This is the mail archive of the cygwin-developers mailing list for the Cygwin project.
RE: cygwin1.dll up to 1.5.22 overflow
- From: "Dave Korn" <dave dot korn at artimi dot com>
- To: <cygwin-developers at cygwin dot com>
- Date: Tue, 20 Nov 2007 10:24:45 -0000
- Subject: RE: cygwin1.dll up to 1.5.22 overflow
- References: <1195553439.4742b29fbf2cd@mail.isecauditors.com>
On 20 November 2007 10:11, Jesus wrote:
> Hello developers,
Hola Jesus.
> cygwin1.dll is vulnerable to a dangerous buffer overflow that can be exploited
> remotely.
> Exception: STATUS_ACCESS_VIOLATION at eip=6109008D
> eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055
> edi=59595957 ebp=6E6C006C esp=0022E51B program=C:\sshd\bin\scp.exe
> cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
> I think the version is 1.5.7-1 and prior:
>
> sha0:~# strings /root/backup2/cygwin/bin/cygwin1.dll | grep -i cygwin\-
> /netrel/src/cygwin-1.5.7-1/winsup/cygwin/cygheap.cc
> /netrel/src/cygwin-1.5.7-1/winsup/cygwin/dir.cc
> ...
>
> It seems that the problem is at getppid(), but this debugger is inside
> cygwin, maybe debugging from outside will see different things.
Thanks, this would explain why I could not reproduce with 1.5.21. I'll have
a go at 1.5.7 later this evening and make sure I can fully diagnose what's
going on.
cheers,
DaveK
--
Can't think of a witty .sigline today....
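The register dump quoted in the report above is the kind of thing a maintainer triages before deciding whether a crash is a plain bug or memory corruption driven by input. The script below is an added example, not code from the thread or from the Cygwin project: it parses a Cygwin-style exception line and register list, flags registers whose four bytes are all printable ASCII (a common sign that input data was copied over a saved register or pointer), and flags a frame pointer that has drifted far from the stack pointer. The sample dump is the one quoted in the mail, embedded here so the script runs offline; the ASCII-fill heuristic and the 1 MiB `stack_window` threshold are assumptions of this example, not rules from the page.

```python
import re

# Constructed sample input: the register dump quoted in the thread above,
# reproduced here so the script runs without any external file.
SAMPLE_DUMP = """\
Exception: STATUS_ACCESS_VIOLATION at eip=6109008D
eax=6167343A ebx=5959595A ecx=6167343C edx=04A96F89 esi=6E6C0055
edi=59595957 ebp=6E6C006C esp=0022E51B program=C:\\sshd\\bin\\scp.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
"""

# General-purpose 32-bit registers plus eip. Segment registers are skipped:
# their values are selectors, not data, so the ASCII heuristic is meaningless there.
REG_RE = re.compile(r'\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9A-Fa-f]{8})\b')
EXC_RE = re.compile(r'Exception:\s+(\S+)')
PROG_RE = re.compile(r'program=(\S+)')


def parse_dump(text):
    """Extract the exception name, crashing program path and register values."""
    exc = EXC_RE.search(text)
    prog = PROG_RE.search(text)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    return {
        'exception': exc.group(1) if exc else None,
        'program': prog.group(1) if prog else None,
        'regs': regs,
    }


def is_printable_fill(value):
    """True if all four bytes of a 32-bit value are printable ASCII (0x20..0x7e).

    Assumed heuristic: a register full of printable bytes usually means it was
    loaded from memory that input data had overwritten."""
    return all(0x20 <= b <= 0x7e for b in value.to_bytes(4, 'big'))


def as_ascii(value):
    """Render a register value as the text it spelled in memory (little-endian order)."""
    return value.to_bytes(4, 'little').decode('ascii', errors='replace')


def triage(text, stack_window=0x100000):
    """Summarise a dump: which registers look like copied input text, and whether
    ebp is so far from esp that the saved frame pointer was probably clobbered.

    stack_window (1 MiB) is an assumed bound on a sane ebp/esp distance."""
    d = parse_dump(text)
    regs = d['regs']
    ascii_regs = {r: as_ascii(v) for r, v in sorted(regs.items()) if is_printable_fill(v)}
    ebp, esp = regs.get('ebp'), regs.get('esp')
    frame_suspect = ebp is not None and esp is not None and abs(ebp - esp) > stack_window
    return {
        'exception': d['exception'],
        'program': d['program'],
        'eip': regs.get('eip'),
        'ascii_regs': ascii_regs,
        'frame_pointer_suspect': frame_suspect,
    }


if __name__ == '__main__':
    result = triage(SAMPLE_DUMP)
    print(f"{result['exception']} in {result['program']} at eip={result['eip']:08X}")
    for reg, txt in result['ascii_regs'].items():
        print(f"  {reg} holds printable bytes: {txt!r}")
    if result['frame_pointer_suspect']:
        print("  ebp is far from esp: saved frame pointer likely overwritten")
```

Run against the quoted dump, the script reports eax, ebx, ecx and edi as holding printable bytes (ebx and edi spell runs of "Y") and flags ebp as unrelated to esp, which is the pattern a maintainer would want to see before reproducing on the affected 1.5.7 release rather than on 1.5.21.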