Mono 'loader.c' Library Loading Local Privilege Escalation Vulnerability

2010.11.20
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

http://www.mono-project.com/DllNotFoundException explains that the mono runtime searches the current working directory for DLLs. This opens a serious security hole. Malicious code can be given the same name as a DLL and left in a directory the user might visit. Also, it means that no mono application can safely set the current working directory.

Microsoft themselves addressed this issue in Windows http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx

It's a well known "dummies" question for Unix why you must not have "." on your path http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html

Mono is exposing users to these same old hat problems.

(As a related problem, many mono programs seem to *assume* that they will be run with the CWD set to their installed directory, and break if it isn't.)

Reproducible: Always

Steps to Reproduce: 1. 2. 3.
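The search-order problem described in the report, as an added example (not Mono's code and not part of the original advisory): a simplified Python model of a lookup that tries the working directory first, beside a lookup restricted to absolute, trusted directories. The function names, the file name `libexample.so` and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile

def resolve_with_cwd(name, search_dirs, cwd):
    """Simplified model of the risky order: the working directory is tried first."""
    for d in [cwd] + list(search_dirs):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def resolve_trusted_only(name, search_dirs):
    """Hardened lookup: bare file name, absolute directories only, never the CWD."""
    if os.path.basename(name) != name:
        raise ValueError("library name must not contain a path component")
    for d in search_dirs:
        # "" and "." both mean the CWD, and any relative entry depends on it.
        if not os.path.isabs(d):
            continue
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def demo():
    """Constructed layout: a trusted copy plus a same-named file in the CWD."""
    root = os.path.realpath(tempfile.mkdtemp())
    trusted = os.path.join(root, "app", "lib")   # install directory (constructed)
    visited = os.path.join(root, "downloads")    # directory the user happens to be in
    os.makedirs(trusted)
    os.makedirs(visited)
    for d in (trusted, visited):
        with open(os.path.join(d, "libexample.so"), "w") as f:
            f.write("placeholder")
    dirs = ["", ".", trusted]                    # search list with CWD-relative entries
    old = os.getcwd()
    os.chdir(visited)
    try:
        risky = resolve_with_cwd("libexample.so", dirs, os.getcwd())
        safe = resolve_trusted_only("libexample.so", dirs)
    finally:
        os.chdir(old)
        shutil.rmtree(root)
    return risky, safe, trusted, visited

if __name__ == "__main__":
    print(demo())
```

The first lookup returns the copy in the directory the process was started from; the second skips every CWD-relative entry and returns the copy in the install directory.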

References:

https://github.com/mono/mono/commit/8e890a3bf80a4620e417814dc14886b1bbd17625
http://lists.ximian.com/pipermail/mono-patches/2010-October/177900.html
https://bugzilla.novell.com/show_bug.cgi?id=641915
http://www.securityfocus.com/bid/44810
http://www.mono-project.com/Vulnerabilities#Mono_Runtime_Insecure_Native_Library_Loading
http://secunia.com/advisories/42174
http://marc.info/?l=oss-security&m=128941802415318&w=2
http://marc.info/?l=oss-security&m=128939912716499&w=2
http://marc.info/?l=oss-security&m=128939873515821&w=2


Copyright 2024, cxsecurity.com

 
