A vulnerability in the .NET Core library allows malicious programs to be launched while evading detection by security software.
This vulnerability is caused by a Path Traversal bug in Microsoft’s .NET Core library that allows malicious garbage collection DLLs to be loaded by users with low privileges.
This bug affects the latest stable release (3.1.x versions) of .NET Core. A fix is not currently available, and the bug could let attackers execute malicious code on a system without being readily detected by antivirus and EDR products.
Discovered by Paul Laîné of Context Information Security, the vulnerability is possible for two main reasons:
- .NET Core lets you use a custom DLL as its garbage collector.
- The environment variable “COMPlus_GCName”, used for specifying a custom .NET garbage collector, is not sanitized. Therefore, any traversal characters (../) provided in the garbage collector path go unfiltered.
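
A defender-side check for the second point, as an added example that is not from the original article or from Microsoft: it scans process-environment telemetry for COMPlus_GCName values that are anything other than a bare file name. The event layout, sample values and function names are constructed for illustration, and treating a bare file name as the only expected form is an assumption.

```python
import re

GC_VAR = "complus_gcname"  # compared in lower case: Windows env var names are case-insensitive


def gc_name_findings(value):
    """Return the reasons a COMPlus_GCName value is not a bare file name."""
    # Normalise quotes and separators so "/" and "\" variants are treated alike.
    norm = value.strip().strip('"').replace("/", "\\")
    segments = [s for s in norm.split("\\") if s]
    reasons = []
    if ".." in segments:
        reasons.append("traversal")
    if re.match(r"[A-Za-z]:", norm) or norm.startswith("\\"):
        reasons.append("rooted-path")  # drive-letter, rooted or UNC path
    if not reasons and "\\" in norm:
        reasons.append("subdirectory")
    return reasons


def scan(events):
    """Return (pid, image, value, reasons) for each process with a suspicious value."""
    hits = []
    for ev in events:
        for name, value in ev.get("env", {}).items():
            if name.lower() != GC_VAR:
                continue
            reasons = gc_name_findings(value)
            if reasons:
                hits.append((ev["pid"], ev["image"], value, reasons))
    return hits


# Constructed sample telemetry (hypothetical field names, not a real EDR schema).
SAMPLE_EVENTS = [
    {"pid": 100, "image": "app.exe", "env": {"COMPlus_GCName": "customgc.dll"}},
    {"pid": 200, "image": "app.exe", "env": {"complus_gcname": "..\\..\\example\\gc.dll"}},
    {"pid": 300, "image": "tool.exe", "env": {"COMPlus_GCName": "C:/example/gc.dll"}},
    {"pid": 400, "image": "other.exe", "env": {"PATH": "C:\\Windows"}},
]

if __name__ == "__main__":
    for pid, image, value, reasons in scan(SAMPLE_EVENTS):
        print(f"pid={pid} image={image} COMPlus_GCName={value!r} reasons={reasons}")
```
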