MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe

Brian Inglis Brian.Inglis@SystematicSW.ab.ca
Wed Feb 7 04:53:47 GMT 2024


On 2024-02-06 15:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>>
>> The vulnerability pertains to not finding
>> the profapi.dll, CFGMGR32.dll, edputil.dll,  urlmon.dll, SspiCli.dll,
>> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
>> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
>> specifically profapi.dll. If exploited, this vulnerability could allow an
>> attacker to execute arbitrary code on a victim's machine, potentially
>> leading to data breaches, system compromise, and other malicious activities.
> 
> By what means is setup.exe probing these DLLs?
> 
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).
> 
> If these DLL's being missing doesn't stop the program from running,
> doesn't that mean it's just probing for them with LoadLibrary or
> LoadLibraryEx explicitly, and then handling the failure gracefully?
> 
> Setup itself doesn't use LoadLibrary or LoadLibraryEx.
> 
> The MinGW toolchain must be introducing that somehow?
> 
> It is curious.

Could be any one of the proprietary DLLs pulled into Cygwin Setup:

$ upx -dqqqot ~/mirror/x86_64/setup-x86_64.exe
$ grep -ao '%%%\ssetup-version\s[0-9]\+\.[0-9]\+' t
%%% setup-version 2.929
$ cygcheck ./t
...\t
   C:\WINDOWS\system32\KERNEL32.DLL
     C:\WINDOWS\system32\ntdll.dll
     C:\WINDOWS\system32\KERNELBASE.dll
   C:\WINDOWS\system32\ADVAPI32.dll
     C:\WINDOWS\system32\msvcrt.dll
     C:\WINDOWS\system32\SECHOST.dll
       C:\WINDOWS\system32\RPCRT4.dll
   C:\WINDOWS\system32\COMCTL32.dll
     C:\WINDOWS\system32\GDI32.dll
       C:\WINDOWS\system32\win32u.dll
     C:\WINDOWS\system32\USER32.dll
   C:\WINDOWS\system32\ole32.dll
     C:\WINDOWS\system32\combase.dll
   C:\WINDOWS\system32\PSAPI.DLL
   C:\WINDOWS\system32\SHELL32.dll
     C:\WINDOWS\system32\msvcp_win.dll
   C:\WINDOWS\system32\SHLWAPI.dll
   C:\WINDOWS\system32\WININET.dll
   C:\WINDOWS\system32\WS2_32.dll

OP:
Which version and date of setup-x86_64.exe are you checking?
Do you have any A/V or EPP installed on your system which could be injecting
these interlopers into the call chain?

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry
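As an added example (not code from the post or from Cygwin), a small check a defender can run over cygcheck output like the tree above: it parses the dependency tree, reports whether any of the DLLs named in the original report appear in setup's static imports at all, and flags any DLL that resolves from outside the Windows system directories. The `HIJACKED_OUTPUT` line and the `C:\Users\example` path are constructed for illustration, not taken from the post.

```python
"""Added example, not Cygwin code: parse a cygcheck(1) dependency tree and
report which DLLs resolve outside the Windows system directories, and whether
the DLLs named in the report appear in the static import chain at all."""
from typing import List, Tuple

# Abbreviated cygcheck output for the unpacked setup-x86_64.exe from the post
# above; the first line is the executable itself, children indent 2 more spaces.
CYGCHECK_OUTPUT = r"""...\t
   C:\WINDOWS\system32\KERNEL32.DLL
     C:\WINDOWS\system32\ntdll.dll
     C:\WINDOWS\system32\KERNELBASE.dll
   C:\WINDOWS\system32\ADVAPI32.dll
     C:\WINDOWS\system32\msvcrt.dll
     C:\WINDOWS\system32\SECHOST.dll
       C:\WINDOWS\system32\RPCRT4.dll
   C:\WINDOWS\system32\WS2_32.dll
"""

# Constructed variant (not from the post): a DLL resolving from the application
# directory instead of System32, which is the condition a hijack relies on.
HIJACKED_OUTPUT = CYGCHECK_OUTPUT + "   C:\\Users\\example\\Downloads\\profapi.dll\n"

# DLLs the original report says setup looks for and cannot find.
REPORTED_DLLS = {"profapi.dll", "cfgmgr32.dll", "edputil.dll", "urlmon.dll",
                 "sspicli.dll", "wldp.dll", "mpr.dll", "servicingcommon.dll",
                 "textshaping.dll", "cryptbase.dll", "propsys.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_cygcheck(text: str) -> List[Tuple[int, str]]:
    """Return (depth, path) pairs; depth comes from the indent (3, 5, 7, ...)."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the executable's own line
        if line.strip():
            indent = len(line) - len(line.lstrip(" "))
            entries.append(((indent - 3) // 2, line.strip()))
    return entries

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def reported_in_import_chain(text: str) -> set:
    """Reported DLLs that appear in the static import tree (empty for the
    post's output, consistent with setup not importing them directly)."""
    return REPORTED_DLLS & {basename(p) for _, p in parse_cygcheck(text)}

def non_system_dlls(text: str) -> List[str]:
    """DLLs resolved from anywhere other than the Windows system directories."""
    return [p for _, p in parse_cygcheck(text)
            if not p.lower().startswith(SYSTEM_DIRS)]
```

For a live check, run `cygcheck ./t` as in the post and feed its output to `non_system_dlls`; any path that is not under System32/SysWOW64 deserves a closer look.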
