So, What Was Wrong with That Code Anyway?

Thursday, December 7, 2006

WWWTC #9 ranks 10 out of 10 on the "difficult and subtle" scale. Let's say we write the following code to call the method Jill wrote:

Sub ExploitIt(ByVal path As String, ByVal data As Byte())

    Dim j As New JillsObject
    Try
        ' set up an environment that will force
        ' an exception after impersonation starts,
        ' then call into the method

        j.WriteToSensitiveFile(path, data)

    Catch When RunMaliciousCode() = True
        ' ...
    End Try

End Sub

Function RunMaliciousCode() As Boolean

    ' here is your chance to execute code as an admin...

End Function

The problem is that the exception filter (RunMaliciousCode) has a chance to execute before Jill's method turns off impersonation in the finally clause.
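The ordering can be seen without real impersonation. The following is an added example, not code from the original post: the `elevated` flag is a constructed stand-in for the thread's impersonation state, and `Unguarded`, `Guarded` and `Probe` are hypothetical names. `Guarded` shows a common mitigation, where an inner catch-and-rethrow forces the Finally block to run before any caller's filter is evaluated.

```vb
Imports System

Module FilterOrderDemo
    ' Constructed stand-in for the thread's impersonation state.
    Private elevated As Boolean = False

    ' Pattern the post describes: state is only restored in Finally.
    Sub Unguarded()
        Try
            elevated = True
            Throw New InvalidOperationException("forced failure")
        Finally
            elevated = False
        End Try
    End Sub

    ' Hardened: the inner Catch ends the first pass inside this method, so the
    ' Finally runs before the rethrow starts a new search up the stack.
    Sub Guarded()
        Try
            Try
                elevated = True
                Throw New InvalidOperationException("forced failure")
            Finally
                elevated = False
            End Try
        Catch
            Throw
        End Try
    End Sub

    ' Caller-supplied filter: records what state it observed.
    Function Probe(ByVal name As String) As Boolean
        Console.WriteLine("{0}: filter saw elevated = {1}", name, elevated)
        Return True
    End Function

    Sub Main()
        Try
            Unguarded()
        Catch When Probe("Unguarded")
        End Try
        Try
            Guarded()
        Catch When Probe("Guarded")
        End Try
    End Sub
End Module
```

Compiled as a console application, it prints one line per case showing the state the caller's filter observed.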

I planned on going into more detail, but Jonas provided two links in the comments that point to a pair of excellent posts by Shawn Farkas. See:

Safely Impersonating Another User
Impersonation and Exception Filters in v2.0

Skup Friday, December 8, 2006
Really interesting... This feature doesn't exist in C#, it's really hard to figure out this kind of problem! Once you know it, you know how to avoid it.