The Common Language Runtime (CLR), the virtual machine component of Microsoft’s .NET Framework, manages the execution of .NET programs: it runs the code and provides services that make the development process easier. Microsoft has also integrated the CLR into its products, e.g. SQL Server, Office, etc. We have studied the CLR since last month, and we found that these features could lead to several attack surfaces.
In this talk, we first introduce the managed execution environment and managed code under the .NET Framework and discuss the security weaknesses of this code execution method. After that, we show an exploit for SQL Server through the CLR and our automated tools for this exploitation. We will introduce a backdoor with administrator privilege based on CLR hijacking of arbitrary .NET applications.
In addition, we extend our CLR security study to Microsoft Office using VSTO. The result shows that we could convert a document-level customization into a program-level customization and execute arbitrary code quietly.