The researcher investigated the potential security risks associated with debugging dump files in Visual Studio by focusing on vulnerabilities that could be exploited without relying on memory corruption or specific PDB file components.
After analyzing various libraries used during debug sessions, they discovered a method to execute arbitrary code when debugging managed dump files, which highlights the importance of addressing security vulnerabilities in debugging tools to prevent potential attacks.
Microsoft introduced the Portable PDB format for managed modules, replacing the traditional MSF format for cross-platform support and optimization.
Embedded PDBs, created using the -debug:embedded switch, store compressed PDB data within the executable, referenced by a Debug Directory Entry, which allows for debugging older versions or dump files without needing external PDBs.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
Additionally, source files can be embedded into PDBs using methods like EmbedAllSources or -embed, facilitating debugging by storing source information directly within the executable.
Visual Studio trusts embedded source files within dump files, leading to potential vulnerabilities. If a malicious source file with a specific extension is embedded, VS might attempt to open it using an associated external program.
By carefully selecting the extension and manipulating the file’s contents, an attacker could potentially execute arbitrary code when debugging the dump file, posing the importance of carefully validating and sanitizing embedded source files to mitigate such risks.
They crafted a proof-of-concept to exploit a vulnerability in Visual Studio’s handling of embedded source files in portable PDBs.
By replacing the legitimate source file with a PDF file and modifying the PDB’s structure, the researcher tricked Visual Studio into treating the PDF as a valid source file.
When debugging a memory dump containing this modified PDB, Visual Studio incorrectly opened the PDF file using an external editor, demonstrating the potential for attackers to execute arbitrary code or expose sensitive information.
The three file extensions (CHM, HTA, and PY) have been identified that could potentially be used to execute arbitrary code on a Windows system, where CHM files, typically used for help files, can contain embedded Visual Basic (VB) code.
HTA files, similar to HTML, can also include VB code, and PY files associated with Python scripts can directly execute Python code.
While CHM files are compiled, HTA and PY files can be modified to include non-printable characters without affecting their functionality, making them suitable for injecting malicious code.
They also crafted a C# program to automate the creation of exploit dumps for various file formats, which when debugged in Visual Studio trigger the execution of calc.exe due to an ACE vulnerability.
The analysis by YNWARCS revealed a new check in the CVsUIShellOpenDocument::OpenStandardEditor function that prevents the exploitation by returning an error code if the highest bit of the flags argument is set, which effectively blocks the execution of embedded sources during debugging sessions, rendering the previous exploit ineffective.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration
