Visual Studio's built-in malware execution functionality (EvilSln)

Visual Studio contains a serious security issue that could result in a complete compromise of your machine without you even knowing!

Full credit to cjm00nw & edwardzpeng (https://github.com/cjm00n) for discovering this issue.

Exploit Scenario

You’ve found a free and open-source project on GitHub related to something you’re working on that could save you weeks worth of work!

Being cautious, you browse every folder and file, reviewing the code as you go.
You stumble across a file named .suo in one of the subfolders that doesn’t appear to contain anything, so you do some searching and discover an official Microsoft reference titled Solution User Options (.suo) File (https://learn.microsoft.com/en-us/visualstudio/extensibility/internals/solution-user-options-dot-suo-file?view=vs-2022) which states:

‘The solution user options (.suo) file is a structured storage, or compound, file stored in a binary format. You save user information into streams with the name of the stream being the key that will be used to identify the information in the .suo file. The solution user options file is used to store user preference settings, and is created automatically when Visual Studio saves a solution.’

Being satisfied that you’ve thoroughly ensured the repo is clean, you download the project, open it in Visual Studio and complete your work…

Unfortunately, your machine has now been compromised. The seemingly benign .suo file contained an exploit that triggered immediately upon opening the project in Visual Studio and without requiring any user interaction to execute!

Hasn’t this been reported to Microsoft?

Yes. As per cjm00nw & edwardzpeng (https://github.com/cjm00n/EvilSln), this issue has been reported to Microsoft, who replied with:

‘After investigation, our team decided the issue is not a vulnerability. Opening a Visual Studio project is an insecure operation, as documented here: https://devblogs.microsoft.com/visualstudio/improving-developer-security-with-visual-studio-2022/’

Proof-of-concept testing

If this seems unbelievable, note that we tested the payload on a fully updated Windows 10 test machine with the latest version of Visual Studio (https://visualstudio.microsoft.com/downloads) as follows:

  1. Download the EvilSln proof-of-concept from https://github.com/cjm00n/EvilSln
  2. Open the App1.sln file with Microsoft Visual Studio 2022
  3. Observe the calculator appears upon opening the project, indicating successful execution of the payload

Obviously an attacker has no interest in popping the calculator on their victim’s machine. If this issue remains as is and is not addressed by Microsoft, we’ll explore interesting, real-world exploit payloads in future posts.

Note: The payload will only trigger on the first open. To quote cjm00n ‘due to Visual Studio’s behavior of saving new content into the .suo file upon closing, the payload content is cleared, providing a natural concealment to this exploit technique.’ - https://github.com/cjm00n/EvilSln/tree/main#exploitation

How to prevent being exploited

Unfortunately there’s no easy ‘quick-fix’ solution, but implementing the steps below should reduce the likelihood of being exploited:

  1. Enable ‘Hidden items’ in Windows Explorer so that .suo files are visible. This is a crucial step!
  2. Delete .suo files prior to opening any new projects. In the proof-of-concept above, the .suo file is located in the EvilSln-main\.vs\App1\v17 folder.
  3. In Visual Studio, under Tools > Options > Trust Settings, ensure “Require a trust decision before opening content” is enabled.
  4. Before accepting trust decisions for new projects, double-check the project folders ensuring .suo files have been deleted.
  5. Never extract new projects into a previously trusted folder. The trust settings may be inherited, so the trust warning would not appear.
  6. Periodically check your trusted folders in Visual Studio, under Tools > Options > Trust Settings, and remove any that are no longer current.
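Steps 1, 2 and 4 above amount to a manual check that no .suo file is present before a downloaded project is opened or trusted. The script below automates that check. It is an added example written for this post; it is not code from the original article or from the EvilSln repository. It assumes Windows PowerShell 5.1 or later and a placeholder project path; the script name Find-Suo.ps1 and its parameters are our own choices. It lists every .suo file under the folder (the .vs folder and the .suo files inside it are hidden, which is why -Force is passed to Get-ChildItem), reports whether each one carries the structured-storage signature the Microsoft documentation describes, and deletes them when -Remove is given.

```powershell
# Find-Suo.ps1 (added example, not part of the original post or the EvilSln repository)
# Lists every .suo file under a freshly extracted project folder, hidden ones included,
# and deletes them when -Remove is given. Run it BEFORE opening the .sln in Visual Studio.
# Assumes Windows PowerShell 5.1 or later; $ProjectRoot is a placeholder path.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProjectRoot,   # e.g. 'C:\Users\you\Downloads\EvilSln-main' (placeholder)
    [switch]$Remove         # delete the files instead of only listing them
)

if (-not (Test-Path -LiteralPath $ProjectRoot -PathType Container)) {
    throw "Folder not found: $ProjectRoot"
}

# -Force matters: the .vs folder and the .suo files carry the hidden attribute,
# and Get-ChildItem silently skips hidden items without it.
$suoFiles = @(Get-ChildItem -LiteralPath $ProjectRoot -Recurse -Force -File `
    -Filter '*.suo' -ErrorAction SilentlyContinue)

if ($suoFiles.Count -eq 0) {
    Write-Host "No .suo files found under $ProjectRoot"
    return
}

# Signature of a structured-storage (OLE compound) file, the format .suo uses.
$cfbMagic = 'D0 CF 11 E0 A1 B1 1A E1'

foreach ($f in $suoFiles) {
    $header = 'n/a (file shorter than 8 bytes)'
    if ($f.Length -ge 8) {
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try {
            $buf = New-Object byte[] 8
            [void]$fs.Read($buf, 0, 8)
            $header = ($buf | ForEach-Object { $_.ToString('X2') }) -join ' '
        } finally {
            $fs.Dispose()
        }
    }

    [pscustomobject]@{
        Path         = $f.FullName
        Bytes        = $f.Length
        LastWrite    = $f.LastWriteTime
        Hidden       = (($f.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0)
        CompoundFile = ($header -eq $cfbMagic)
    } | Format-List

    if ($Remove) {
        # -Force is needed again because the file is hidden.
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Removed $($f.FullName)"
    }
}
```

Usage: `.\Find-Suo.ps1 -ProjectRoot 'C:\Users\you\Downloads\EvilSln-main'` to list, then add `-Remove` to delete. The CompoundFile column is informational only: a .suo file that is a well-formed compound file is exactly what Visual Studio expects to load, so the signature does not separate a benign settings file from a malicious one. The safe rule from step 2 still applies: a project you have just downloaded has no legitimate need for a .suo file, so remove every one the script finds before opening the solution, and run it again before accepting a trust decision (step 4). Visual Studio will recreate a clean .suo file for your own settings when you next close the solution.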

For more information, or customised testing (including potentially malicious payloads) and remediation assistance for your environment, feel free to email us.