Presentation Title Silverlight: A Way to Surf .NET Holes
Silverlight is developed in .NET, it is thus based on Microsoft nameshake framework but also embeds its own virtual machine and its own security model. Accordingly, its attack surface is quite board:
– .NET framework itself.
– The heart of Silverlight.
– The native Windows libraries used by Silverlight.
An attack is carried out as with traditional security models of the plugins and browsers, client side: a malicious Web site takes advantage of a vulnerability to host a malicious Silverlight application and compromise all customers who connect to the site by having a Microsoft .NET or Silverlight vulnerable plugin.
In the first part, we will introduce quickly the security model of Silverlight without going into details, as well as the different layers on which the application is to identify various sources of potential attacks. Then we will study a .NET framework vulnerability directly impacting Silverlight. This is the CVE-2010-1898. This type of vulnerability is specific to the Microsoft VM, we will tell the audience the origin of this vulnerability and its danger.
In a third section, we will show how to exploit a vulnerability of this type. We wrote an exploit for code execution on the machine, and we will see that the protections of Windows are bypassed naturally (ASLR,DEP). And we will show how it is very simple to write an .NET exploit starting with a proof of concept for this type of vulnerability.
About Thomas Caplin
Thomas Caplin has been working in the Sogeti ESEC R&D lab since mid-2010. His domains of interest cover reverse engineering, vulnerability research and exploitation methods on Windows and Linux systems.