Opening calc.exe from the S&Box C# sandbox
- #C# Security
- #Vulnerability
- #S&Box
- S&Box uses C# for game scripting but attempts to secure it by scanning and blocking unsafe APIs like File.Open, similar to Space Station 14.
- The sandbox whitelist was found to be insufficient; by bypassing compile-time checks, unsafe code could be executed, leading to game crashes.
- A method was developed to access restricted .NET runtime internals using Unsafe.As and vtable manipulation, allowing retrieval of Assembly objects despite sandboxing.
- By manipulating MethodTable structures and delegates, it was possible to load and execute arbitrary .NET assemblies, ultimately opening calc.exe in the game client.
- The vulnerability stemmed from the client-side recompilation step omitting the initial whitelist, which allowed unsafe code to execute. It was reported and rewarded via HackerOne.