The program uses a weak class reference, which might allow an attacker to execute unauthorized code.
The program references a user-defined class that is not uniquely identified. When .NET loads this weakly identified class, the CLR type loader searches for the class in the following locations in the specified order:
- If the assembly of the type is known, the loader searches the configuration file's redirect locations, GAC, the current assembly using configuration information, and the application base directory.
- If the assembly is unknown, the loader searches the current assembly, mscorlib, and the location returned by the TypeResolve event handler.
This CLR search order can be modified with hooks such as the Type Forwarding mechanism and the AppDomain.TypeResolve event.
If an attacker exploits the CLR search order by creating an alternative class with the same name and placing it in an alternative location that the CLR will load first, the CLR will unintentionally execute the attacker-supplied code.
Example 1: The <behaviorExtensions/>
element of the WCF configuration file below instructs WCF to add a custom behavior class to a particular WCF extension.
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="myBehavior" type="MyBehavior" />
</behaviorExtensions>
</extensions>
</system.serviceModel>
[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A6 Injection Flaws
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3570 CAT I
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 95
[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116
[7] Microsoft Developer Network (MSDN)
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.6
[11] Standards Mapping - FIPS200 - (FISMA) SI