Vulnerability Note VU#307144

mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

Original Release date: 03 Aug 2018 | Last revised: 03 Aug 2018

Overview

mingw-w64 produces executable Windows files without a relocations table by default, which breaks compatibility with ASLR.

Description

ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks.

Impact

Windows executables generated by mingw-w64 claim to be ASLR compatible, but are not. Vulnerabilities in such executables are more easily exploitable as a result.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:

Force mingw-w64 to retain the relocations table

mingw-w64 can be coerced into producing an executable with the relocations table intact by adding the following line before the main function in a program's source code:
__declspec(dllexport)

This line will cause the following function to be exported. When generating an executable that exports a function name, mingw-w64 will not strip the relocations table.
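To check whether a given build is affected, or whether the workaround took effect, the PE headers can be inspected directly. The following is an added example, not code from CERT/CC or mingw-w64; it assumes a stripped table shows up as either the IMAGE_FILE_RELOCS_STRIPPED flag or an empty base relocation data directory, and constructed_pe() is a hypothetical helper that builds header-only sample data.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the "Dynamic base" opt-in
BASERELOC_DIR_INDEX = 5                         # IMAGE_DIRECTORY_ENTRY_BASERELOC


def aslr_status(pe: bytes) -> str:
    """Classify a PE image: 'ok', 'not-opted-in' or 'opted-in-no-relocs'."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (file_chars,) = struct.unpack_from("<H", pe, nt + 4 + 18)
    opt = nt + 4 + 20                                    # optional header start
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)         # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)    # NumberOfRvaAndSizes
    rva = size = 0
    if ndirs > BASERELOC_DIR_INDEX:
        rva, size = struct.unpack_from("<II", pe, dirs + 8 * BASERELOC_DIR_INDEX)
    if not (dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE):
        return "not-opted-in"
    stripped = (file_chars & IMAGE_FILE_RELOCS_STRIPPED) or rva == 0 or size == 0
    return "opted-in-no-relocs" if stripped else "ok"


def constructed_pe(file_chars, dll_chars, reloc=(0, 0), plus=False) -> bytes:
    """Build a header-only sample image (constructed data, not a real binary)."""
    dirs_off = 112 if plus else 96
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs_off - 4, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * BASERELOC_DIR_INDEX, *reloc)
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0,
                       len(opt), file_chars)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

For a real file, pass the bytes read from the executable to aslr_status(); a result of 'opted-in-no-relocs' is the condition this note describes.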

Vendor Information

Vendor                  Status    Date Notified  Date Updated
Arch Linux              Affected  26 Jul 2018    01 Aug 2018
CentOS                  Affected  26 Jul 2018    01 Aug 2018
Debian GNU/Linux        Affected  26 Jul 2018    01 Aug 2018
Fedora Project          Affected  26 Jul 2018    01 Aug 2018
Gentoo Linux            Affected  26 Jul 2018    01 Aug 2018
Red Hat, Inc.           Affected  26 Jul 2018    01 Aug 2018
SUSE Linux              Affected  26 Jul 2018    01 Aug 2018
Ubuntu                  Affected  26 Jul 2018    01 Aug 2018
VideoLAN                Affected  23 Jul 2018    01 Aug 2018
Alpine Linux            Unknown   26 Jul 2018    26 Jul 2018
Arista Networks, Inc.   Unknown   26 Jul 2018    26 Jul 2018
ASP Linux               Unknown   26 Jul 2018    26 Jul 2018
CoreOS                  Unknown   26 Jul 2018    26 Jul 2018
ENEA                    Unknown   26 Jul 2018    26 Jul 2018
Geexbox                 Unknown   26 Jul 2018    26 Jul 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           0.0    AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal       0.0    E:ND/RL:ND/RC:ND
Environmental  0.0    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2018-5392
  • Date Public: 09 Jun 2013
  • Date First Published: 03 Aug 2018
  • Date Last Updated: 03 Aug 2018
  • Document Revision: 9
