I’m going to pick on a post that I saw on the forum recently, “Root kits for .NET framework been found” [sic]. Now, I believe this person was just doing due diligence and reporting something they thought might honestly be important. So, “sharpy” (if that is your real name!), this is not meant as a dig on you. The post points to another forum discussion at dslreports.com, which then has some other links I’ll let you explore yourself.

In short, the author of some paper or exploit is claiming they have hacked the .NET Framework such that they can bypass strong-name validation, or replace code in mscorlib.dll, etc. I’ll publish the first line of the first reply to the post on dslreports:

“The ‘exploit’ starts with the modification of a framework dll (assembly) from outside the runtime using administrative privileges.”

Spot the refutal? I put it in bold 🙂 It’s like Raymond Chen has blogged about on at least one occasion:

“Surprisingly, it is not a security vulnerability that administrators can add other users to the Administrators group.”

Here’s a pop quiz. If you have administrator access to someone else’s machine, which of the following would you do?

Format the hard drive. Steal data, then format the hard drive. Display a dialog box saying, “Gotcha!”, and then format the hard drive. Decompile mscorlib.dll, inject extra code into the IL for the Assembly.Load() method, recompile the new IL into a new mscorlib.dll, replace the existing mscorlb.dll with your hacked version, edit the system configuration to bypass verification, remove the optimized “NGEN” version of mscorlib.dll, delete the pertinent log entries to cover your tracks, and then wait an undetermined amount of time to see that someone launching Paint.NET or their NVIDIA Control Panel gets a formatted hard drive instead.



“When the looting begins remember to consider the weight/value ratio. Here we have a few examples of high value, low effort.” http://www.safenow.org

I don’t know about you, but I’d probably just go with #1 or #3. I have all the data I need already, thankyouverymuch. No need to take a graduate course in compilers in order to do the job via #4.

Everything being done in #4 is possible for someone with administrator privilege. They’re only doing what they already have access to do. However, if a non-administrator can do this, then it’s an elevation of privilege issue. If it’s trivial to trick or mislead an administrator into doing it, then it could be called an “admin attack”. But all this is a discussion for another time.

So in conclusion, I wouldn’t be worried about this. The moment you see something about an attack or exploit requiring administrator privilege, or in some cases even just physical access, feel free to relax. (After all, if you have physical access to the computer, just hit the reset button and install Linux, right?)

* Disclaimer … Note that this is a slightly cynical post, and it’s by no means comprehensive.