mingw-w64 produces Windows executable files without a relocations table by default, which breaks compatibility with ASLR.
ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks.
Windows executables generated by mingw-w64 claim to be ASLR compatible, but are not. Vulnerabilities in such executables are more easily exploitable as a result.
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Force mingw-w64 to retain the relocations table
mingw-w64 can be coerced into producing an executable with the relocations table intact by adding the following line before the main function in a program's source code:
Red Hat, Inc.
Arista Networks, Inc.
MontaVista Software, Inc.
Slackware Linux Inc.
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Date First Published: 2018-08-03
Date Last Updated: 2018-08-03 12:50 UTC