| www.delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| X-SWARE-Spam-Status: | No, hits=1.4 required=5.0 tests=AWL,BAYES_00 |
| X-Spam-Check-By: | sourceware.org |
| From: | Andrew McGill <list2009 AT lunch DOT za DOT net> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Write access for BUILTIN\USERS - cygwin privilege escalation vulnerability for Windows 2008 default installation |
| Date: | Mon, 21 Sep 2009 10:41:16 +0200 |
| User-Agent: | KMail/1.12.1 (Linux/2.6.24-19-generic; KDE/4.3.1; i686; ; ) |
| MIME-Version: | 1.0 |
| Message-Id: | <200909211041.17032.list2009@lunch.za.net> |
| X-IsSubscribed: | yes |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
Hi,
I ran setup.ext to install cygwin in c:\cygwin on a (fairly) fresh
installation of Windows Server 2008. On this server, the permissions of C:\
were set to allow new files to be created in subdirectories by BUILTIN\Users.
The cygwin folder inherited from the default permissions on C:\ the following
ACL:
[C:\cygwin] icacls c:\cygwin
c:\cygwin NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD) <<<<<<< AAAAAAAARGH!
BUILTIN\Users:(I)(CI)(WD) <<<<<<< AAAAAAAARGH!
ZEROTOOL\Administrator:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
This allows ANY member of BUILTIN/Users, including nt authority\network
service to create files. I can pwn the box from IIS by writing content to
these files -- and not much creativity is needed to think of many more:
c:/cygwin/home/Administrator/.ssh/authorized_keys
c:/cygwin/home/Administrator/.bashrc
c:/cygwin/home/Administrator/.bash_logout
c:/cygwin/home/Administrator/.bash_profile
c:/cygwin/home/Administrator/.vimrc
This permission was default on the system - it seems to be there on Windows
2003 as well, and maybe before that. Folders like c:\windows and c:\inetpub
have explicit permissions for builtin/users. Perhaps this is some kind of
secret best practice that cygwin is missing out on? If not, it's merely a
series of unfortunate events that adds up to a privilege escalation
vulnerability, and you really should understand windows ACL's before running
cygwin.
Feature request: The cygwin installer should set permissions on c:\cygwin to
be the same as %windir%, and not trust the operating system to do the "right
thing".
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |