Potential Security Vulnerability
There is a bug in IKVM's implementation of java.lang.reflect.Field.set(). The dynamic method that is generated doesn't properly cast the value to the type of the field. This is obviously a bug, but it could also lead to a type safety vulnerability. It is not directly exploitable, because the unverifiable dynamic method does a full trust security demand, which fails when there is partially trusted code on the stack.
However, if you have any code that indirectly exposes Field.set() to untrusted code, it may be exploitable. In particular, the following scenarios warrant careful attention:
- If you have an assembly in the GAC that has the AllowPartiallyTrustedCallerAttribute, exposes Field.set() functionality to partially trusted callers and uses a security assert to stop the stack walk.
- If you load partially trusted code in your application and your code uses Field.set() on values controlled by the partially trusted code, without any partially trusted code being directly on the stack.
- If you process data or a (lightweight) scripting language that somehow exposes Field.set() functionality to untrusted data/code.
IKVM.NET versions 0.38, 0.40, 0.42 and 0.44 are affected. Versions 0.36 and earlier are not affected.
There is an update of IKVM.NET 0.42; earlier versions will not be updated. There will be a new 0.44 release candidate later today.
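A conformance check for the behaviour described above, as an added example that is not from the original post or the IKVM project: on a correct runtime, Field.set() throws IllegalArgumentException when the value cannot be converted to the field's type. The class and field names are hypothetical, and the primitive int cases go slightly beyond the reference-type cast the post describes.

```java
import java.lang.reflect.Field;

// Added conformance check, not IKVM project code. All names here are hypothetical.
public class FieldSetTypeCheck {
    public static class Holder {
        public String text = "initial";
        public static Number number = Integer.valueOf(0);
        public int count;
    }

    // True when Field.set() refuses the value with IllegalArgumentException,
    // which is what the java.lang.reflect.Field contract requires for a type mismatch.
    static boolean rejects(Field f, Object target, Object value) throws IllegalAccessException {
        try {
            f.set(target, value);
            return false;
        } catch (IllegalArgumentException expected) {
            return true;
        }
    }

    static boolean report(String label, boolean pass) {
        System.out.println((pass ? "PASS  " : "FAIL  ") + label);
        return pass;
    }

    public static void main(String[] args) throws Exception {
        Holder h = new Holder();
        Field text = Holder.class.getField("text");
        Field number = Holder.class.getField("number");
        Field count = Holder.class.getField("count");

        boolean ok = true;
        // Mismatched values: every one of these must be rejected.
        ok &= report("String field rejects Integer", rejects(text, h, Integer.valueOf(42)));
        ok &= report("static Number field rejects String", rejects(number, null, "not a number"));
        ok &= report("int field rejects String", rejects(count, h, "7"));
        // Legal values: identity, subclass and boxed primitive must still be accepted.
        ok &= report("String field accepts String", !rejects(text, h, "updated"));
        ok &= report("Number field accepts Long", !rejects(number, null, Long.valueOf(1L)));
        ok &= report("int field accepts Integer", !rejects(count, h, Integer.valueOf(3)));

        System.out.println(ok ? "Field.set() enforces field types"
                              : "Field.set() type check failed: update the runtime");
        System.exit(ok ? 0 : 1);
    }
}
```

Compile it with javac and run it on the runtime you want to check; a non-zero exit code means at least one check failed.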
IKVM.NET 0.42 Update 2
- Updated version to 0.42.0.7.
- Fixed Field.set() bug #3033769.
Binaries available here: ikvmbin-0.42.0.7.zip
Sources: ikvm-0.42.0.7.zip, openjdk6-b16-stripped.zip
Thanks to Dawid Weiss for reporting this issue.