Cyber Security News

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual Studio by focusing on vulnerabilities that could be exploited without relying on memory corruption or specific PDB file components. 

After analyzing various libraries used during debug sessions, they discovered a method to execute arbitrary code when debugging managed dump files, which highlights the importance of addressing security vulnerabilities in debugging tools to prevent potential attacks.

Microsoft introduced the Portable PDB format for managed modules, replacing the traditional MSF format for cross-platform support and optimization. 

.NET core DLL compiled with an embedded PDB Source : YNWARCS

Embedded PDBs, created using the -debug:embedded switch, store compressed PDB data within the executable, referenced by a Debug Directory Entry, which allows for debugging older versions or dump files without needing external PDBs.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Additionally, source files can be embedded into PDBs using methods like EmbedAllSources or -embed, facilitating debugging by storing source information directly within the executable.

Visual Studio trusts embedded source files within dump files, leading to potential vulnerabilities. If a malicious source file with a specific extension is embedded, VS might attempt to open it using an associated external program. 

By carefully selecting the extension and manipulating the file’s contents, an attacker could potentially execute arbitrary code when debugging the dump file, posing the importance of carefully validating and sanitizing embedded source files to mitigate such risks.

webp file being opened in Paint Source : YNWARCS


They crafted a proof-of-concept to exploit a vulnerability in Visual Studio’s handling of embedded source files in portable PDBs.

By replacing the legitimate source file with a PDF file and modifying the PDB’s structure, the researcher tricked Visual Studio into treating the PDF as a valid source file. 

When debugging a memory dump containing this modified PDB, Visual Studio incorrectly opened the PDF file using an external editor, demonstrating the potential for attackers to execute arbitrary code or expose sensitive information.

The three file extensions (CHM, HTA, and PY) have been identified that could potentially be used to execute arbitrary code on a Windows system, where CHM files, typically used for help files, can contain embedded Visual Basic (VB) code. 

VS won’t let the user manually fall into the trap Source : YNWARCS

HTA files, similar to HTML, can also include VB code, and PY files associated with Python scripts can directly execute Python code.

While CHM files are compiled, HTA and PY files can be modified to include non-printable characters without affecting their functionality, making them suitable for injecting malicious code.

They also crafted a C# program to automate the creation of exploit dumps for various file formats, which when debugged in Visual Studio trigger the execution of calc.exe due to an ACE vulnerability. 

The analysis by YNWARCS revealed a new check in the CVsUIShellOpenDocument::OpenStandardEditor function that prevents the exploitation by returning an error code if the highest bit of the flags argument is set, which effectively blocks the execution of embedded sources during debugging sessions, rendering the previous exploit ineffective.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Aman Mishra

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

12 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

14 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

14 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

16 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

18 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

19 hours ago