Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: C# Exceptions
From: "Patrick" <patrick () curioustechnology com>
Date: Mon, 28 Aug 2006 08:07:06 -0700

Hi Steve,

Do you have any reference P.O.C. code?  I'd love to see it-

Thanks!

Steven Scheffler wrote:

You should also keep in mind that the .NET framework is mainly a wrapper
over WIN32 API. Which means that if there is a buffer overrun in a win32
dll, it can be invoked and exploited from managed code as well. Like the
WMF file handling vulnerability in gdi32 going around few months ago.


-----Original Message-----
From: Patrick [mailto:patrick () curioustechnology com] 
Sent: Monday, August 28, 2006 2:21 AM
To: '3 shool'
Cc: pen-test () securityfocus com
Subject: RE: C# Exceptions

To my knowledge, no one has successfully executed code using a buffer
overrun in .Net.  The .NET CLR is not a good target for executing shell
code.  If you do manage to do this, pat yourself on the back, post on
bugtrack and be prepared to have made a significant impact on the
software
industry.  Please site me as your first detractor ;)

Crashing .net itself ain't hard.  I'm an example of the type of dev
who's
done it regularly!  As I mentioned before, I'm unaware of anyone having
successfully used a .net overrun to execute code.  It may be possible,
but
it's been 6 years since .NET came on the scene and so far MS has been
very
successful on delivering on the promised enhanced security that the
marketing folks have always referenced.

I alluded before to the [unsafe] keyword.  Read more on [unsafe] here:
http://www.codersource.net/csharp_unsafe_code.html.  The only known way
to
do code execution via the stack would be if the target app used
[unsafe].
Just a caveat- I don't believe that [unsafe] is provided in vb, so be
double
sure your app is built with the environment that you think it is if
you're
going to cross your fingers and go after an [unsafe] opportunity.

As far as your best opportunity for penetration, go back to targeting
the
environment rather than the application.  On the other hand, perhaps you
have dependencies on other applications that may lead you to an
executable/command line environment via the web services interfaces
they've
created.  I'm sure you've seen SQL injection attacks that reverse shell
out
a command line with xp_cmdshell.  I assume you've already exhausted this
end
of things though and if you're still struggling, I'd say it's time to
spend
time with your Nessus dumps and start thinking about service
configurations
or old versions of IIS.

Good luck!



-----Original Message-----
From: 3 shool [mailto:3shool () gmail com] 
Sent: Saturday, August 26, 2006 10:36 PM
To: Patrick
Cc: pen-test () securityfocus com
Subject: Re: C# Exceptions

Patrick, thanx for the detailed email.

We are able to crash the application over the network by intercepting
the traffic that goes in  to the target application from the
legitimate web serivces. We got these three different exceptions for
different type of fuzzed data. Now before we move forward we were
planning to see what would be our best option out of these three
exceptions or memory dump that could give us remote code execution or
at least best chance of penetration.

Since buffer overruns are not possible in a .Net applicaiton what if
we target a bufferoverrun in .Net itself? We got a couple of crashes
that crashed .Net instead of generating any exceptions.

If we were to pursue our best possibility of penetration what would it
be?


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

This e-mail message is confidential and intended solely for the person to
whom or the entity to which it is addressed. All the contents and any
attachments remain the property of VR Services (Pty) Ltd unless so stated by
contract.
If you are not the intended recipient, you are prohibited from reading,
copying, using or disclosing this message to others. 
If you received this message in error, please notify the sender immediately
by replying to this e-mail or by telephoning +27 21 528 9300 and thereafter
delete the message. VR Services (Pty) Ltd does not accept liability for any
personal views expressed in this message.


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault