PRB: Potential Security Vulnerability When Class Overrides Internal or Private Virtual Method (313499)
The information in this article applies to:

  • Microsoft JScript .NET

This article was previously published under Q313499

SYMPTOMS

If you write a class in Intermediate Language (IL) byte code, that class can override the virtual methods of a JScript .NET class even when those methods are marked internal or private. Although the C# compiler and the Visual Basic compiler warn you about this potential security vulnerability, the JScript compiler does not.

RESOLUTION

To avoid this kind of attack, make sure that all public classes that manipulate security-sensitive data protect themselves from a hostile override. To do this, use one or more of the following methods:
  • Seal the class.
  • Put an inheritance demand on the class.
  • Make the class internal to the package.
  • Make the methods final.
  • Do not use AllowPartiallyTrustedCallersAttribute on the assembly.
Preferably, use as many of the preceding methods as possible.

STATUS

This behavior is by design.

MORE INFORMATION

Consider the following JScript library file, MyLibrary.js:

import System;
package MyLibrary
{
    public class DatabaseAccessor
    {
        public function FetchLatestData() : String
        {
            var username : String = FetchUserNameFromEncryptedStore();
            var password : String = FetchPasswordFromEncryptedStore();
            return GetDataFromDatabase(username, password);
        }
        private function FetchUserNameFromEncryptedStore() : String
        { /* Retrieve User Name here. */ }
        private function FetchPasswordFromEncryptedStore() : String
        { /* Retrieve Password here. */ }
        private function GetDataFromDatabase(username : String, password : String) : String
        { /* Use the earlier User Name and Password to retrieve data from database. */ }
    }
}

The preceding code appears to keep the user name and the password private. However, they are not. An attacker can use the IL assembler to write a derived class that overrides the GetDataFromDatabase method. When the attacker creates an instance of the derived class and calls the public base class FetchLatestData method, FetchLatestData calls the derived GetDataFromDatabase method, which passes the user name and the password to the attacker's code. In other words, the preceding code does not keep the strings private.

The preceding code also does not guarantee that the user name and the password that are passed to GetDataFromDatabase are, in fact, those from the encrypted store. The attacking class can use the same technique to substitute other user names and passwords and to bypass the code that reads the encrypted store: it overrides the FetchUserNameFromEncryptedStore and FetchPasswordFromEncryptedStore methods and has them return strings of the attacker's choosing. Either outcome, the attacker reading the real credentials or substituting forged ones, defeats the protection the class appears to provide.
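As an added example that is not part of the original article, here is MyLibrary.js hardened with two of the methods listed under RESOLUTION: the class is sealed and its helper methods are made final, so the runtime rejects any derived class that tries to override them. It assumes that the JScript .NET compiler accepts the final modifier on private methods and that the assembly is built without AllowPartiallyTrustedCallersAttribute.

```jscript
import System;

package MyLibrary
{
    // 'final' on the class seals it: no derived class can be created,
    // whether written in JScript .NET or directly in IL.
    public final class DatabaseAccessor
    {
        public function FetchLatestData() : String
        {
            var username : String = FetchUserNameFromEncryptedStore();
            var password : String = FetchPasswordFromEncryptedStore();
            return GetDataFromDatabase(username, password);
        }

        // 'final' on each helper marks the emitted IL method as
        // non-overridable, so the credentials never flow into code
        // that a subclass supplies. (Assumed to compile alongside
        // 'private' with the JScript .NET compiler.)
        private final function FetchUserNameFromEncryptedStore() : String
        { /* Retrieve User Name here. */ }

        private final function FetchPasswordFromEncryptedStore() : String
        { /* Retrieve Password here. */ }

        private final function GetDataFromDatabase(username : String, password : String) : String
        { /* Use the earlier User Name and Password to retrieve data from database. */ }
    }
}

// Note: the assembly that contains this package is deliberately built
// WITHOUT AllowPartiallyTrustedCallersAttribute, so partially trusted
// callers cannot reach FetchLatestData at all.
```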

Modification Type: Major
Last Reviewed: 4/18/2002
Keywords:kbprb KB313499