CVE CyberSecurity Database News

CVE-2024-35264 - Unpacking the .NET and Visual Studio Remote Code Execution Vulnerability

Poster -

In June 2024, Microsoft patched a critical vulnerability tracked as CVE-2024-35264. This bug could let attackers execute code remotely on your system if you're running applications built with .NET and using Visual Studio. Let's dig into what happened, see how it works, and learn how you can stay safe.

What is CVE-2024-35264?

CVE-2024-35264 is a Remote Code Execution (RCE) vulnerability in the .NET framework and Visual Studio products. If a vulnerable component receives a specially crafted payload, it may process it in an unsafe way—letting the attacker run any code they like on the victim's computer.

Here's how Microsoft describes it

> "A remote code execution vulnerability exists when .NET and Visual Studio improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user."
> Official Microsoft Advisory

Have Visual Studio 2022 or previous supported versions installed.

- Deployed or work with applications that process untrusted data, such as web APIs or file upload tools.

It's important in cloud environments—like Azure—or in organizations using microservices, since exposure can be much wider. Attackers don't need to log in or crack passwords; they only need a way to feed bad input to your process.

Technical Details: What Causes the Bug?

Under the hood: The problem lies in how .NET's serialization functions (particularly in open network services) process input. The parser trusts certain metadata too much; if an attacker sends a poisoned payload, .NET might deserialize it and unintentionally execute its contents.

Imagine a .NET API that deserializes data like this

public IActionResult PostData([FromBody] DynamicInput input)
{
    // Dangerous if DynamicInput contains user-controlled types!
    ProcessInput(input);
    return Ok();
}

If the incoming DynamicInput contains custom types, and you don't restrict which types can be deserialized, the attacker may trigger code execution!

In vulnerable versions of .NET and Visual Studio, this could be abused in services exposed to the internet.

Real Example: Exploit Demo

Disclaimer: Don’t run or use these techniques on systems you don’t own! This is for educational purposes only.

Suppose a service deserializes objects from untrusted sources using System.Text.Json or Newtonsoft.Json with type handling enabled.

string maliciousJson = @"
{
  ""$type"": ""System.Windows.Data.ObjectDataProvider, PresentationFramework"",
  ""MethodName"": ""Start"",
  ""MethodParameters"": {
    ""MethodParameters"": [""calc.exe""]
  },
  ""ObjectInstance"": {
    ""$type"": ""System.Diagnostics.Process, System"",
  }
}";
var obj = JsonConvert.DeserializeObject(maliciousJson, settings);

*If TypeNameHandling.All is set, this will try to execute "calc.exe" on the server!*

In context of CVE-2024-35264, a similar bug in .NET’s binary or XML serialization could give near-identical results.

A likely attack path includes

1. Find an exposed endpoint (like an API, web service, or signalR hub) that deserializes user input.

Resources on Exploitation

- Deserialization Attacks in .NET
- Exploit Example: YSoSerial.Net tool

The best, fastest defense is to update

- .NET 6.: Latest Patch
- .NET 7.+: Latest Patch
- Visual Studio: Update

All supported versions got security updates. Make sure to patch running servers and developer workstations.

Check if your application ever deserializes objects (binary, JSON, XML) from user input.

- Avoid enabling features like .TypeNameHandling (in Newtonsoft.Json) or using BinaryFormatter (deprecated).

3. Network Segmentation

- Limit access to APIs/services that receive user data.

Summary

CVE-2024-35264 reminds us that serialization is *never* safe by default. Trusting user data is dangerous—especially when libraries can execute code by (mis)interpreting it.

Update your .NET frameworks and Visual Studio today. Review your code for dangerous deserialization. Protect your users, your servers, and your reputation.

References

- Microsoft Advisory for CVE-2024-35264
- .NET security updates (June 2024)
- Serialization best practices (OWASP)
- What’s new in .NET security
- YSoSerial.Net deserialization exploit tool

Timeline

Published on: 07/09/2024 17:15:18 UTC
Last modified on: 07/25/2024 23:22:47 UTC