# Tuesday, 21 June 2011
« MS11-039 Vulnerability Details | Main | Excel 2010 Bait-and-Switch Sandbox Escap... »
How to Run Unpatched CLR Side-by-Side

If you want to investigate a CLR security patch, you can of course setup a VM where you don't install the patch or you can simply not install the patch until after the investigation is done. I've done both in the past, but when I was reverse engineering MS10-060 I decide to try something different.

One of the advantages (and disadvantages) of the .NET Framework over Java or Mono is that it "integrates" with the OS. This means that you can't simply install two different versions of .NET 2.0 (for example) on your machine, but you can install .NET 1.1, .NET 2.0 and .NET 4.0 side-by-side. So I assumed that it should also be possible to have multiple versions of .NET 2.0 "installed" on your system. To test this I created a Hello World app with the following app.config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup>
        <supportedRuntime version="v2.0.66666"/>
        <requiredRuntime version="v2.0.66666"/>
    </startup>
</configuration>

Then I fired up Process Monitor and started looking at what happened if I tried to run the Hello World app.

It turns out that this is enough to make mscoree.dll look for the CLR in the %windir%\Microsoft.NET\Framework\v2.0.66666 directory for the runtime version to use. When that fails it gives you a message box asking if you want to install the .NET Framework v2.0.66666.

The obvious next step is to xcopy /s the contents of the v2.0.50727 directory into the v2.0.66666 directory. Now the Hello World app runs using mscorwks.dll and mscorjit.dll from the v2.0.66666 directory, so the contents of the v2.0.66666 can be replaced with the unpatched versions.

For the MS11-039 patch, I also wanted the unpatched System.dll and at this point it was still being loaded from the GAC. Back to Process Monitor which showed that the CLR was looking for a file named fusion.localgac in the v2.0.66666 directory, so that looked promising. After creating this file (content doesn't matter), I started getting assembly load failures and after copying the unpatched framework assemblies into the application directory the app ran successfully.

Now I could comfortably develop and test the PoC on my main system, without being vulnerable (if someone knew that I have this unpatched version installed, they could try to attack me specifically, but that would fail as I've disabled running .NET code in the browser because Microsoft takes too long to patch publicly known vulnerabilities).

Tuesday, 21 June 2011 09:48:07 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]
Saturday, 25 June 2011 10:51:01 (W. Europe Daylight Time, UTC+02:00)
Great bit of work!
Alan McF
Name
E-mail
Home page

I apologize for the lameness of this, but the comment spam was driving me nuts. In order to be able to post a comment, you need to answer a simple question. Hopefully this question is easy enough not to annoy serious commenters, but hard enough to keep the spammers away.

Anti-Spam Question: What method on java.lang.System returns an object's original hashcode (i.e. the one that would be returned by java.lang.Object.hashCode() if it wasn't overridden)? (case is significant)

Answer:  
Comment (HTML not allowed)  

Live Comment Preview