[CVE-2021-43908] VSCode RCE
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
Technical difficulty: Beginner
Introduction
During the last quarter of 2021, an interesting RCE vulnerability affecting VSCode was made public. It affected the application even when a folder was opened in the Restricted Mode provided by VSCode. The vulnerability was assigned the CVE ID CVE-2021-43908 and was patched in the November 2021 release (version 1.63) of VSCode.
This bug was discovered by the researchers going by the aliases TheGrandPew and s1r1us. The researchers have documented their research in [this blog post](https://blog.electrovolt.io/posts/vscode-rce/), covering the complete attack chain to trigger this RCE vulnerability!
The gist of the vulnerability, as stated by the authors, is:
Remote Code execution can be achieved when a victim opens a markdown file in a maliciously crafted VSCode Project or a folder even in VSCode Restricted Mode.
In this lab, we will learn to exploit the RCE vulnerability in VSCode by opening a malicious project sent by the attacker to the victim user.
Lab Environment
In this lab environment, the user is going to get access to a Kali GUI instance along with two sessions to a Windows machine with student and Administrator user accounts. The Windows machine is available on the following domain name: demo.ine.local
Objective: Exploit the RCE vulnerability affecting VSCode (CVE-2021-43908).
Note: During exploitation, you might need to relax the VSCode settings to enable content loading over http served from localhost. Strictly speaking this is not necessary, as you will find in the solution, but it is the quick way to check the PoC for this RCE vulnerability. The other route is more involved, but it is mentioned in the solution for those interested in learning the practicalities of this attack.
Tools
The best tools for this lab are:
- Nmap
- NodeJS
- Python
- Zip
- A web browser
- Visual Studio Code (or VSCode for short)
Step 1: Open the lab link.
In this lab, we receive two machines, accessed through three sessions:
1. Kali Machine: A Kali GUI instance containing the exploit server files and the malicious project files that, when opened, trigger the VSCode RCE vulnerability.
2. Attacker Machine: A Windows machine with a student account, used to start the exploit server and deliver the exploitation payload.
3. Target Machine: The same Windows machine as above with the Administrator account, used to simulate a victim who opens a malicious project inside VSCode in Restricted Mode.
The Kali machine contains all the files relevant for exploitation, and the Windows student session is where we will run our exploit server. We will then open a malicious markdown file in VSCode on the same Windows machine under the Administrator account.
The end goal would be to spawn a calculator instance.
Step 2: Check the availability of the target Windows machine.
The target Windows machine is located at the domain demo.ine.local:
Command:
ping -c3 demo.ine.local
The target Windows machine is reachable.
Step 3: Scan the target Windows machine for open ports.
Command:
nmap -sS -sV demo.ine.local
Step 4: Check the VSCode version in the Target Machine.
Navigate to the Target Machine:
Open VSCode from the taskbar:
Click on Help > About:
That would show a dialog box containing the VSCode version information:
Version: 1.61.0 (system setup)
Commit: ee8c7def80afc00dd6e593ef12f37756d8f504ea
Date: 2021-10-07T18:13:09.652Z
Electron: 13.5.1
Chrome: 91.0.4472.164
Node.js: 14.16.0
V8: 9.1.269.39-electron.0
OS: Windows_NT x64 10.0.17763
The VSCode version seems quite old - it was last updated almost a year ago, as of this writing!
Step 5: Search for information on VSCode RCE CVE-2021-43908.
Search Query:
VSCode RCE CVE-2021-43908
Open the ElectroVolt.io blog page:
URL: https://blog.electrovolt.io/posts/vscode-rce/
Note: It is advised to read the researchers' original post to understand the complete attack, and then use this lab as a supplement to try their research firsthand. To avoid repetition, this manual has been kept short and covers only the exploitation of the vulnerability, so reading the original post first will be much more beneficial!
Notice the summary of the vulnerability:
Remote Code execution can be achieved when a victim opens a markdown file in a maliciously crafted VSCode Project or a folder even in VSCode Restricted Mode.
Navigate back to the search results:
Open the MSRC portal page:
URL: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908
Open the Release Notes:
URL: https://code.visualstudio.com/updates/v1_63
Notice that the VSCode version in which this vulnerability was fixed is mentioned on this page:
The patched version was: November 2021 (version 1.63).
This means the provided VSCode version (1.61.0) is vulnerable to the aforementioned RCE vulnerability.
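A small check a defender can run over the Help > About text to decide whether an installed VSCode predates the fixed release (added example for this walkthrough, not part of the lab or of the researchers' PoC; ABOUT_TEXT is the About output copied from the lab above, and PATCHED_VERSION is 1.63.0 as given in the release notes):

```python
import re

# First VSCode release containing the fix for CVE-2021-43908
# (November 2021 release, version 1.63), per the release notes.
PATCHED_VERSION = (1, 63, 0)

# Help > About text as shown on the lab's Target Machine (copied from the walkthrough).
ABOUT_TEXT = """\
Version: 1.61.0 (system setup)
Commit: ee8c7def80afc00dd6e593ef12f37756d8f504ea
Date: 2021-10-07T18:13:09.652Z
Electron: 13.5.1
Chrome: 91.0.4472.164
Node.js: 14.16.0
V8: 9.1.269.39-electron.0
OS: Windows_NT x64 10.0.17763
"""


def parse_about(text):
    """Turn the 'Key: value' lines of the About dialog into a dict.

    Only the first ':' splits key from value, so the ISO timestamp in
    the Date line survives intact.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_version(value):
    """Extract a numeric (major, minor, patch) tuple from e.g. '1.61.0 (system setup)'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", value)
    if not m:
        raise ValueError(f"unrecognised version string: {value!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable(about_text, patched=PATCHED_VERSION):
    """True if the installed version is older than the first fixed release."""
    fields = parse_about(about_text)
    return parse_version(fields["Version"]) < patched


if __name__ == "__main__":
    print("vulnerable" if is_vulnerable(ABOUT_TEXT) else "patched")
```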
Step 6: Inspect the provided exploitation files.
The exploit PoC is taken from the following GitHub repository:
URL: https://github.com/Sudistark/vscode-rce-electrovolt/
The exploit files are provided in the challenge-files directory located on the Desktop:
Commands:
ls -al ~/Desktop/challenge-files/
ls -al ~/Desktop/challenge-files/vscode-rce-poc/
The exploit.md file is what initiates the complete exploitation chain by sending a request to the attacker server to leak the extension ID and receive the payload.
The rce.html file contains the JS payload to open a calculator app.
The code directory contains the code run by the attacker to steal the extension ID and send the payload to the VSCode app.
Command:
ls -al ~/Desktop/challenge-files/vscode-rce-poc/code/
Navigate to the directory of the provided files and check the provided VSCode settings file:
Commands:
cd ~/Desktop/challenge-files/vscode-rce-poc/
ls -al
cat .vscode/Settings.json
Remove the highlighted line:
Command:
cat .vscode/Settings.json
Step 7: Alter the IP address and paths in the exploitation files and package the Zip for the target Windows machines.
Check the contents of the exploit.md and rce.html files:
Command:
cat exploit.md
cat rce.html
Notice the highlighted URL:
URL: https://felineintelligentbytes.kacegi6947.repl.co/
We have to change this, as public URLs are not reachable from the lab instance. Instead, we will put http://localhost:3000 in its place, since we will run the exploit server locally on the target Windows machine as a low-privileged user account (student).
Check the contents of the code/main.js file:
Command:
cat code/main.js
We need to modify the URL and the installation path of VSCode.
The installation path for VSCode can be found from the Windows machine:
Installation Path:
C:\Program Files\Microsoft VS Code\resources\app
Replace backslash (\\) with forward slash (/) and encode the spaces (as %20):
Installation Path:
C:/Program%20Files/Microsoft%20VS%20Code/resources/app
Now we can place this value in the code/main.js file.
After URL and VSCode installation path modifications, the exploit.md and code/main.js files should look like this:
Command:
cat exploit.md
Command:
cat code/main.js
Archive the exploit files to be opened in VSCode:
Commands:
zip -r evil-repo.zip exploit.md rce.html .vscode
unzip -t evil-repo.zip
Archive the exploit files run by the attacker (student user in this case):
Command:
zip -r exploit-code.zip code
Step 8: Transfer the exploitation files to the target Windows machine and exploit the VSCode app.
Check the IP address of the Kali GUI instance:
Command:
ip addr
The IP address of the Kali GUI instance is 10.10.27.2.
Note: The IP address of your Kali GUI instance would be different, so make sure to check its IP and use that to download the files to the target Windows machine!
Start a Python-based HTTP server to transfer files to the Windows machine:
Command:
python3 -m http.server 80
Open the Firefox browser in the Attacker Machine and open the following URL:
URL: http://10.10.27.2
Note: The IP address of your Kali GUI instance would be different, so make sure to check its IP and use that to download the files to the target Windows machine!
Download the exploit-code.zip file.
Extract the downloaded file:
Navigate to the extracted folder and start the exploit server:
Commands:
cd .\Downloads\exploit-code\code\
ls
node .\main.js
The exploit server has started and listens on port 3000 on the Windows machine.
Notice that we have used the student account to launch the exploit server.
Head over to the Target Machine and open the following URL in the Firefox browser:
URL: http://10.10.27.2
Note: The IP address of your Kali GUI instance would be different, so make sure to check its IP and use that to download the files to the target Windows machine!
Download the evil-repo.zip file.
Extract the downloaded file:
Open the extracted folder in VSCode:
Select No, I don't trust the authors to open this folder in restricted mode:
Open exploit.md file:
Recall the .vscode/Settings.json file. It contained an entry for \*.md files. In essence, that entry tells VSCode to open all markdown files in preview mode by default.
So opening the exploit.md file would show the markdown preview:
On the right side, you can see Some content has been disabled in this document.
Click on that warning and select "Allow insecure local content: Enable content loading over http served from localhost".
Why have we done so?
This has been done because, by default, only content loaded from an HTTPS site is considered secure, but since we have served the exploit over HTTP on localhost, VSCode shows this warning. Since we are trying to reproduce the issue and see how we can leverage VSCode to pop a calculator, we had to select this insecure setting. An alternative way would have been to host this NodeJS server over HTTPS, but that would have required using certificates trusted by the VSCode app.
Once we have relaxed the security for localhost, the markdown file gets rendered, and the exploitation starts:
Note: You might see an error in the window where the NodeJS exploit server is running, saying that htmlPOC is not defined. That happens because VSCode does not trust localhost over HTTP. If you experience issues with the exploitation even after relaxing the VSCode security settings, you can restart the NodeJS exploit server.
After a few seconds (3 to be precise), you should see an iframe:
Soon after that, a calculator would pop up:
Open the Attacker Machine where the exploit server was running:
Notice the extension ID was successfully stolen by the server, and that's how the exploit proceeded.
If you let the server run and keep the exploit.md file open, you would notice that the calculator keeps popping up as the exploit never stops.
Stop the exploit server by pressing CTRL+C to prevent further calculator instances from popping up.
Navigate back to the Target Machine and press CTRL+P:
Type the following in the input box that shows up:
>developer: open webview
Select the only entry that shows up; that should open the browser-like developer console:
This window would help inspect the exploit in action.
Now restart the exploit server in the Attacker Machine:
Head back to the Target Machine and reopen (close and open) the exploit.md file.
Notice the requests made to the exploit server to steal the extension ID:
Next, the iframe is opened:
Next, rce.html is loaded, which pops up a calculator instance:
If you keep the exploit server running and the exploit.md file open, you will notice that calculator instances keep popping up:
You can also inspect more details by checking the Network tab or utilizing the breakpoints and seeing how things work in this exploit.
With that, we conclude this lab on VSCode RCE (CVE-2021-43908).
References
- Visual Studio Code - Remote Code Execution in Restricted Mode (CVE-2021-43908): https://blog.electrovolt.io/posts/vscode-rce/
- Visual Studio Code Spoofing Vulnerability: CVE-2021-43908: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908
- VSCode Updates: November 2021 (version 1.63): https://code.visualstudio.com/updates/v1_63
Try this exploit for yourself! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!