On 2025-01-09 23:52, Marco Atzeri wrote:
> On 10/01/2025 08:33, Andrey Repin via Cygwin wrote:
>> Greetings, Kaz Kylheku!
>>
>>> Hi all,
>>
>>> I'm reading an article on attacks that are evidently possible against some Windows
>>> programs in the area of command line parsing. See below.
>>
>>> Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
>>> line that is parsed into argv[]?
>>
>> You can answer this question yourself. The code is open.
>
> Specifically on https://cygwin.com/git/newlib-cygwin.git
>
> /pub/Cygwin/git/newlib-cygwin
> $ grep -rH GetCommandLineA .
> ./winsup/CVSChangeLogs.old/cygwin/ChangeLog-2013: (cygwin_GetCommandLineA): Ditto.
> ./winsup/cygwin/cygwin.din:GetCommandLineA@0 = cygwin_GetCommandLineA@0 NOSIGFE
> ./winsup/cygwin/include/cygwin/version.h: 268: Export GetCommandLineA, GetCommandLineW
> ./winsup/cygwin/kernel32.cc:/* Cygwin replacement for GetCommandLineA. Returns a concatenated string
> ./winsup/cygwin/kernel32.cc:cygwin_GetCommandLineA (void)

I see that the kernel32.cc function uses RtlUnicodeStringToAnsiString. The article I linked to mentions this specific function. The function does the "BestFit" thing, converting Unicode characters to ASCII pseudo-equivalents.

If Cygwin relies on this function for converting the process command line into main() arguments, it is likely susceptible to argument injection.
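
The concern raised in this message, as an added example that is not part of the original thread or of Cygwin's code: a check that flags non-ASCII characters in a wide command line that fold to ASCII characters significant for argument splitting, and shows how the argument list differs before and after folding. Assumptions: Unicode NFKC stands in for a Windows code page's best-fit table (the real tables are per code page and differ), and `split_args`, `risky_chars`, `fold` and `SAMPLE` are hypothetical names with a simplified quoting model.

```python
import unicodedata

# ASCII characters that affect how a Windows-style command line is split.
SIGNIFICANT = set('"\\/- ')

def fold(text):
    # Assumption: NFKC stands in for a code page's best-fit table here.
    return unicodedata.normalize("NFKC", text)

def risky_chars(cmdline):
    """List (index, char, folded) for non-ASCII characters whose folded
    form contains an ASCII character from SIGNIFICANT."""
    hits = []
    for i, ch in enumerate(cmdline):
        if ord(ch) < 0x80:
            continue
        folded = fold(ch)
        if any(c in SIGNIFICANT for c in folded):
            hits.append((i, ch, folded))
    return hits

def split_args(cmdline):
    """Simplified splitter: spaces separate arguments unless inside
    double quotes. Backslash escaping is deliberately not modelled."""
    args, cur, in_quotes, seen = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, seen = not in_quotes, True
        elif ch == " " and not in_quotes:
            if seen:
                args.append("".join(cur))
            cur, seen = [], False
        else:
            cur.append(ch)
            seen = True
    if seen:
        args.append("".join(cur))
    return args

# Constructed sample: a quoted file name containing U+FF02 (fullwidth quote).
SAMPLE = 'viewer.exe "a\uff02 b\uff02.txt"'

if __name__ == "__main__":
    for index, ch, folded in risky_chars(SAMPLE):
        print(f"offset {index}: U+{ord(ch):04X} folds to {folded!r}")
    print("wide split:  ", split_args(SAMPLE))
    print("folded split:", split_args(fold(SAMPLE)))
```

A program that parses the wide command line sees two arguments for the sample, while one that parses the folded narrow string sees three, which is why the check belongs before any lossy conversion.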