Exploiting Visual Studio via dump files - CVE-2024-30052

submitted by
Style Pass
2024-10-07 00:00:04

This blog post will talk about CVE-2024-30052, which allows arbitrary code execution when debugging dump files in Visual Studio. I reported this issue to Microsoft in August 2023 and they provided an update that addresses this issue in June 2024. Below I share some details about the vulnerability, as well as proof-of-concept / exploit-ready code on my GitHub.

At my day job, I find myself debugging dump files in Visual Studio quite often. These are invaluable for investigating low-repro crashes or program states that we want to prevent from happening. Quite often, the dump files will come from untrusted places: most large companies that deploy native applications on e.g. Windows will have an automated system for detecting crashes, in which case a dump file is gathered as part of telemetry and uploaded to a portal that developers can access in order to triage crashes. For example, Google uses a custom version of Crashpad to capture and report crashes in Google Chrome.

This potentially exposes developers to attacks via dump files. If there's a vulnerability in Visual Studio that can be triggered by opening a specially crafted dump file, a malicious user could insert this dump file into the crash reporting system and simply wait until a developer opens it. It also wouldn't be out of the ordinary for an end user to manually send a dump file in e.g. a support ticket, which would probably increase the chances of the developer opening the file. The main opportunity for an attack is via PDB files, which can be provided along with a dump file (under arbitrary extensions if needed) and which VS will happily load during the debug session. In general, PDBs are rather unsafe:
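A defender-side check that follows from the above: before a dump from an untrusted source is opened in a debugger, list which PDB each module's CodeView (RSDS) record points at, since that is what the debugger will try to resolve. This is an added example, not the author's code or tooling; it parses the standard minidump header, stream directory and MINIDUMP_MODULE layout, and the sample dump it builds is constructed here rather than taken from a real crash.

```python
import struct
import uuid

MODULE_LIST_STREAM = 4  # MINIDUMP_STREAM_TYPE value for ModuleListStream

def _minidump_string(buf, rva):
    # MINIDUMP_STRING: 4-byte length in bytes, then UTF-16LE characters.
    n = struct.unpack_from("<I", buf, rva)[0]
    return buf[rva + 4:rva + 4 + n].decode("utf-16-le")

def pdb_references(buf):
    """Return (module name, symbol-server key, PDB path) for every module with an RSDS CodeView record."""
    if buf[:4] != b"MDMP":
        raise ValueError("not a minidump")
    nstreams, dir_rva = struct.unpack_from("<II", buf, 8)
    refs = []
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        if stype != MODULE_LIST_STREAM:
            continue
        for m in range(struct.unpack_from("<I", buf, rva)[0]):
            off = rva + 4 + 108 * m              # sizeof(MINIDUMP_MODULE) == 108
            name_rva = struct.unpack_from("<I", buf, off + 20)[0]
            cv_size, cv_rva = struct.unpack_from("<II", buf, off + 76)
            cv = buf[cv_rva:cv_rva + cv_size]
            if cv[:4] != b"RSDS":
                continue                        # no CodeView data, or the old NB10 form
            guid = uuid.UUID(bytes_le=cv[4:20])
            age = struct.unpack_from("<I", cv, 20)[0]
            path = cv[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
            refs.append((_minidump_string(buf, name_rva), f"{guid.hex.upper()}{age:X}", path))
    return refs

def suspicious(ref):
    # Heuristic: the debugger loads whatever the record names, so a non-.pdb name or a UNC path deserves a look.
    path = ref[2].lower()
    return not path.endswith(".pdb") or path.startswith("\\\\")

def build_sample_dump():
    """Constructed minimal minidump (not a real crash): one module whose CodeView record points at app.dat."""
    cv = (b"RSDS" + uuid.UUID("12345678-1234-5678-9abc-def012345678").bytes_le
          + struct.pack("<I", 3) + b"C:\\drop\\app.dat\0")
    name = "app.exe".encode("utf-16-le")
    name_rec = struct.pack("<I", len(name)) + name + b"\0\0"
    name_rva, cv_rva = 44 + 4 + 108, 44 + 4 + 108 + len(name_rec)
    module = (struct.pack("<QIIII", 0x140000000, 0x1000, 0, 0, name_rva) + b"\0" * 52
              + struct.pack("<II", len(cv), cv_rva) + b"\0" * 24)
    header = b"MDMP" + struct.pack("<IIIIIQ", 0xA793, 1, 32, 0, 0, 0)
    directory = struct.pack("<III", MODULE_LIST_STREAM, 4 + 108, 44)
    return header + directory + struct.pack("<I", 1) + module + name_rec + cv
```

Running `pdb_references` over a dump from a crash portal, and checking each entry with `suspicious`, gives a quick triage step before the file is loaded into Visual Studio.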
