Eric has recently done a series on script security, and one of the things he very briefly mentions is how you can use GetObject with a moniker to get an instance of an object. This reminds me of one of the “cool” bugs we found before the first version of the CLR was released. I say “cool” because it was a pretty creative bug (well, perhaps not compared to the real hackers, but for us it was creative!). It was a fun time in the final months leading up to the release of the CLR because we were all working long days, long nights, weekends, etc. doing everything we could to bang out the last of the problems and getting ready to ship.
We (some members of the VSA team, including Eric and myself) were in this mode of terrified excitement every time we found what we thought was a problem. It’s a weird feeling when you discover a potentially ship-stopping critical security bug because on the one hand you’ve just caused a lot of pain for a whole bunch of people and it seems like the sky is falling, but on the other hand you feel like an 1337 h4x0r from some Hollywood movie desperately fighting against the clock (and the bad guys) to help save the world.
It’s fun 🙂
[Yeah, I’m kind of sick like that. I used to walk around the corridors with my coffee cup in hand and a silly grin on face, telling everyone who’d listen, “Guess what? We’re completely hosed!!!!” and then jump into some end-of-the-world scenario involving a new bug one of us had just found. I still get to do that every now and then, although (thankfully) it tends to be long before we ship the product (and hopefully before we even write the code). I love this job!]
Anyway, most of the bugs we thought we found turned out to be not so bad in practice; we’d find some dangerous call back method or some nasty-looking unsealed class and grep through the ILDASM-ed CLR binaries to see if we could find ways to exploit them through the built-in libraries, but nine times out of ten we would end up with nothing to show for our efforts.
Hmmmm, I was going to write a lot of stuff about a
class of bug we found, but I’ll leave that for another day (or maybe
will beat me to it!). Or, perhaps I’ll show you one instance of the bug and you can tell me what the root cause of the bug was, and how we fixed it.
In the tradition of Slashdot, here’s how you could get FullTrust from within a simple web page on a pre-RTM version of the CLR:
1) Write a nasty .NET component
2) Host it on a web site
Of course the cool bit is always in step #3, but in this case we actually figured out what it was. It was deadly simple, and you could do it in a single line of JScript .NET code living on a web page (ie, from within the Internet Zone). It required using the afore-mentioned GetObject method in conjunction with some “classic” JScript (or VBScript) code inside a Windows Script Component, but there is nothing overly tricky about the coding used in the attack.
Can anyone guess how this attack works (errr, would have worked)? I’ll post the solution (along with some history and some hints on how you can avoid similar problems) in a few days. Have fun with your suggestions!