DLL shared sections have long been infamous for introducing security problems. A few months ago I decided to take a look at whether one can still find applications that use PE modules with shared sections in an insecure way (or that use them at all). Today I'm releasing research notes, some tools and a demo of a Cygwin local privilege escalation (it's already fixed).

Btw, keep in mind that DLL/PE shared sections and shared memory (CreateFileMapping etc.) are two different IPC mechanisms.

TL;DR: It's hard (though possible) to find apps that use DLL shared sections; it's even harder to find an interesting and used variable in such a section. So I guess the bug class is not dead yet, but it's nothing exciting or commonly encountered. The Cygwin bug was in a shared section in cygwin1.dll - there was a UNICODE_STRING object there that was copied (unbounded copy) to a buffer on the stack on application start, with no stack cookies in sight.

Research notes

DLL shared sections: a ghost of the past (PDF EN; Update 1)

Tools

I've created and released two small tools: one can be used to locate all PE files with a shared+writable section on the disk, the other is a naive fuzzer for shared sections.

Project page on code.google.com (link)
DLLSharedSections-2012.05.19.zip (Win32 EXE + SRC)

Cygwin exploitation demo

Details about the bug as well as the timeline are in the second part of the research notes.

That's that.
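As an added example (my own code, not the author's tool and not part of the DLLSharedSections release): a minimal PE section-table walker that flags sections carrying both IMAGE_SCN_MEM_SHARED and IMAGE_SCN_MEM_WRITE, which is the property the locator tool described above looks for. scan_directory walks a real tree; build_sample_pe constructs a headers-only image (not a real DLL) so the check can run offline.

```python
import os
import struct

IMAGE_SCN_MEM_SHARED = 0x10000000   # PE/COFF section flag: shared across processes
IMAGE_SCN_MEM_WRITE = 0x80000000    # PE/COFF section flag: writable

def shared_writable_sections(data):
    """Return [(name, characteristics)] for each section that is both shared
    and writable: every process loading the module maps the same physical
    pages, so one process can modify what another one reads from there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # IMAGE_SECTION_HEADER array
    hits = []
    for i in range(num_sections):
        off = table + 40 * i                 # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        if chars & IMAGE_SCN_MEM_SHARED and chars & IMAGE_SCN_MEM_WRITE:
            hits.append((name, chars))
    return hits

def scan_directory(root, exts=(".dll", ".exe", ".sys")):
    """Yield (path, hits) for every PE file under root with such a section."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as f:
                        hits = shared_writable_sections(f.read())
                except (OSError, ValueError):   # unreadable or not a PE file
                    continue
                if hits:
                    yield path, hits

def build_sample_pe(sections):
    """Constructed headers-only PE32 image for offline testing (not a real DLL);
    sections is a list of (name bytes, characteristics)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\0" * 0xE0                                       # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    hdrs = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 28 + struct.pack("<I", c) for n, c in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs
```

A shared section that is only readable is not flagged, since a writer is needed for a cross-process corruption like the cygwin1.dll case.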