Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference
1) create a file called byValueTypeTest.cs and compile it using csc byValueTypeTest.cs
using System;
using System.Text;

namespace Owasp
{
    class byValueTypetest
    {
        public static void Main()
        {
            // this will compile:
            object objString = (object)"I'm a String";
            // this will not compile:
            // string objString = "I'm a String";
            // it will throw the error:
            /*
            byValueTypeTest.cs(14,4): error CS1502: The best overloaded method match for
            'Owasp.byValueTypetest.byRefObject(ref object)' has some invalid arguments
            byValueTypeTest.cs(14,20): error CS1503: Argument '1': cannot convert from 'ref
            string' to 'ref object'
            */
            // which is why we need to do it directly in IL

            // values before call
            Console.WriteLine("\nbefore: " + objString + "\n type: " + objString.GetType());
            // this method will assign a StringBuilder to objString
            byRefObject(ref objString);
            // values after call
            Console.WriteLine("\nafter: " + objString + "\n type: " + objString.GetType());
        }

        public static void byRefObject(ref object oVar)
        {
            StringBuilder sb = new StringBuilder("I'm a StringBuilder");
            oVar = sb;
            // Console.WriteLine(oVar);
        }
    }
}
2) execute it just to see what it does:
before: I'm a String type: System.String
after: I'm a StringBuilder type: System.Text.StringBuilder
3) then ILDASM it
ildasm byValueTypeTest.exe /out:_byValtest.il
4) make this change in the IL code
// change from
// .locals init ( object V_0,
//                object[] V_1)
// to
.locals init ( string V_0,
               object[] V_1)
5) ILASM it
ilasm _byValTest.il
6) execute it, and the result will be
before: I'm a String type: System.String
after: I'm a StringBuilder type: System.Text.StringBuilder
7) Open the assembly in Reflector to confirm that the IL manipulation was successful
public static void Main()
{
    Console.WriteLine("\n\n staticInvokeTest\n\n");
    string text1 = "I'm a String";
    object[] objArray1 = new object[] { "\nbefore: ", text1, "\n type: ", text1.GetType() };
    Console.WriteLine(string.Concat(objArray1));
    byValueTypetest.byRefObject(ref text1);
    objArray1 = new object[] { "\nafter: ", text1, "\n type: ", text1.GetType() };
    Console.WriteLine(string.Concat(objArray1));
}
8) compare with the output and you will see that we were able to change the type of text1 (using Reflector's variable name) from System.String to System.Text.StringBuilder
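
Why the IL from step 4 is unverifiable, as an added example: a small Python model of the type rule involved, not code from the original page and not the CLR's own verifier. The type names are the page's; `Slot`, `arg_is_verifiable` and `run_call` are hypothetical names, and `verify=False` models the full-trust case in the page's title, where the call is not rejected.

```python
# Toy model (added example, not CLR code) of the rule the edited IL violates.
# Type names come from the page; every function/class name here is hypothetical.

# Minimal reference-type hierarchy: child -> parent.
PARENT = {
    "System.String": "System.Object",
    "System.Text.StringBuilder": "System.Object",
    "System.Object": None,
}

def is_subtype(t, u):
    """True if reference type t is u or derives from u."""
    while t is not None:
        if t == u:
            return True
        t = PARENT[t]
    return False

def arg_is_verifiable(local_type, param_type, by_ref):
    """By-value arguments may be widened; by-ref arguments must match exactly,
    because the callee can write any param_type value back through the reference."""
    if by_ref:
        return local_type == param_type
    return is_subtype(local_type, param_type)

class Slot:
    """A local variable: its declared (static) type and the type it actually holds."""
    def __init__(self, declared, value_type):
        self.declared = declared
        self.value_type = value_type

def by_ref_object(slot):
    """Models byRefObject(ref object oVar): stores a StringBuilder via the reference."""
    slot.value_type = "System.Text.StringBuilder"

def run_call(declared_local, verify):
    """Simulate Main's call. Returns (call_accepted, slot_still_type_safe)."""
    slot = Slot(declared_local, "System.String")
    if verify and not arg_is_verifiable(declared_local, "System.Object", by_ref=True):
        return (False, True)   # rejected before execution, slot untouched
    by_ref_object(slot)
    return (True, is_subtype(slot.value_type, slot.declared))

if __name__ == "__main__":
    print("object V_0, verified:  ", run_call("System.Object", True))
    print("string V_0, verified:  ", run_call("System.String", True))
    print("string V_0, unverified:", run_call("System.String", False))
```

The third case is the page's result: a local declared as string ends up holding a StringBuilder, which is the same mismatch the C# compiler refuses with error CS1503.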