
Bug in Mingw-w64 Windows app development environment results in exploitable executables

Mingw-w64, a 2005 update of the open-source MinGW software development environment for Microsoft Windows applications, has been found to produce executables that are incompatible with Address Space Layout Randomization (ASLR), a technology that reduces the effectiveness of malicious shellcode.

Consequently, vulnerabilities existing in these faulty executables can be exploited -- and there is no practical fix for the problem, warned the CERT Coordination Center (CERT/CC) at Carnegie Mellon's Software Engineering Institute, in a security advisory today.

"For ASLR to function, Windows executables must contain a relocations table," the advisory said. "Despite containing the 'Dynamic base' PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks."

The CERT/CC noted that vendors Arch Linux, CentOS, Debian GNU/Linux, Fedora Project, Gentoo Linux, Red Hat, SUSE Linux, Ubuntu and VideoLAN are affected, while it is unknown if the bug also impacts vendors Alpine Linux, Arista Networks, ASP Linux, CoreOS, ENEA and Geexbox.

A workaround to the issue is available, notes the CERT/CC: Users can force Mingw-w64 to produce an executable with an intact relocations table by adding "__declspec(dllexport)" before the main function in an application's source code. "This line will cause the following function to be exported," the advisory explained. "When generating an executable that exports a function name, mingw-w64 will not strip the relocations table."
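The condition the advisory describes, a "Dynamic base" flag on an executable with no relocations table, can be checked from the PE headers alone. The script below is an added example, not code from the advisory or from mingw-w64; the function names and the header-only sample image are constructed for illustration, and it assumes relocations count as missing when either the COFF "relocs stripped" bit is set or the base relocation directory is empty.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the "Dynamic base" flag
BASERELOC_DIR = 5  # data-directory index of the base relocation table


def aslr_status(pe: bytes) -> str:
    """Return 'aslr-ok', 'flag-without-relocs' or 'no-dynamic-base'."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)        # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (characteristics,) = struct.unpack_from("<H", pe, coff + 18)
    opt = coff + 20                                       # optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories
    (num_dirs,) = struct.unpack_from("<I", pe, dirs - 4)
    reloc_rva = reloc_size = 0
    if num_dirs > BASERELOC_DIR:
        reloc_rva, reloc_size = struct.unpack_from("<II", pe, dirs + 8 * BASERELOC_DIR)
    has_relocs = (not characteristics & IMAGE_FILE_RELOCS_STRIPPED
                  and reloc_rva != 0 and reloc_size != 0)
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return "no-dynamic-base"
    # Flag set but nothing to relocate with: the case the advisory warns about.
    return "aslr-ok" if has_relocs else "flag-without-relocs"


def build_sample_pe(dll_chars, characteristics, reloc_size, pe32_plus=True):
    """Constructed, header-only PE image for testing (not a loadable file)."""
    magic, dirs_off = (0x20B, 112) if pe32_plus else (0x10B, 96)
    opt = bytearray(dirs_off + 16 * 8)                    # 16 empty directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs_off - 4, 16)         # NumberOfRvaAndSizes
    if reloc_size:
        struct.pack_into("<II", opt, dirs_off + 8 * BASERELOC_DIR, 0x3000, reloc_size)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To audit real binaries, pass the bytes of each file to `aslr_status` and treat `flag-without-relocs` as a candidate for rebuilding with the workaround above.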

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
