Severe RCE Vulnerability Found in Visual Studio Remote Development Extension

A critical remote code execution vulnerability in the Visual Studio Code Remote Development extension has recently been discovered by security researchers at the firm Shielder.

The flaw in Visual Studio Code Remote Development Extension 1.50 is that it does not sanitize the host field properly before using it as an argument to the “ssh” command.

This allows a threat actor to run arbitrary code or commands on the affected system by injecting the ProxyCommand option.

The Visual Studio Code Remote Development extension enables users to:-

  • Use a container.
  • Use a remote machine.
  • Use WSL as a full-featured development environment.

Apart from this, here is the list of things you can do with the help of the Visual Studio Remote Development extension:-

  • Develop on the same operating system you deploy to, or use larger or more specialized hardware.
  • Separate your development environment to avoid affecting your local machine configuration.
  • Make it easy for new contributors to get started and keep everyone on a consistent environment.
  • Use tools and runtimes that are not available on your local OS, or manage several versions of them.
  • Develop your Linux-deployed application using the Windows Subsystem for Linux.
  • Access an existing development environment from multiple machines or locations.
  • Debug an application running somewhere else, such as at a customer site or in the cloud.

Flaw profile

  • CVE ID: CVE-2020-17148
  • Description: Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability.
  • Released: Dec 8, 2020
  • CVSS 3.0 score: 7.8 / 6.8

Root cause analysis

The security analysts stated that the argument injection lies in the “Remote – SSH” extension, which is installed and used by the “Remote Development” extension pack.

This extension uses the host’s SSH binary to set up the connection with the remote host. One way to trigger the SSH connection is through the vscode:// URI scheme.

The URI has the format shown below:-

vscode://vscode-remote/ssh-remote+$REMOTE_HOST+$PATH_OF_PROJECT_ON_THE_REMOTE_HOST
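As an added illustration (not the extension's own code), the following parses the host component of such a URI and refuses any value that ssh could read as an option, which is the class of input the page describes. It assumes the URI shape above; the validation pattern, function names and sample URIs are constructed for this example.

```javascript
// Expected URI shape: vscode://vscode-remote/ssh-remote+<host>+<path>
const SSH_REMOTE_PREFIX = 'vscode://vscode-remote/ssh-remote+';

// Accept only [user@]hostname[:port]. Both the user and the host part must
// start with an alphanumeric character, so "-oProxyCommand=..." never matches.
const HOST_RE =
  /^(?:[A-Za-z0-9_][A-Za-z0-9._-]*@)?[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$/;

// Split the URI into its host and project-path components (null if not ssh-remote).
function parseRemoteUri(uri) {
  if (!uri.startsWith(SSH_REMOTE_PREFIX)) return null;
  const rest = uri.slice(SSH_REMOTE_PREFIX.length);
  const sep = rest.indexOf('+'); // host and project path are '+'-separated
  return {
    host: sep === -1 ? rest : rest.slice(0, sep),
    path: sep === -1 ? '' : rest.slice(sep + 1),
  };
}

// Reject anything ssh would parse as an option or a shell could re-tokenize.
function isSafeSshHost(host) {
  if (host.length === 0 || host.startsWith('-')) return false; // leading '-' = ssh option
  if (/[\s"'`$;&|<>]/.test(host)) return false;                // no quoting/metacharacters
  return HOST_RE.test(host);
}

// Build the ssh argv for a URI, or return null if the host fails validation.
// Pass the result to spawn() as an argument array with shell disabled, so no
// shell ever re-parses the host string.
function buildSshArgv(uri) {
  const parsed = parseRemoteUri(uri);
  if (parsed === null || !isSafeSshHost(parsed.host)) return null;
  return ['ssh', parsed.host];
}

// Constructed sample inputs: a benign URI and an option-injection attempt.
const benignUri = SSH_REMOTE_PREFIX + 'alice@dev.example.com:2222+/home/alice/project';
const injectedUri = SSH_REMOTE_PREFIX + '-oProxyCommand=calc.exe user@host.example+/a';
console.log(buildSshArgv(benignUri));   // [ 'ssh', 'alice@dev.example.com:2222' ]
console.log(buildSshArgv(injectedUri)); // null
```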

Proof of concept

The proof of concept for this vulnerability is as follows:-

  • Install Visual Studio Code
  • Install the “Remote Development” extension (https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack)
  • Open a browser
  • Visit the following URL: vscode://vscode-remote/ssh-remote+-oProxyCommand=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c msg %username% command_injection" "[email protected]+/a
  • Confirm to open VSCode
  • Select a random OS (Linux / Windows / MacOS)
  • Notice the pop-up executed by PowerShell with the message “command_injection”

Impact & Remediation

As for the impact, a threat actor can trick a victim into clicking a malicious link that executes arbitrary commands on the victim’s system.

The remediation is to upgrade the Visual Studio Code Remote Development extension to version 1.51 or higher.

This type of attack has a serious impact on victims, so analysts stress that users should keep their version up to date to prevent such attacks.


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.