DLL shared sections have long been infamous for introducing security problems. A few months ago I decided to take a look if one can still find applications that use PE modules with shared sections in an insecure way (or using them at all). Today I'm releasing research notes, some tools and a demo of a Cygwin local privilege escalation (it's already fixed).

Btw, keep in mind that DLL/PE shared sections and shared memory (CreateFileMapping etc) are two different IPC mechanisms.

Research notes

TL;DR: It's hard (though possible) to find apps that use DLL shared sections; it's even harder to find an interesting and used variable in such section. So I guess the bug class is not dead yet, but it's nothing exciting or commonly encountered. The Cygwin bug was in a shared section in cygwin1.dll - there was a UNICODE_STRING object there that was copied (unbounded copy) to a buffer on the stack on application start, with no stack cookies in sight.

DLL shared sections: a ghost of the past (PDF EN; Update 1)


I've created and released two small tools:
* FindShared can be used to locate all PE files with a shared+writable section on the disk
* StressShared is a naive fuzzer for shared sections

Project page on code.google.com (link)
DLLSharedSections-2012.05.19.zip (Win32 EXE + SRC)

Cygwin exploitation demo

Details about the bug as well as the timeline are in the second part of the research notes.

That's that.


2012-05-20 20:00:43 = Infern0_
Very interesting things. Your researches are amazing. Good job!

Add a comment:

URL (optional):
Math captcha: 7 ∗ 2 + 8 =