Whilst JArnold's blog is 100% correct, there's an important distinction from a security perspective: what (s)he (sorry JArnold, I don't know who you are!) does is fail to call the parent class's constructor from a constructor. This is clearly against the rules of the CLR and makes the code unverifiable, so it will not run from a partially trusted location such as an Internet web site, where only verifiable code is allowed to execute.
I'll omit the source and IL code for this post, but in the following example "noconstructor" is the base C# executable (100% "pure" code) and "noconstructorhack" is the hand-tweaked IL version that doesn't call the base class's constructor:
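To make the kind of hand-edit described above concrete, here is an added illustration (my own reconstruction, not the author's omitted "noconstructor"/"noconstructorhack" sources; the type name `Foo` and assembly name are assumptions). A C# compiler always emits `ldarg.0; call instance void [mscorlib]System.Object::.ctor()` at the start of a constructor; the ILAsm below is that constructor with those two instructions deleted, so `this` is never initialised before the method returns:

```cil
// Added example, not code from the original post. Equivalent C# source:
//   class Foo { }   (the compiler-generated .ctor calls Object::.ctor())
// Hypothetical assembly name chosen to mirror the post's description.
.assembly extern mscorlib {}
.assembly noconstructorhack {}

.class public auto ansi beforefieldinit Foo extends [mscorlib]System.Object
{
  .method public hidebysig specialname rtspecialname instance void .ctor() cil managed
  {
    .maxstack 8
    // The two instructions every C# compiler emits have been removed:
    //   ldarg.0
    //   call instance void [mscorlib]System.Object::.ctor()
    // Returning here leaves the object uninitialised, which the verifier rejects.
    ret
  }

  .method public static void Main() cil managed
  {
    .entrypoint
    .maxstack 1
    newobj instance void Foo::.ctor()   // constructs a Foo via the hacked .ctor
    pop
    ret
  }
}
```

Assemble with `ilasm noconstructorhack.il` and check it with `peverify noconstructorhack.exe` (or `ilverify` on modern .NET): the hacked build is reported as unverifiable because the constructor returns without initialising `this`, while the same type built from untouched C# passes. Running the executable in full trust from a local directory will still work, because full trust grants SkipVerification; the failure only shows up once the assembly is loaded from a partially trusted zone.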
Master of everything Raymond Chen has a comment that gives another way to end up with an object whose constructor never ran, this time without tweaking IL, but again serialisation requires privileges that are not granted to code in the Internet zone:
The attack I posted yesterday would succeed even in the Internet zone, assuming that a highly-trusted assembly had been produced by a compiler that generated public static constructors.