Friday, November 1, 2024
HomeCVE/vulnerabilityRCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

Published on

Malware protection

The researcher investigated the potential security risks associated with debugging dump files in Visual Studio by focusing on vulnerabilities that could be exploited without relying on memory corruption or specific PDB file components. 

After analyzing various libraries used during debug sessions, they discovered a method to execute arbitrary code when debugging managed dump files, which highlights the importance of addressing security vulnerabilities in debugging tools to prevent potential attacks.

Microsoft introduced the Portable PDB format for managed modules, replacing the traditional MSF format for cross-platform support and optimization. 

- Advertisement - SIEM as a Service
.NET core DLL compiled with an embedded PDB Source : YNWARCS

Embedded PDBs, created using the -debug:embedded switch, store compressed PDB data within the executable, referenced by a Debug Directory Entry, which allows for debugging older versions or dump files without needing external PDBs.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Additionally, source files can be embedded into PDBs using methods like EmbedAllSources or -embed, facilitating debugging by storing source information directly within the executable.

Visual Studio trusts embedded source files within dump files, leading to potential vulnerabilities. If a malicious source file with a specific extension is embedded, VS might attempt to open it using an associated external program. 

By carefully selecting the extension and manipulating the file’s contents, an attacker could potentially execute arbitrary code when debugging the dump file, posing the importance of carefully validating and sanitizing embedded source files to mitigate such risks.

 webp file being opened in Paint Source : YNWARCS


They crafted a proof-of-concept to exploit a vulnerability in Visual Studio’s handling of embedded source files in portable PDBs.

By replacing the legitimate source file with a PDF file and modifying the PDB’s structure, the researcher tricked Visual Studio into treating the PDF as a valid source file. 

When debugging a memory dump containing this modified PDB, Visual Studio incorrectly opened the PDF file using an external editor, demonstrating the potential for attackers to execute arbitrary code or expose sensitive information.

The three file extensions (CHM, HTA, and PY) have been identified that could potentially be used to execute arbitrary code on a Windows system, where CHM files, typically used for help files, can contain embedded Visual Basic (VB) code. 

VS won’t let the user manually fall into the trap Source : YNWARCS

HTA files, similar to HTML, can also include VB code, and PY files associated with Python scripts can directly execute Python code.

While CHM files are compiled, HTA and PY files can be modified to include non-printable characters without affecting their functionality, making them suitable for injecting malicious code.

They also crafted a C# program to automate the creation of exploit dumps for various file formats, which when debugged in Visual Studio trigger the execution of calc.exe due to an ACE vulnerability. 

The analysis by YNWARCS revealed a new check in the CVsUIShellOpenDocument::OpenStandardEditor function that prevents the exploitation by returning an error code if the highest bit of the flags argument is set, which effectively blocks the execution of embedded sources during debugging sessions, rendering the previous exploit ineffective.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...