On October 24 of last year I reported an ASP.NET Medium Trust vulnerability. This eventually resulted in KB 2698981 where Microsoft essentially deprecated ASP.NET Partial Trust.
The problem I reported was that it is possible to abuse Thread.Abort() to create an inconsistent TypedReference that violates type safety.
TypedReference is an interesting type and I've been on the lookout for a way to abuse it for a long time. Its purpose is to allow type-safe references to be used in a generic way. To implement this, a TypedReference contains both a pointer and a type, and every operation it allows checks that type against the requested one so that type safety isn't violated. It's a primitive type, so the runtime knows about it and treats it specially. It can be used from partially trusted code, and because it can contain a reference to a location on the stack, the runtime enforces that TypedReference values can only be used from a single thread (by disallowing boxing it or storing it in arrays or fields).
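To make the invariant concrete, here is a small added C# illustration (not the post's PoC and not code from the original) of what a consistent TypedReference looks like in normal use: `__makeref` records both the address and the type, `__refvalue` checks the recorded type before dereferencing, and the compiler refuses to let the value escape into a heap object. The `ReadAs` helper name is mine.

```csharp
using System;

// Added illustration of TypedReference's safe behaviour; the helper name ReadAs
// is an assumption, not part of the post.
class TypedReferenceDemo
{
    // __refvalue verifies that the type recorded inside the TypedReference
    // matches T and throws InvalidCastException otherwise. That check is the
    // whole type-safety argument, and it only holds while the pointer and the
    // type stored in the TypedReference describe the same location.
    static T ReadAs<T>(TypedReference tr)
    {
        return __refvalue(tr, T);
    }

    static void Main()
    {
        int local = 42;
        TypedReference tr = __makeref(local);   // pointer to 'local' + typeof(int)

        Console.WriteLine(__reftype(tr));       // System.Int32
        Console.WriteLine(ReadAs<int>(tr));     // 42

        // Writes go through the same check and update the referenced slot.
        __refvalue(tr, int) = 7;
        Console.WriteLine(local);               // 7

        try
        {
            // Reading the slot as a wider type is refused instead of
            // reinterpreting (and over-reading) the bytes behind the pointer.
            ReadAs<long>(tr);
        }
        catch (InvalidCastException e)
        {
            Console.WriteLine("Rejected: " + e.GetType().Name);
        }

        // The value cannot be boxed or stored in a field or array, so it cannot
        // outlive the frame or be observed from another thread:
        //   object boxed = tr;   // compile error
    }
}
```

The point to take from this is that every safety property rests on the pointer and the type inside the struct staying in agreement; the runtime never re-validates that pairing after the fact, which is why the two-thread race described next is enough to break it.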
However, if one thread repeatedly overwrites a TypedReference location on the stack with two different values while a second thread aborts the first thread at the right moment, you can end up with a TypedReference that combines the pointer from one value with the type from the other, thus violating type safety.
The source of the PoC is available here.