This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Possible Type Confusion issue in .Net 1.1 (only works in Full Trust)"
(Reverting to last version not containing links to www.textriccnaracac.com) |
Bill Sempf (talk | contribs) |
||
Line 1: | Line 1: | ||
− | + | {{taggedDocument | |
+ | | type=historical | ||
+ | | link=:Category:OWASP_.NET_Project | ||
+ | }} | ||
+ | |||
+ | While doing my Rooting the CLR research I found something which I thing could be a 'Type Confusion issue' in .Net 1.1 (see more details about these issues in this great document on Java Security published by the LSD Research group http://lsd-pl.net/papers.html#java) [[Category:FIXME|link not working]] | ||
Here are my test: | Here are my test: |
Latest revision as of 01:43, 22 July 2014
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
Please use the newer Edition(s) like Category:OWASP_.NET_Project
While doing my Rooting the CLR research I found something which I thing could be a 'Type Confusion issue' in .Net 1.1 (see more details about these issues in this great document on Java Security published by the LSD Research group http://lsd-pl.net/papers.html#java)
Here are my test:
1) Compile this:
using System; namespace RootingTheClr { class classTest { public static void Main() { Console.WriteLine("\n\n classTest \n\n"); normalClass ncTest = new normalClass(); maliciousClass mcTest = (maliciousClass)new maliciousClass(); normalClass ncTestTarget = ncTest; Console.WriteLine("Public = " + mcTest.iPublicVar + " Private = " + mcTest.iPrivateVar ); } }
class normalClass { public int iPublicVar; private int iPrivateVar;
public normalClass() { iPrivateVar = 100; iPublicVar = 999; } }
class maliciousClass { public int iPublicVar; public int iPrivateVar;
public maliciousClass() { iPrivateVar = 1; iPublicVar = 9; } } }
2) and you should get this (note the value of Private):
csc classtest.cs Microsoft (R) Visual C# .NET Compiler version 7.10.3052.4 for Microsoft (R) .NET Framework version 1.1.4322 Copyright (C) Microsoft Corporation 2001-2002. All rights reserved.
classTest.cs(21,15): warning CS0169: The private field 'RootingTheClr.normalClass.iPrivateVar' is never used
classTest.exe
classTest
Public = 9 Private = 1
3) run ILDASM on the exe:
ildasm classTest.exe /out:classTest.il
// WARNING: Created Win32 resource file classTest.res
4) Notepad it and make this change:
notepad classTest.il
replace
IL_0010: newobj instance void RootingTheClr.maliciousClass::.ctor()
with
IL_0010: newobj instance void RootingTheClr.normalClass::.ctor()
5) Ilasm the file
ilasm classTest.il
Microsoft (R) .NET Framework IL Assembler. Version 1.1.4322.573 Copyright (C) Microsoft Corporation 1998-2002. All rights reserved. Assembling 'classTest.il' , no listing file, to EXE --> 'classTest.EXE' Source file is ANSI
Assembled method classTest::Main Assembled method classTest::.ctor Assembled method normalClass::.ctor Assembled method maliciousClass::.ctor Creating PE file
Emitting members: Global Class 1 Methods: 2; Class 2 Fields: 2; Methods: 1; Class 3 Fields: 2; Methods: 1; Resolving member refs: 8 -> 8 defs, 0 refs Writing PE file Operation completed successfully
6) execute it (note the value of Private)
classTest.exe
classTest
Public = 999 Private = 100
7) This means that we successuflly were able to cast an object of the class normalClass into an object of the class maliciousClass. The attack vector occours because iPrivateVar is a pubic var in maliciousClass and a private var in normalClass
class maliciousClass { public int iPublicVar; public int iPrivateVar;
...
class normalClass { public int iPublicVar; private int iPrivateVar;
...
---------
- 8) what is interresting is that this only works in Full Trust, if you try to run this in a partial trust environment like from a local network share) you will get the following error:
classTest.exe
Unhandled Exception: System.Security.VerificationException: Operation could destabilize the runtime. at RootingTheClr.classTest.Main()
This means that the CLR in partial trust does do some verification on the compliled Byte code which is not done in Full Trust (which will mean that Microsoft Security Response Team will say that this is not a vulnerabiltiy and occours by design :)