This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



RE: The security of OpenSSH with cygwin.


Joe, 

Have you looked up the thread I referred you to? It explained the
issue. IN DETAIL.

> >  Right.  I cannot emphasize strongly enough that Cygwin is NOT A SECURE
> >  ENVIRONMENT.  Do NOT trust it with sensitive data.  It is trivially
> >  easy to hack.
> >
> >  cgf
> 
> 
> My Windows programming days ended awhile ago, so pardon me if this is
> incorrect or doesn't make sense.
> 
> Under Windows 9x and Millennium, there is no (respectable) security model,
....
Correct. 
 
> Now this brings me to another question:  what does this mean in Windows
> NT/2000?  I have no experience with these operating systems, but here's
> what I dare to assume:  the security model would disallow this
> inter-process mingling.

Please don't assume without at least reading the references you are
given. That wastes your time and ours.

No-one said _anything_ about the security model being the issue - they
said that 

Cygwin AS IT IS IMPLEMENTED TODAY has KNOWN PROBLEMS resulting in
TRIVIAL HACKS.

Please read the thread I referred you to. It explains the particular
issue I mentioned. A thumbnail sketch is that
1) if you have access to duplicate a handle from a process and
2) that process has a handle to itself with full rights (the default
behaviour)
3) a simple brute force attack will get you a handle to the process with
full rights, which lets you write into that process's memory space.

> Are there any other issues, proven or otherwise, that anyone 
> is aware of?

I don't have a canonical list. Use the source, Joe.

For your stated purpose, (ssh + cygwin), via the stated attack above if
I can run a custom , or via bash appropriate shellcode I can get memory
write access to any cygwin linked process. If that process happens to be
running as SYSTEM or an administrator access account, then injecting
custom code into that will pretty much open the door to anything.

Rob
