayed from UXTheme.dll placed in
>   step 1 (and ClbCatQ.dll placed in step 2).
> 
> PWNED!
> 
> 6. copy the downloaded UXTheme.dll as WSock32.dll (on Windows XP
>   also as PSAPI.dll and WS2_32.dll);
> 
> 7. rerun setup-x86.exe from your "Downloads" directory.
> 
> DOSSED!
> 
> 8. turning the denial of service into an arbitrary (remote) code
>   execution is trivial: just add the SINGLE entry (PSAPI.dll:
>   EnumProcesses, WSock32.Dll: recv, WS2_32.dll: Ordinal 21)
>   referenced from setup-x86.exe to a rogue DLL of your choice.
> 
> PWNED again!
> 
> 
> See <http://seclists.org/fulldisclosure/2015/Nov/101>,
> <http://seclists.org/fulldisclosure/2015/Dec/86> and
> <http://seclists.org/fulldisclosure/2015/Dec/121> plus
> <http://home.arcor.de/skanthak/!execute.html> and
> <http://home.arcor.de/skanthak/sentinel.html> for details about
> this well-known and well-documented BEGINNER'S error!
> 
> 
> Then dump your vulnerable executable installer and provide a SAFE
> installer instead: either .MSI or .INF (plus .CAB).
> 
> 
> I'll publish in 45 days.
> See <http://home.arcor.de/skanthak/policy.html> and return the
> CVE identifier assigned for this vulnerability to me!
> 
> 
> regards
> Stefan Kanthak

--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple