Project Zero

Windows Bug Class: Accessing Trapped COM Objects with IDispatch

James Forshaw, a researcher at Google Project Zero, discusses the "trapped object bug class" in object-oriented remoting technologies such as DCOM and .NET Remoting. These technologies allow the development of object-oriented interfaces that can cross process and security boundaries, but this flexibility has downsides, including the potential for privilege escalation or remote code execution.

Not all objects that can be remoted are safe to remote. Some objects, such as XML libraries, can execute arbitrary script code in the context of an XSLT document. If an XML document object is made accessible over the boundary, a client could execute code in the context of the server process.

Several scenarios can introduce this bug class, including sharing an unsafe object inadvertently, using asynchronous marshaling primitives, and abusing the built-in mechanisms that look up and instantiate objects. For example, the Windows Runtime libraries introduced a bug by adding code to the existing XML DOM Document v6 COM object, which exposed the runtime-specific interfaces and allowed a malicious client to query for the old IXMLDOMDocument interface and use it to run an XSLT script.

Another example is the FileInfo and DirectoryInfo .NET classes, which can be marshaled both by value and by reference, and can therefore be used to create a new instance of the object in the server's process. An attacker can leverage this by sending a serialized form of the object to the server, which creates a new instance of the object, and then reading back the created object, which is marshaled back to the attacker by reference.

The final scenario mentioned is abusing the built-in mechanisms that look up and instantiate objects to create an unexpected object. For example, in COM, an attacker can use the CoCreateInstance API to create an arbitrary COM object in the context of the server and have it returned to the client. This can be exploited by getting an XML DOM Document object created in the server, returned to the client marshaled by reference, and then using it to execute arbitrary code in the context of the server.

These scenarios highlight the importance of carefully considering the security implications of using object-oriented remoting technologies and ensuring that only safe objects are shared across security boundaries.
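The FileInfo/DirectoryInfo scenario above rests on a type being both serializable (marshal by value) and a MarshalByRefObject (marshal by reference). The following is an added audit helper, not code from the Project Zero post, that a .NET Remoting server author could run over the assemblies they expose to flag types with that dual-marshaling shape for review; the assembly list and the `AuditTypes` name are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.Serialization;

static class TrappedObjectAudit
{
    // A type that is both marshal-by-value (serializable) and marshal-by-reference
    // (MarshalByRefObject) can be sent to a server by value, instantiated there,
    // and handed back to the client as a reference into the server process.
    public static bool IsDualMarshal(Type t) =>
        typeof(MarshalByRefObject).IsAssignableFrom(t) &&
        (t.IsSerializable || typeof(ISerializable).IsAssignableFrom(t));

    // Returns every public, concrete type in the given assemblies that has the
    // dual-marshaling shape, so a reviewer can decide whether each one is safe
    // to expose across the remoting boundary.
    public static List<Type> AuditTypes(IEnumerable<Assembly> assemblies)
    {
        var findings = new List<Type>();
        foreach (var asm in assemblies)
        {
            Type[] types;
            try { types = asm.GetTypes(); }
            catch (ReflectionTypeLoadException e) { types = e.Types.Where(x => x != null).ToArray(); }
            findings.AddRange(types.Where(t => t.IsPublic && !t.IsAbstract && IsDualMarshal(t)));
        }
        return findings;
    }

    static void Main()
    {
        // Assumption: auditing the core library, where FileInfo and DirectoryInfo live.
        var hits = AuditTypes(new[] { typeof(FileInfo).Assembly });
        foreach (var t in hits)
            Console.WriteLine($"review: {t.FullName} is MarshalByRefObject and serializable");
    }
}
```

On .NET Framework this reports FileInfo and DirectoryInfo among others, since FileSystemInfo derives from MarshalByRefObject and implements ISerializable; each hit still needs a manual judgement about what a client could do with a server-side instance.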