On October 24 of last year I reported an ASP.NET Medium Trust vulnerability. This eventually resulted in KB 2698981 where Microsoft essentially deprecated ASP.NET Partial Trust.
The problem I reported was that it is possible to abuse Thread.Abort() to create an inconsistent TypedReference that violates type safety.
TypedReference is an interesting type and I've been on the lookout for a way to abuse it for a long time. Its purpose is to allow type-safe references to be used in a generic way. To implement this, a TypedReference contains both a pointer and a type, and every operation it allows checks that type safety isn't violated. It's a primitive type, so the runtime knows about it and treats it specially. It can be used from partially trusted code, and because it can contain a reference to a location on the stack, the runtime enforces that TypedReference values can only be used from a single thread (by disallowing boxing them or storing them in arrays or fields).
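The checks described above, shown as an added C# example that is not code from the original post or from its PoC: a TypedReference is created with the (undocumented but long-standing) `__makeref` keyword, read through a helper that only sees the TypedReference and not the static type, and then deliberately read back with the wrong type so the runtime's check (the `InvalidCastException` thrown by the `refanyval` instruction) is visible. The commented-out lines at the end are the compile-time restrictions that keep a TypedReference from escaping the stack.

```csharp
using System;

// Added example, not part of the original post: demonstrates the type check
// that every TypedReference operation performs, which is the invariant the
// Thread.Abort() race in the post breaks.
class TypedReferenceDemo
{
    // A "generic" reader: it receives only the TypedReference and relies on
    // the type stored inside it, exactly the use case TypedReference exists for.
    static string Describe(TypedReference tr)
    {
        Type t = __reftype(tr);                      // type half of the pair
        object value = TypedReference.ToObject(tr);  // boxes a copy, checked against t
        return t.Name + " = " + value;
    }

    static void Main()
    {
        int number = 42;
        string text = "hello";

        // Each TypedReference couples the address of a local with that local's type.
        TypedReference intRef = __makeref(number);
        TypedReference strRef = __makeref(text);

        Console.WriteLine(Describe(intRef));   // Int32 = 42
        Console.WriteLine(Describe(strRef));   // String = hello

        // Writing through the reference is checked against the stored type.
        __refvalue(intRef, int) = 7;
        Console.WriteLine(number);             // 7

        // Reading with a type that does not match the stored one throws
        // instead of reinterpreting the pointed-to memory.
        try
        {
            string bogus = __refvalue(intRef, string);
            Console.WriteLine(bogus);
        }
        catch (InvalidCastException e)
        {
            Console.WriteLine("Rejected by the runtime: " + e.GetType().Name);
        }

        // The compiler refuses the operations that would let the pointer half
        // outlive the stack frame it points into; both lines are compile errors:
        // object boxed = intRef;                          // boxing not allowed
        // TypedReference[] arr = new TypedReference[1];   // array element not allowed
    }
}
```

Run it as a console program; the point of the example is the last two sections: a mismatched read is rejected at runtime, and boxing or storing the value is rejected at compile time. The vulnerability in the post is about producing a TypedReference whose pointer and type halves were never paired by `__makeref`, so those checks pass against the wrong type.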
However, by having one thread repeatedly overwrite a TypedReference location on the stack with two different values, and a second thread abort the first thread at the right moment, you can end up with a TypedReference that combines the pointer from one value with the type from the other, thus violating type safety.
The source of the PoC is available here.
© Copyright 2021, Jeroen Frijters