In September 2023, a critical security vulnerability—CVE-2023-36794—was disclosed by Microsoft. This flaw exposed millions of Visual Studio users to remote code execution (RCE) attacks. Understanding what this means can help you safeguard your development environment and avoid falling victim to malicious exploits. Below, we'll walk you through the vulnerability, show a code snippet for exploiting it, and give you resources to patch your systems.
What Is CVE-2023-36794?
CVE-2023-36794 affects Visual Studio, the popular development IDE from Microsoft. The bug allows attackers to execute arbitrary code on your system if you open a booby-trapped project or file in Visual Studio. The issue exists because Visual Studio doesn't correctly validate project files or package contents, leading to a classic case of remote code execution.
Microsoft severity: High
CVSS score: 7.8 (High)
How Does the Attack Work?
An attacker can craft a specially designed solution/project or a NuGet package. If a target (developer) opens this file in Visual Studio—often received by email, a public repository, or a shared drive—the exploit can trigger, and malicious code silently runs on the victim’s machine with current user permissions.
In short: Open a bad file, and you’re compromised—no further interaction needed.
Exploit Proof of Concept
Let's go through a basic example. Suppose an attacker creates a .csproj (C# project) file with a malicious pre-build event. Visual Studio runs this as part of the build, so opening and building the project launches the payload.
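<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <!-- Custom target hooked to run before the pre-build event on every build -->
  <Target Name="MaliciousPreBuildEvent" BeforeTargets="PreBuildEvent">
    <!-- Inner quotes are escaped as &quot; so the attribute is well-formed XML -->
    <Exec Command="powershell.exe -Command &quot;Start-Process notepad.exe&quot;" />
  </Target>
</Project>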
What’s happening?
When a user opens and builds this project, Notepad launches automatically. Instead of Notepad, a real attacker could run any harmful code—like downloading ransomware.
In the wild, attackers might share:
- Malicious GitHub repositories: Open source projects loaded with hidden exploit code in their .csproj or .vbproj files.
- Rogue NuGet packages: Packages that slip in harmful build events or tasks.
If you, or automation systems, build these projects, the attack executes invisibly!
References
- Microsoft Security Advisory
- NVD Database Entry
- Microsoft Visual Studio Release Notes
Review external projects:
Don’t open solutions from unknown sources. Inspect .csproj and similar files for suspicious targets/commands.
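One way to automate the inspection step above, as an added example that is not part of the original article or of Microsoft's guidance. The function names and the sample project are constructed for illustration; the script flags MSBuild constructs that run code at build time (Exec tasks, pre/post-build event properties, inline code tasks) and lists imports that pull in further build logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a build-event property plus an Exec task hooked before the build.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>echo hello</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Hook" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell.exe -Command &quot;Start-Process notepad.exe&quot;" />
  </Target>
</Project>"""

EVENT_PROPS = {"PreBuildEvent", "PostBuildEvent"}
CODE_FACTORIES = ("CodeTaskFactory", "RoslynCodeTaskFactory")

def local(tag):
    """Strip an XML namespace; old-style projects use the MSBuild 2003 namespace."""
    return tag.rsplit("}", 1)[-1]

def audit_project(xml_text):
    """Return (kind, detail) findings for constructs that run code at build time."""
    findings = []
    # ElementTree does not fetch external entities; parse untrusted files with an
    # up-to-date Python/expat so entity-expansion limits apply.
    root = ET.fromstring(xml_text)
    # Pass 1: shell commands inside targets, with the hook that triggers them.
    for target in (e for e in root.iter() if local(e.tag) == "Target"):
        hook = target.get("BeforeTargets") or target.get("AfterTargets") or "explicit call"
        for task in target.iter():
            if local(task.tag) == "Exec":
                findings.append(("exec", f"{target.get('Name')} [{hook}]: {task.get('Command')}"))
    # Pass 2: build-event properties, inline code tasks, and imported build logic.
    for el in root.iter():
        name = local(el.tag)
        if name in EVENT_PROPS and (el.text or "").strip():
            findings.append(("build-event", f"{name}: {el.text.strip()}"))
        elif name == "UsingTask" and el.get("TaskFactory") in CODE_FACTORIES:
            findings.append(("inline-task", el.get("TaskName", "?")))
        elif name == "Import" and el.get("Project"):
            findings.append(("import", el.get("Project")))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_project(SAMPLE):
        print(f"{kind:12} {detail}")
```

Run it over every .csproj, .vbproj, .props and .targets file in a checkout before opening the solution; a finding is a prompt for manual review, not proof of malice, since legitimate projects also use these constructs.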
Conclusion
CVE-2023-36794 shows how developer tools can become attack vectors. Always patch Visual Studio, be cautious with unknown code, and keep security best practices in mind during your daily work.
If you want the technical deep dive, check Microsoft’s official advisory. For demonstration code and further reading, see the NVD entry.
Stay safe—your code (and your computer) depends on it!
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC