Cyber Security News

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual Studio by focusing on vulnerabilities that could be exploited without relying on memory corruption or specific PDB file components. 

After analyzing various libraries used during debug sessions, they discovered a method to execute arbitrary code when debugging managed dump files, which highlights the importance of addressing security vulnerabilities in debugging tools to prevent potential attacks.

Microsoft introduced the Portable PDB format for managed modules, replacing the traditional MSF format for cross-platform support and optimization. 

.NET core DLL compiled with an embedded PDB Source : YNWARCS

Embedded PDBs, created using the -debug:embedded switch, store compressed PDB data within the executable, referenced by a Debug Directory Entry, which allows for debugging older versions or dump files without needing external PDBs.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Additionally, source files can be embedded into PDBs using methods like EmbedAllSources or -embed, facilitating debugging by storing source information directly within the executable.

Visual Studio trusts embedded source files within dump files, leading to potential vulnerabilities. If a malicious source file with a specific extension is embedded, VS might attempt to open it using an associated external program. 

By carefully selecting the extension and manipulating the file’s contents, an attacker could potentially execute arbitrary code when debugging the dump file, posing the importance of carefully validating and sanitizing embedded source files to mitigate such risks.

webp file being opened in Paint Source : YNWARCS


They crafted a proof-of-concept to exploit a vulnerability in Visual Studio’s handling of embedded source files in portable PDBs.

By replacing the legitimate source file with a PDF file and modifying the PDB’s structure, the researcher tricked Visual Studio into treating the PDF as a valid source file. 

When debugging a memory dump containing this modified PDB, Visual Studio incorrectly opened the PDF file using an external editor, demonstrating the potential for attackers to execute arbitrary code or expose sensitive information.

The three file extensions (CHM, HTA, and PY) have been identified that could potentially be used to execute arbitrary code on a Windows system, where CHM files, typically used for help files, can contain embedded Visual Basic (VB) code. 

VS won’t let the user manually fall into the trap Source : YNWARCS

HTA files, similar to HTML, can also include VB code, and PY files associated with Python scripts can directly execute Python code.

While CHM files are compiled, HTA and PY files can be modified to include non-printable characters without affecting their functionality, making them suitable for injecting malicious code.

They also crafted a C# program to automate the creation of exploit dumps for various file formats, which when debugged in Visual Studio trigger the execution of calc.exe due to an ACE vulnerability. 

The analysis by YNWARCS revealed a new check in the CVsUIShellOpenDocument::OpenStandardEditor function that prevents the exploitation by returning an error code if the highest bit of the flags argument is set, which effectively blocks the execution of embedded sources during debugging sessions, rendering the previous exploit ineffective.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Aman Mishra

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

2 days ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

2 days ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

2 days ago