CVE-2024-30052: RCE vulnerability in Visual Studio via dump files



A researcher identified a way to make Visual Studio execute arbitrary code while it debugs a managed dump file, without relying on memory corruption or on any special component of the PDB file. By analysing the libraries Visual Studio loads during such debugging sessions, they found exploitable weaknesses, which underlines that security flaws in debugging tools need to be fixed before they can be abused.

CVE-2024-30052

Microsoft introduced the Portable PDB format for managed modules as a replacement for the traditional MSF-based PDB, offering better cross-platform support and a leaner layout.

Embedded PDBs, produced with the compiler's -debug switch, store compressed PDB data inside the executable itself, so older builds or dump files can be debugged without a separate PDB file.

Source files can also be embedded into a PDB with options such as EmbedAllSources or -embed, which simplifies debugging because the source text travels with the binary. Visual Studio, however, trusts these embedded files, and that trust is the risk.

If an embedded file carries a certain extension, Visual Studio may open it with an external program rather than in its own editor. This lets an attacker execute arbitrary code during a debugging session, which is why embedded files need to be validated and sanitised before they are opened.

The researcher built a proof of concept against Visual Studio's handling of embedded source files in portable PDBs. By replacing a legitimate source file with a PDF and adjusting the PDB structure accordingly, they tricked Visual Studio into opening the PDF as if it were a source file while debugging a memory dump. This demonstrated how an attacker could run arbitrary code or reach sensitive information.

Three file types (CHM, HTA and PY) were found to be risky. CHM files, normally used for help content, can carry embedded Visual Basic code that runs when the file is opened.

HTA and PY files execute VB and Python code respectively, and both can be modified with non-printable characters to inject malicious code.
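The two paragraphs above describe the risky ingredients: a Portable PDB embedded in a binary (or present in a dump), embedded source documents inside it, and a handful of extensions that Visual Studio hands to an external program. The following Python script is an added example, not code from the advisory or from Microsoft; it scans a byte buffer for embedded Portable PDB containers, inflates them and flags embedded document names with the extensions the advisory lists, so a binary or dump can be checked before anyone debugs it. The "MPDB" container layout (magic, 4-byte little-endian uncompressed size, raw Deflate payload) follows Microsoft's published Portable PDB specification; the document-name extraction is a string heuristic rather than a full ECMA-335 metadata parser, and the `build_sample_container` helper and the file names it uses are constructed test data, not a real PDB.

```python
"""Heuristic scanner for embedded Portable PDB sources with risky extensions.

Added example, not code from the advisory or from Microsoft. Locates MPDB
containers inside an arbitrary buffer (a PE image or a memory dump), inflates
them and reports embedded document names whose extension Visual Studio would
hand to an external program. Name extraction is a string heuristic, not an
ECMA-335 metadata parser.
"""
import re
import zlib

MPDB_MAGIC = b"MPDB"
# Extensions the advisory reports as opening with an external handler.
RISKY_EXTENSIONS = {".chm", ".hta", ".py"}

# A file-name-like token: name characters followed by one or more short
# extensions. Portable PDB stores each document-name part as a length-prefixed
# UTF-8 blob, so "calc.hta" shows up in the heap as b"\x08calc.hta".
_NAME_RE = re.compile(rb"[A-Za-z0-9_\-]{1,64}(?:\.[A-Za-z0-9]{1,8})+")


def inflate_embedded_pdb(container: bytes) -> bytes:
    """Decode one MPDB container and return the raw Portable PDB bytes."""
    if container[:4] != MPDB_MAGIC:
        raise ValueError("missing MPDB magic")
    expected = int.from_bytes(container[4:8], "little")
    d = zlib.decompressobj(wbits=-15)  # raw Deflate: no zlib header/trailer
    data = d.decompress(container[8:])  # stops at end of stream, ignores tail
    if not d.eof:
        raise ValueError("truncated Deflate stream")
    if len(data) != expected:
        raise ValueError(f"size mismatch: header says {expected}, got {len(data)}")
    return data


def find_embedded_pdbs(buf: bytes) -> list:
    """Return every decodable MPDB container found in buf (magic scan)."""
    pdbs = []
    pos = buf.find(MPDB_MAGIC)
    while pos != -1:
        try:
            pdbs.append(inflate_embedded_pdb(buf[pos:]))
        except (ValueError, zlib.error):
            pass  # stray 'MPDB' bytes that are not a real container
        pos = buf.find(MPDB_MAGIC, pos + 4)
    return pdbs


def extract_document_names(pdb: bytes) -> list:
    """Heuristically pull file-name-like strings out of Portable PDB bytes."""
    return sorted({m.group(0).decode("ascii") for m in _NAME_RE.finditer(pdb)})


def risky_embedded_sources(buf: bytes) -> list:
    """Embedded document names whose extension is in RISKY_EXTENSIONS."""
    hits = []
    for pdb in find_embedded_pdbs(buf):
        for name in extract_document_names(pdb):
            ext = "." + name.rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                hits.append(name)
    return hits


def build_sample_container(names) -> bytes:
    """Constructed test input: a fake Portable PDB body holding length-prefixed
    document-name blobs, wrapped in a valid MPDB container. Not a real PDB."""
    body = b"BSJB" + b"\x00" * 16  # metadata signature plus padding
    for n in names:
        body += bytes([len(n)]) + n.encode("ascii")
    c = zlib.compressobj(level=6, wbits=-15)  # raw Deflate to match the spec
    payload = c.compress(body) + c.flush()
    return MPDB_MAGIC + len(body).to_bytes(4, "little") + payload


if __name__ == "__main__":
    # Constructed buffer: a fake PE prefix, one embedded PDB, some trailing bytes.
    sample = (b"MZ" + b"\x90" * 64
              + build_sample_container(["Program.cs", "calc.hta", "notes.txt"])
              + b"\x00" * 16)
    print(risky_embedded_sources(sample))  # ['calc.hta']
```

Because the scan keys on the container magic rather than on the PE debug directory, the same function works on a raw dump file, where module images are present without their headers being conveniently indexed; the cost is that a stray "MPDB" sequence is tried and discarded, which the decode checks handle.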

The researcher automated the creation of exploit dumps with a C# program; when such a dump is debugged in Visual Studio, the arbitrary code execution (ACE) flaw launches calc.exe.

The fix adds a check to Visual Studio's CVsUIShellOpenDocument function that blocks embedded sources from being opened during debugging, which closes off this exploitation path.


Published October 7th, 2024 (2024-10-09T23:07:27+05:30) | Internet Security, RCE Flaw, Security Advisory, Security Update, Tips, vulnerability

About the Author: FirstHackersNews - Identifies Security
