This bug affects the latest stable release of .NET Core, and no fix is yet available. It could let an attacker execute malicious code on a system without being detected by antivirus and EDR products.
The vulnerability was discovered by Paul Laîné of Context Information Security. It is possible for two main reasons:
- .NET Core lets you load a custom DLL as its garbage collector.
- The environment variable “COMPlus_GCName”, which specifies that custom garbage collector, is not sanitised: path traversal sequences in the supplied path go unfiltered, so the DLL can be loaded from a location outside the runtime's own installation directory.
To exploit the flaw, an attacker needs some level of access to the system, so realistically it would be used in conjunction with an existing exploit; the main incentive for an attacker is to add this technique to their toolkit. The attacker first creates a custom garbage collector DLL containing malicious code.
Once the .NET Core runtime loads that DLL, the malicious code runs inside the .NET Core process. In a real-world scenario, an attacker with access to the compromised machine can use a simple batch script that sets the environment variable and starts a .NET Core application, so that the runtime loads the malicious DLL.
Explaining the issue, Laîné said, “Having the ability to use a custom GC is a legitimate feature and should probably not be removed. However, the path traversal should be addressed in order to limit the use of a custom GC to only users with local administrator privileges, which should be the case for a server-side application or in a development environment.”
Researchers at Pentest Laboratories further analysed the vulnerability. They explain that the exploit uses a process hollowing technique: the malicious code executes under a legitimate process. Exploiting this mechanism requires the attacker to be able to set environment variables on the compromised system.
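The two practical points above, the unsanitised “COMPlus_GCName” value escaping the runtime directory and the need to set an environment variable on the target, are illustrated by the following added example. It is editorial code, not code from the article, Context Information Security, Pentest Laboratories or the .NET project. It assumes a simplified model of the runtime (the GC DLL path is the runtime directory joined with the raw variable value; the real loading logic is not reproduced), an assumed runtime directory and DLL name, and constructed process environment blocks in the NUL-separated `/proc/<pid>/environ` layout rather than captured data. The `stays_in_runtime_dir` check shows the kind of validation the quoted researcher calls for, and `audit_all` shows how a defender can sweep process environments for the variable and flag values that leave the runtime directory.

```python
"""Model of the COMPlus_GCName traversal, a hardening check, and a detection sweep.

Added example, not from the article or the .NET project. Assumptions:
  - the runtime resolves the GC DLL as <runtime dir> joined with the raw value
    (simplified model of the behaviour the article describes);
  - RUNTIME_DIR and "CustomGC.dll" are illustrative names;
  - SAMPLE_ENVIRONS are constructed NUL-separated KEY=VALUE blobs.
ntpath is used throughout so the Windows-style paths resolve the same on any OS.
"""
import ntpath
from typing import Dict, List, Optional

# Assumed install location of the runtime (illustrative).
RUNTIME_DIR = r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.4"


def gc_dll_path(runtime_dir: str, gc_name: str) -> str:
    """Unsanitised model: join the runtime directory with the raw variable value.

    Traversal segments such as ..\\ are honoured, so the result can land
    anywhere on the filesystem.
    """
    return ntpath.normpath(ntpath.join(runtime_dir, gc_name))


def stays_in_runtime_dir(runtime_dir: str, gc_name: str) -> bool:
    """Hardened check: accept only a bare file name that resolves inside runtime_dir.

    Rejects values with directory components (relative or absolute), "." and
    "..", and anything whose normalised path leaves the runtime directory.
    """
    if not gc_name or gc_name != ntpath.basename(gc_name):
        return False
    resolved = ntpath.normcase(gc_dll_path(runtime_dir, gc_name))
    base = ntpath.normcase(ntpath.normpath(runtime_dir))
    return resolved.startswith(base + ntpath.sep)


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a NUL-separated KEY=VALUE environment block into a dict."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def audit_environ(pid: int, blob: bytes,
                  runtime_dir: str = RUNTIME_DIR) -> Optional[dict]:
    """Return a finding if the process environment sets COMPlus_GCName.

    Any occurrence is worth a look, since custom GCs are rare in practice;
    escapes_runtime_dir marks the values that are clearly abusive.
    Keys are compared case-insensitively, as on Windows.
    """
    for key, value in parse_environ(blob).items():
        if key.lower() == "complus_gcname":
            return {
                "pid": pid,
                "gc_name": value,
                "resolved": gc_dll_path(runtime_dir, value),
                "escapes_runtime_dir": not stays_in_runtime_dir(runtime_dir, value),
            }
    return None


def audit_all(environs: Dict[int, bytes],
              runtime_dir: str = RUNTIME_DIR) -> List[dict]:
    """Sweep a pid -> environment-block mapping and collect findings."""
    findings = []
    for pid, blob in environs.items():
        finding = audit_environ(pid, blob, runtime_dir)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample data: three process environment blocks (not captured).
SAMPLE_ENVIRONS: Dict[int, bytes] = {
    1234: b"PATH=C:\\Windows\0"
          b"COMPlus_GCName=..\\..\\..\\..\\..\\Users\\Public\\evil.dll\0",
    1235: b"PATH=C:\\Windows\0COMPlus_gcServer=1\0",   # unrelated COMPlus_ setting
    1236: b"COMPlus_GCName=CustomGC.dll\0",            # in-directory, admin-placed DLL
}


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_ENVIRONS):
        flag = "ESCAPES RUNTIME DIR" if finding["escapes_runtime_dir"] else "in runtime dir"
        print(f"pid {finding['pid']}: COMPlus_GCName={finding['gc_name']!r} "
              f"-> {finding['resolved']} [{flag}]")
```

On a live system the environment blocks would come from `/proc/<pid>/environ` or, on Windows, from reading each process's environment block, and the runtime directory would be taken from the installed .NET Core version rather than the constant above. The bare-file-name rule in `stays_in_runtime_dir` is deliberately stricter than just normalising and comparing prefixes, so an absolute path or a `..` segment is rejected before any path arithmetic happens.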