Executive Summary

Summary
Title: mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR
Informations
Name: VU#307144
First vendor Publication: 2018-08-03
Vendor: VU-CERT
Last vendor Modification: 2018-08-03
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Cvss Base Score: 5
Attack Range: Network
Cvss Impact Score: 2.9
Attack Complexity: Low
Cvss Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#307144

mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

Original Release date: 03 Aug 2018 | Last revised: 03 Aug 2018

Overview

mingw-w64 produces Windows executable files without a relocations table by default, which breaks compatibility with ASLR.

Description

ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks.

Impact

Windows executables generated by mingw-w64 claim to be ASLR compatible, but are not. Vulnerabilities in such executables are more easily exploitable as a result.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:

Force mingw-w64 to retain the relocations table

mingw-w64 can be coerced into producing an executable with the relocations table intact by adding the following line before the main function in a program's source code:
__declspec(dllexport)

This line will cause the following function to be exported. When generating an executable that exports a function name, mingw-w64 will not strip the relocations table.
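One way to check a built executable for the mismatch described above, and to confirm that the workaround kept the relocations table. This is an added example, not code from CERT/CC or mingw-w64; the header offsets follow the PE/COFF format, and `build_sample` is a hypothetical helper that constructs header-only sample input.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF header Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the "Dynamic base" opt-in bit
BASERELOC_DIR = 5                               # data directory slot for relocations

def aslr_status(data):
    """Return (dynamic_base, has_relocs) for a PE image supplied as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (file_chars,) = struct.unpack_from("<H", data, pe + 22)
    opt = pe + 24                                          # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)           # data directory array
    (count,) = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    size = 0
    if count > BASERELOC_DIR:
        _rva, size = struct.unpack_from("<II", data, dirs + 8 * BASERELOC_DIR)
    has_relocs = size > 0 and not (file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), has_relocs

def claims_aslr_without_relocs(data):
    """True for the mismatch in this note: opted in, but nothing to relocate."""
    dynamic_base, has_relocs = aslr_status(data)
    return dynamic_base and not has_relocs

def build_sample(file_chars, dll_chars, reloc_size):
    """Constructed PE32+ headers only (hypothetical sample, not a real program)."""
    pe = 0x80
    buf = bytearray(pe + 24 + 112 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe)
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe + 22, file_chars)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    struct.pack_into("<I", buf, opt + 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 112 + 8 * BASERELOC_DIR, 0x3000, reloc_size)
    return bytes(buf)
```

To check a real build, pass the bytes of the .exe read in binary mode to `claims_aslr_without_relocs`; a `True` result means the file sets "Dynamic base" but carries no relocations.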

Vendor Information

Vendor | Status | Date Notified | Date Updated
Arch Linux | Affected | 26 Jul 2018 | 01 Aug 2018
CentOS | Affected | 26 Jul 2018 | 01 Aug 2018
Debian GNU/Linux | Affected | 26 Jul 2018 | 01 Aug 2018
Fedora Project | Affected | 26 Jul 2018 | 01 Aug 2018
Gentoo Linux | Affected | 26 Jul 2018 | 01 Aug 2018
Red Hat, Inc. | Affected | 26 Jul 2018 | 01 Aug 2018
SUSE Linux | Affected | 26 Jul 2018 | 01 Aug 2018
Ubuntu | Affected | 26 Jul 2018 | 01 Aug 2018
VideoLAN | Affected | 23 Jul 2018 | 01 Aug 2018
Alpine Linux | Unknown | 26 Jul 2018 | 26 Jul 2018
Arista Networks, Inc. | Unknown | 26 Jul 2018 | 26 Jul 2018
ASP Linux | Unknown | 26 Jul 2018 | 26 Jul 2018
CoreOS | Unknown | 26 Jul 2018 | 26 Jul 2018
ENEA | Unknown | 26 Jul 2018 | 26 Jul 2018
Geexbox | Unknown | 26 Jul 2018 | 26 Jul 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 0.0 | AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal | 0.0 | E:ND/RL:ND/RC:ND
Environmental | 0.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://sourceforge.net/p/mingw-w64/mailman/message/31034877/
  • https://sourceware.org/bugzilla/show_bug.cgi?id=17321
  • https://sourceware.org/bugzilla/show_bug.cgi?id=19011

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2018-5392
  • Date Public: 09 Jun 2013
  • Date First Published: 03 Aug 2018
  • Date Last Updated: 03 Aug 2018
  • Document Revision: 9


Original Source

Url : http://www.kb.cert.org/vuls/id/307144

CWE : Common Weakness Enumeration

% | id | Name
100 % | CWE-254 | Security Features

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 1

Alert History

Date | Informations
2018-10-12 21:22:11 | Multiple Updates
2018-08-14 21:22:00 | Multiple Updates
2018-08-03 17:18:31 | First insertion