SECOBJADV-2008-02.txt

Posted Jul 26, 2008
Authored by Derek Callaway | Site security-objectives.com

Security Objectives Advisory - The Cygwin installation and update process can be subverted owing to a lack of authenticated checksum verification. Cygwin setup.exe version 2.573.2.2 is affected.

tags | advisory
MD5 | 0d95149f3d415d7bc0ba049956304dd5

======================================================================
= Security Objectives Advisory (SECOBJADV-2008-02) =
======================================================================

Cygwin Installation and Update Process can be Subverted Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt

AFFECTED: Cygwin setup.exe 2.573.2.2

PLATFORM: Intel / Windows

CLASSIFICATION: Insufficient Verification of Data Authenticity (CWE-345)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution

SEVERITY: Medium

DIFFICULTY: Moderate

REFERENCES: CVE-2008-3323, RedHat Bugzilla Bug 449929


BACKGROUND

Cygwin is a Linux-like environment for Windows. It consists of two parts:

1. A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing
substantial Linux API functionality.

2. A collection of tools which provide Linux look and feel.

SUMMARY

Cygwin is a Linux-like environment for Microsoft Windows, copyrighted by
Red Hat, Inc. Tarball software packages are installed and updated via
setup.exe. This program downloads a package list and packages from
mirrors over plaintext HTTP or FTP. The package list contains MD5
checksums for verifying package integrity. If a rogue server answers the
HTTP request responsible for package updates and responds with a
modified MD5 string, setup.exe will download and install a malicious package.

ANALYSIS

To successfully exploit this vulnerability an attacker must be able to
position themselves such that they can impersonate a Cygwin mirror.
As a proof-of-concept the local hosts file was modified, but an attack
that occurs in the wild can be accomplished through DNS cache
poisoning, ARP redirection, TCP hijacking, impersonation of a Wi-Fi
access point, etc. The attacker would also have configured a rogue web
server to push out package code of their choosing. The success of
attacks that use the DNS cache poisoning approach has recently been
made more likely by Kaminsky's birthday paradox technique (CVE-2008-1447).

For testing purposes, gzip was used as the malicious package, although
any and all packages can be trojaned (including base-files). gzip was
chosen for testing because it is so common. A real attacker
would probably target a more central package such as bash. The version,
time, size, and MD5 sum of the gzip entry in the setup.ini file were
modified on the rogue Cygwin server. The location of the altered gzip
package was /sourceware/cygwin/release/gzip/gzip-3.1.33-7.tar.bz2.

When setup.exe is executed it will automatically download the modified
package from the rogue server. /usr/bin/gzip was replaced by /usr/bin/ls
during Security Objectives' testing. In a real attack scenario bash
could be trojaned or a complete rootkit could be installed. The user is
unlikely to even notice the malicious package being set up, as it is
auto-selected for installation.
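The trust chain described in the SUMMARY and ANALYSIS sections, as an added Python model that is not part of this advisory or of Cygwin's setup.exe. It shows why verifying a package against the MD5 carried in setup.ini proves nothing when setup.ini itself arrives unauthenticated from the mirror: a rogue mirror simply ships a manifest whose size and MD5 match its trojaned package. The second client only uses the manifest's checksums after authenticating the manifest against a key pinned in the client. The manifest layout is loosely modelled on setup.ini's `install:` line, the package bytes and key are constructed, and the HMAC stands in for a detached signature; the advisory does not state how 2.573.2.3 fixes the issue, so none of this is Cygwin's code.

```python
"""Toy model of the setup.exe trust chain: manifest checksums are only as
trustworthy as the channel the manifest came over.  All bytes, keys and
manifest values are constructed for this example."""
from __future__ import annotations

import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_manifest(packages: dict[str, bytes]) -> str:
    """Emit a setup.ini-style manifest: '@ name' then 'install: path size md5'.
    Paths are constructed, not real mirror paths."""
    lines = []
    for name, blob in sorted(packages.items()):
        lines.append(f"@ {name}")
        lines.append(f"install: release/{name}/{name}.tar.bz2 {len(blob)} {md5_hex(blob)}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, tuple[int, str]]:
    """Return {package: (size, md5)} from the manifest text."""
    entries: dict[str, tuple[int, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("@ "):
            current = line[2:].strip()
        elif line.startswith("install:") and current is not None:
            _, _path, size, digest = line.split()
            entries[current] = (int(size), digest)
    return entries


def checksum_matches(manifest: str, name: str, blob: bytes) -> bool:
    """Checksum-only check: trusts whatever size and MD5 the manifest carries."""
    size, digest = parse_manifest(manifest)[name]
    return len(blob) == size and hmac.compare_digest(md5_hex(blob), digest)


def sign_manifest(manifest: str, key: bytes) -> str:
    """Stand-in for the publisher producing a detached signature over the manifest."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: str, tag: str, key: bytes) -> bool:
    """Client-side check against a key pinned in the client, never fetched from the mirror."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def install_checksum_only(manifest: str, name: str, blob: bytes) -> str:
    """Client that only verifies the package against the manifest's checksum."""
    return "installed" if checksum_matches(manifest, name, blob) else "rejected: checksum mismatch"


def install_authenticated(manifest: str, tag: str, name: str, blob: bytes, key: bytes) -> str:
    """Client that refuses to use any manifest it cannot authenticate first."""
    if not manifest_is_authentic(manifest, tag, key):
        return "rejected: manifest not authentic"
    return install_checksum_only(manifest, name, blob)


# --- constructed scenario -----------------------------------------------------
PINNED_KEY = b"constructed-pinned-key"  # real client: a public key compiled in
GENUINE_GZIP = b"constructed bytes of the genuine gzip tarball"
TROJANED_GZIP = b"constructed bytes of a trojaned gzip tarball"

GENUINE_MANIFEST = build_manifest({"gzip": GENUINE_GZIP})
GENUINE_TAG = sign_manifest(GENUINE_MANIFEST, PINNED_KEY)

# The rogue mirror serves its own manifest whose size and MD5 match the trojan...
ROGUE_MANIFEST = build_manifest({"gzip": TROJANED_GZIP})
# ...but without the pinned key it can only guess a tag or replay the genuine one.
ROGUE_TAG = sign_manifest(ROGUE_MANIFEST, b"attacker-chosen-key")


def run_scenario() -> dict[str, str]:
    """Outcome of each client model against the honest and the rogue mirror."""
    return {
        "checksum_only/honest": install_checksum_only(GENUINE_MANIFEST, "gzip", GENUINE_GZIP),
        "checksum_only/rogue": install_checksum_only(ROGUE_MANIFEST, "gzip", TROJANED_GZIP),
        "authenticated/honest": install_authenticated(
            GENUINE_MANIFEST, GENUINE_TAG, "gzip", GENUINE_GZIP, PINNED_KEY),
        "authenticated/rogue": install_authenticated(
            ROGUE_MANIFEST, ROGUE_TAG, "gzip", TROJANED_GZIP, PINNED_KEY),
        "authenticated/rogue_replayed_tag": install_authenticated(
            ROGUE_MANIFEST, GENUINE_TAG, "gzip", TROJANED_GZIP, PINNED_KEY),
    }


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:34} {outcome}")
```

The checksum-only client installs the trojaned package from the rogue mirror with no error, because the only thing the checksum proves is that the package matches the manifest the same attacker wrote. The point is the channel and the authenticity of the manifest, not the strength of MD5: a SHA-256 carried in an unauthenticated setup.ini would fail in exactly the same way.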

WORKAROUND

Refrain from using Cygwin setup.exe versions prior to 2.573.2.3.

VENDOR RESPONSE

Cygwin Setup.exe version 2.573.2.3 addresses this vulnerability.

http://cygwin.com/setup/snapshots/setup-2.573.2.3.exe

DISCLOSURE TIMELINE

20-May-2008 Discovery of Vulnerability
22-May-2008 Developed Proof-of-Concept
25-May-2008 Reported to Vendor
04-Jun-2008 RedHat Bugzilla ID Opened
19-Jun-2008 Vendor Supplied Patched Program for Testing
21-Jun-2008 Fix Applied to Bug in Original Patch
22-Jul-2008 New Setup Program Tested and Verified
25-Jul-2008 Published Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security-centric consultancy and software development
corporation which operates in the area of application assurance software.
Security Objectives employs methods that are centered on software
comprehension, so that a more in-depth contextual understanding of the
application is developed.

http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based on
currently available information and is provided "as is" without warranty of
any kind, either expressed or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality and performance of the information is with
you.
