Attacking .NET Framework through CLR - Xing Shikang (presenter) and Yu Hong(redrain), 360-CERT Analysis Team
The Common Language Runtime CLR, the virtual machine component of Microsoft's .NET
Framework, manages the execution of .NET programs, which runs the code and provides
services that make the development process easier. Microsoft also integrated CLR for its
products, E.g SQL Server, Office etc. We have studied CLR since last month. And we found these
features could lead to several attack surface. In this talk, we first introduce managed execution
environment and managed code under .NET Framework and discuss the security weaknesses
of this code execution method . After that, we show a exploit for SQL Server through CLR and
we would like to make our automate tools about this exploitation. Next then, we would like to
introduce a backdoor with administrator privilege based on CLR hijacking arbitrary .NET
Application. In addition, we extend our CLR security study to Microsoft Office used VSTO. The
result shows that we could convert a document's level customizations into a program's level
customizations and execute arbitrary code quietly.