Never trust solutions from unknown sources !

Would you run an EXE file downloaded from the net without running it through an Anti Virus ?

I guess the answer is no.

Would you open a source code i.e. Visual Studio Solution downloaded from the net in Visual Studio ?

I guess the answer is yes.

Well Think Again or just download this source code and double click the .sln file.

What you will witness is a Visual Studio exploit that enables a hacker to execute arbitrary code on your station as soon as you open the .sln file.

Following is the full explanation of the exploit:

If a UserControl is used in A windows Formular (Designer). Visual Studio execute the _Load function inside the User_Control. It is possible to add malware code inside this _Load function. Sample attack scenario: I send a solution file (.sln) to my victim which have visual studio installed. He opens the solution and the sample formular. Visual Studio execute the backdoor inside the _Load function and I have access to his computer.

So what is there to to do ?

1. Never trust solution from unknown source.
2. Immediately change the CS editor from 'CSharp Form Editor' to 'CSharp Editor' (i.e. from the form editor to the text editor) - Right click on cs file in the solution explorer and choose 'Open With' choose the 'CSharp Editor' and click 'Set as default' and then on the OK button.

Please note : The action proposed here is not the ideal as it will not eliminate the attack but only prevent the automatically execution of the code.


This exploit isn’t new and was reported sometime around January but as it was presented today at the Israel Security UG by Nimrod Luria I’ve decided to have a post on this issue in order to have people aware of its existence.

Check here the original report by Team Priestmasters Security Research and download their vs exploit sample

1 Comment

  • The links to "Team Priestmasters Security Research" are broken.
    Seems as doesn't exist anymore (Jun 2009).

    I know it is an old post, but maybe you want to update it though.


Comments have been disabled for this content.