search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

Vulnerability Note VU#307144

Original Release Date: 2018-08-03 | Last Revised: 2018-08-03

Overview

mingw-w64 produces a executable Windows files without a relocations table by default, which breaks compatibility with ASLR.

Description

ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks.

Impact

Windows executables generated by mingw-w64 claim to be ASLR compatible, but are not. Vulnerabilities in such executables are more easily exploitable as a result.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:

Force mingw-w64 to retain the relocations table

mingw-w64 can be coerced into producing an executable with the relocations table intact by adding the following line before the main function in a program's source code:
__declspec(dllexport)

This line will cause the following function to be exported. When generating an executable that exports a function name, mingw-w64 will not strip the relocations table.

Vendor Information

307144
 
Expand all

Arch Linux Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Affected

Notified:  July 26, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

VideoLAN Affected

Notified:  July 23, 2018 Updated: August 01, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ASP Linux Unknown

Notified:  July 26, 2018 Updated: July 26, 2018

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

    Alpine Linux Unknown

    Notified:  July 26, 2018 Updated: July 26, 2018

    Status

    Unknown

    Vendor Statement

    We have not received a statement from the vendor.

    Vendor References

      Arista Networks, Inc. Unknown

      Notified:  July 26, 2018 Updated: July 26, 2018

      Status

      Unknown

      Vendor Statement

      We have not received a statement from the vendor.

      Vendor References

        CoreOS Unknown

        Notified:  July 26, 2018 Updated: July 26, 2018

        Status

        Unknown

        Vendor Statement

        We have not received a statement from the vendor.

        Vendor References

          ENEA Unknown

          Notified:  July 26, 2018 Updated: July 26, 2018

          Status

          Unknown

          Vendor Statement

          We have not received a statement from the vendor.

          Vendor References

            Geexbox Unknown

            Notified:  July 26, 2018 Updated: July 26, 2018

            Status

            Unknown

            Vendor Statement

            We have not received a statement from the vendor.

            Vendor References

              HomeSeer Unknown

              Notified:  July 26, 2018 Updated: July 26, 2018

              Status

              Unknown

              Vendor Statement

              We have not received a statement from the vendor.

              Vendor References

                Micro Focus Unknown

                Notified:  July 26, 2018 Updated: July 26, 2018

                Status

                Unknown

                Vendor Statement

                We have not received a statement from the vendor.

                Vendor References

                  MontaVista Software, Inc. Unknown

                  Notified:  July 26, 2018 Updated: July 26, 2018

                  Status

                  Unknown

                  Vendor Statement

                  We have not received a statement from the vendor.

                  Vendor References

                    Openwall GNU/*/Linux Unknown

                    Notified:  July 26, 2018 Updated: July 26, 2018

                    Status

                    Unknown

                    Vendor Statement

                    We have not received a statement from the vendor.

                    Vendor References

                      Slackware Linux Inc. Unknown

                      Notified:  July 26, 2018 Updated: August 01, 2018

                      Status

                      Unknown

                      Vendor Statement

                      We have not received a statement from the vendor.

                      Vendor Information

                      We are not aware of further vendor information regarding this vulnerability.

                      Tizen Unknown

                      Notified:  July 26, 2018 Updated: July 26, 2018

                      Status

                      Unknown

                      Vendor Statement

                      We have not received a statement from the vendor.

                      Vendor References

                        Turbolinux Unknown

                        Notified:  July 26, 2018 Updated: July 26, 2018

                        Status

                        Unknown

                        Vendor Statement

                        We have not received a statement from the vendor.

                        Vendor References

                          View all 22 vendors View less vendors


                          CVSS Metrics

                          Group Score Vector
                          Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
                          Temporal 0 E:ND/RL:ND/RC:ND
                          Environmental 0 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

                          References

                          Acknowledgements

                          This vulnerability was reported by Will Dormann of the CERT/CC.

                          This document was written by Will Dormann.

                          Other Information

                          CVE IDs: CVE-2018-5392
                          Date Public: 2013-06-09
                          Date First Published: 2018-08-03
                          Date Last Updated: 2018-08-03 12:50 UTC
                          Document Revision: 12

                          Sponsored by CISA.

                          Download PGP Key

                          Read CERT/CC Blog

                          Learn about Vulnerability Analysis