# Monday, 25 June 2012
## Why ASP.NET Medium Trust Isn't

On October 24 of last year I reported an ASP.NET Medium Trust vulnerability. This eventually resulted in KB 2698981 where Microsoft essentially deprecated ASP.NET Partial Trust.

The problem I reported was that it is possible to abuse Thread.Abort() to create an inconsistent TypedReference that violates type safety.

TypedReference is an interesting type and I've been on the lookout for a way to abuse it for a long time. Its purpose is to allow type-safe references to be used in a generic way. To implement this, a TypedReference contains both a pointer and a type, and every operation it allows checks that the two agree so that type safety isn't violated. It's a primitive type, so the runtime knows about it and treats it specially. It can be used from partially trusted code, and because it can contain a reference to a location on the stack, the runtime enforces that TypedReference values can only be used from a single thread (by disallowing boxing them or storing them in arrays or fields).

However, by having one thread repeatedly overwrite a TypedReference location on the stack with two different values, and a second thread abort the first thread at the right moment, you can end up with a TypedReference that combines the pointer from one value with the type from the other value, which violates type safety.
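To make the pointer/type pairing in the two paragraphs above concrete, here is an added C# example that is not part of the original post or its PoC. It uses the documented compiler keywords `__makeref`, `__reftype` and `__refvalue` to show what a consistent TypedReference guarantees: the type half is checked against the requested type before the pointer half is dereferenced, and the value cannot be boxed or stored. The race in the post works by breaking the consistency of that pair, not by bypassing these checks.

```csharp
using System;

// Added example (not from the original post): shows the checks that a
// TypedReference normally enforces, i.e. the invariant the race breaks.
static class TypedReferenceDemo
{
    static void Main()
    {
        int number = 42;
        string text = "hello";

        // __makeref captures both the address of the local and its static type.
        TypedReference intRef = __makeref(number);
        TypedReference strRef = __makeref(text);

        // __reftype exposes the type half of the pair.
        Console.WriteLine(__reftype(intRef)); // System.Int32
        Console.WriteLine(__reftype(strRef)); // System.String

        // __refvalue compares the requested type with the stored type before
        // dereferencing the pointer half, so reading through the wrong type
        // throws InvalidCastException instead of reinterpreting memory.
        Console.WriteLine(__refvalue(intRef, int)); // 42
        try
        {
            string bogus = __refvalue(intRef, string);
            Console.WriteLine(bogus);
        }
        catch (InvalidCastException e)
        {
            Console.WriteLine("Blocked: " + e.Message);
        }

        // Writes go through the same check and update the original local.
        __refvalue(intRef, int) = 7;
        Console.WriteLine(number); // 7

        // The runtime's other guard is that a TypedReference cannot leave the
        // thread that created it: both of the following are compile errors.
        //   object boxed = intRef;
        //   TypedReference[] arr = { intRef };
    }
}
```

The check in `__refvalue` is only as good as the pair it inspects: it assumes the type and pointer were written together. The post's point is that Thread.Abort() can interrupt the write between the two halves, which is why the sandbox boundary in Medium Trust could not be relied upon.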

The source of the PoC is available here.

Monday, 25 June 2012 10:26:33 (W. Europe Daylight Time, UTC+02:00)