So, What Was Wrong with That Code Anyway?

Thursday, December 7, 2006

WWWTC #9 ranks 10 out of 10 on the "difficult and subtle" scale. Let's say we write the following code to call the method Jill wrote:

Sub ExploitIt(ByVal path As String, ByVal data As Byte())

    
Dim j As New JillsObject
    
Try
        ' setup an environment that will force
        ' an exception after impersonation starts,
        ' than call into the method

        j.WriteToSensitiveFile(path, data)

    
Catch When RunMaliciousCode() = True
        ' ...
    End Try

End
Sub

Function
RunMaliciousCode() As Boolean

    ' here is your chance to execute code as an admin...

End Function

The problem is that the exception filter (RunMaliciousCode) has a chance to execute before Jill's method turns off impersonation in the finally clause.

I planned on going into more detail, but Jonas provided two links in the comments that point to a pair of excellent posts by Shawn Farkas. See:

Safely Impersonating Another User
Impersonation and Exception Filters in v2.0


Comments
Skup Friday, December 8, 2006
Really interesting... This feature doesn't exist in C#, it's really hard to figure out this kind of problem ! Once you know it you know how to avoid it.
Comments are now closed.
by K. Scott Allen K.Scott Allen
My Pluralsight Courses
The Podcast!