.NET Core vulnerability lets attackers evade malware detection

silversurfer

A vulnerability in the .NET Core library allows malicious programs to be launched while evading detection by security software.

This vulnerability is caused by a Path Traversal bug in Microsoft’s .NET Core library that allows malicious garbage collection DLLs to be loaded by users with low privileges.

This bug affects the latest stable release (3.1.x versions) of .NET Core. A fix is not currently available and could let attackers execute malicious code on a system without being readily detected by antivirus and EDR products.

Discovered by Paul Laîné of Context Information Security, the vulnerability is possible due to two main reasons:
  • .NET Core lets you use a custom DLL as its garbage collector
  • The environment variable “COMPlus_GCName” used for specifying a custom .NET garbage collector is not sanitized. Therefore any traversal characters (../) provided in the garbage collector path go unfiltered.
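
A defender-side check for the unsanitized variable described in the post above, as an added example that is not part of the original post or of .NET itself: it flags any COMPlus_GCName value that is more than a bare file name. The snapshot format, the function names, the reason labels and the sample values are assumptions constructed for illustration.

```python
import ntpath

GC_VAR = "COMPlus_GCName"  # variable named in the post


def classify_gc_name(value):
    """Return the reasons a GC name is suspicious; an empty list means a bare file name."""
    reasons = []
    # Accept both separator styles, since either may appear in the value.
    norm = value.strip().strip('"').replace("/", "\\")
    parts = [p for p in norm.split("\\") if p]
    if ".." in parts:
        reasons.append("traversal")
    drive, _ = ntpath.splitdrive(norm)  # catches "C:" and UNC prefixes
    if drive or norm.startswith("\\"):
        reasons.append("rooted-path")
    if len(parts) > 1 and not reasons:
        reasons.append("contains-directory")
    return reasons


def find_suspicious(snapshots):
    """Scan process environment snapshots and return (pid, value, reasons) per hit."""
    hits = []
    for snap in snapshots:
        for name, value in snap["env"].items():
            # Windows environment variable names are case-insensitive.
            if name.lower() == GC_VAR.lower():
                reasons = classify_gc_name(value)
                if reasons:
                    hits.append((snap["pid"], value, reasons))
    return hits


# Constructed sample data (hypothetical processes, not taken from the page).
SAMPLE = [
    {"pid": 100, "image": "app1.exe", "env": {"PATH": "C:\\Windows"}},
    {"pid": 200, "image": "app2.exe", "env": {"COMPlus_GCName": "customgc.dll"}},
    {"pid": 300, "image": "app3.exe",
     "env": {"complus_gcname": "..\\..\\Users\\Public\\gc.dll"}},
    {"pid": 400, "image": "app4.exe", "env": {"COMPlus_GCName": "C:\\Temp\\gc.dll"}},
]

if __name__ == "__main__":
    for pid, value, reasons in find_suspicious(SAMPLE):
        print(f"pid={pid} {GC_VAR}={value!r} -> {', '.join(reasons)}")
```

Treating every value other than a bare file name as suspicious is a policy choice made for this example; tune it to how custom garbage collectors are legitimately deployed in your environment.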
 

SeriousHoax

Not a vulnerability, says Microsoft

Because the exploitation of this mechanism requires the attackers to already have the ability to set environment variables on the compromised system, Microsoft does not consider this a security vulnerability:


“Per MSRC, we do not consider this to be a security vulnerability. Exploiting this would require the adversary to modify the environment block, at which point they're already in control over other aspects of the application's execution.”, stated Microsoft’s representative in the GitHub issue reported by Laîné.


Laîné acknowledged in his original disclosure, “Having the ability to use a custom GC is a legitimate feature and should probably not be removed. However, the path traversal should be addressed in order to limit the use of a custom GC to only users with local administrator privileges, which should be the case for a server-side application or in a development environment.”


Given there is no trivial fix for this “legitimate” feature, there remains the potential for abuse in .NET heavy enterprise environments.
🙄
 
