Zero-day flaw discovered in .NET Core allows hackers to evade malware detection
Security researchers have discovered a zero-day vulnerability in .NET Core that allows hackers to bypass any antivirus product and evade malware detection. According to the research, the issue stems from a Microsoft design decision that allows users with lower privileges to load malicious DLLs. .NET Core uses a ‘garbage collector’ to allocate and free the system memory used by a .NET Core application. However, users can supply custom garbage collectors in the form of DLLs that a .NET Core application will load.
.NET Core allows any user, including those with low privileges, to load a custom garbage collector DLL, even one containing malicious code. Hackers interested in exploiting this weakness would first need some level of access to the target system, so the attack depends on an existing foothold. To exploit it, the attacker must place a malicious garbage collector DLL on the vulnerable device and then set an environment variable that tells .NET Core to use the custom DLL.
Once the attacker successfully loads the custom DLL, the malicious code is executed by the legitimate .NET Core process, dotnet.exe, which treats the DLL as nothing more than a custom garbage collector. As soon as the garbage collector DLL is loaded by the .NET Core runtime, the payload begins execution, which in this case is a reverse TCP shell.
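From the defender's side, the mechanism described above has a narrow signature: a .NET Core process whose environment selects a standalone garbage collector, resolved to a DLL that does not live in the runtime's own directory. The following script is an added example written for this article; it is not code from the article, from Microsoft, or from Paul Laîné's proof of concept. It assumes the process records (image path, environment, loaded modules) have already been collected by an EDR or a host inventory job; the `DOTNET_GCName` / `COMPlus_GCName` names are the documented runtime knobs for choosing a standalone GC, while the trusted directory and the sample records are constructed for the demonstration.

```python
"""Triage collected process records for .NET Core processes that were pointed
at a custom (standalone) garbage-collector DLL via the runtime's environment
knobs, and rate how suspicious the selected DLL's location is."""
import ntpath  # Windows path semantics regardless of the host running this script
from dataclasses import dataclass, field

# Documented runtime configuration knobs that select a standalone GC DLL
# (COMPlus_ is the older prefix, DOTNET_ the newer one).
GC_ENV_KEYS = ("DOTNET_GCName", "COMPlus_GCName")

# Assumption: site-specific allowlist of directories a GC DLL may legitimately
# be loaded from (the shared runtime install). Adjust for the hosts inspected.
TRUSTED_GC_DIRS = (r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App",)


@dataclass
class ProcessRecord:
    """One collected process: image path, environment block, loaded modules."""
    pid: int
    image: str
    env: dict = field(default_factory=dict)
    modules: list = field(default_factory=list)


def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))


def gc_setting(env):
    """Return (name, value) of the first GC-selection variable that is set.
    Windows environment names are case-insensitive, so compare lowercased."""
    lowered = {k.lower(): (k, v) for k, v in env.items()}
    for key in GC_ENV_KEYS:
        hit = lowered.get(key.lower())
        if hit and hit[1].strip():
            return hit
    return None


def resolve_gc_path(value, modules):
    """Resolve the configured GC DLL to a full path: take the value itself when
    it carries a directory, otherwise find a loaded module with that file name."""
    if ntpath.dirname(value):
        return value
    for module in modules:
        if ntpath.basename(module).lower() == value.lower():
            return module
    return None


def in_trusted_dir(path):
    n = _norm(path)
    return any(n.startswith(_norm(d) + "\\") for d in TRUSTED_GC_DIRS)


def assess(rec):
    """Classify one process: ok / review / alert, with a human-readable reason."""
    hit = gc_setting(rec.env)
    if hit is None:
        return {"pid": rec.pid, "verdict": "ok", "reason": "no standalone-GC variable set"}
    key, value = hit
    path = resolve_gc_path(value, rec.modules)
    if path is None:
        return {"pid": rec.pid, "verdict": "review",
                "reason": f"{key}={value!r} is set but no matching DLL is loaded yet"}
    if in_trusted_dir(path):
        return {"pid": rec.pid, "verdict": "review",
                "reason": f"{key} selects {path}, which is inside the runtime directory"}
    return {"pid": rec.pid, "verdict": "alert",
            "reason": f"{key} loads a GC DLL from an untrusted location: {path}"}


def scan(records):
    """Return every finding that is not a clean 'ok'."""
    return [a for a in map(assess, records) if a["verdict"] != "ok"]


# Constructed sample records (not real telemetry).
SAMPLE = [
    ProcessRecord(1001, r"C:\Program Files\dotnet\dotnet.exe", {"PATH": r"C:\Windows"},
                  [r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.0\coreclr.dll"]),
    ProcessRecord(1002, r"C:\Program Files\dotnet\dotnet.exe",
                  {"COMPlus_GCName": r"C:\Users\Public\gc.dll"}, [r"C:\Users\Public\gc.dll"]),
    ProcessRecord(1003, r"C:\Program Files\dotnet\dotnet.exe", {"DOTNET_GCName": "clrgc.dll"},
                  [r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.0\clrgc.dll"]),
    ProcessRecord(1004, r"C:\Program Files\dotnet\dotnet.exe", {"dotnet_gcname": "gc.dll"}, []),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"[{finding['verdict'].upper()}] pid {finding['pid']}: {finding['reason']}")
```

The "review" tier exists because a standalone GC is a legitimate, if rare, configuration: a DLL inside the runtime directory deserves a look but not an alarm, whereas a GC DLL resolved to a user-writable path is the pattern the article describes and is rated "alert".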
“Paul Laîné in his proof of concept used the technique process hollowing to inject code into a legitimate process: since the process is created in a suspended state, memory regions are not mapped to a file and are replaced by the actual shellcode,” explains the Pentest Laboratories blog post.
This attack variant was reported to Microsoft, but the company did not consider it a vulnerability: “We do not consider this to be a security vulnerability; its exploitation requires attackers to modify the security of the environment, which means that other security checks must be compromised in advance,” the Microsoft Security Response Center (MSRC) report says.