Don't Clone That Repo: Visual Studio Code^2 Execution

Category: IT Technology · Published: 4 years ago


This is the story of how I stumbled upon a code execution vulnerability in the Visual Studio Code Python extension, bundled by default within the IDE. It currently has 16.5M+ installs reported in the extension marketplace.

The bug

Some time ago I was reviewing a client’s Python web application when I noticed a warning


Fair enough, I thought, I just need to install pylint.

To my surprise, after running pip install --user pylint the warning was still there. Then I noticed venv-test displayed on the lower-left of the editor window. Did VSCode just automatically select the Python environment from the project folder?! To confirm my hypothesis, I installed pylint inside that virtualenv and the warning disappeared.


This seemed sketchy, so I added os.exec("/Applications/Calculator.app") to one of pylint sources and a calculator spawned. Easiest code execution ever!

VSCode's behaviour is dangerous because the virtualenv found in a project folder is activated without any user interaction. Adding a malicious folder to the workspace and opening a Python file inside the project is sufficient to trigger the vulnerability. Once a virtualenv is found, VSCode saves its path in .vscode/settings.json. If that file is present in the cloned repo, its value is loaded and trusted without asking the user. In practice, it is possible to hide the virtualenv in any repository.

The behavior is not in VSCode core, but rather in the Python extension, which is bundled by default with the editor. We contacted Microsoft on 2nd October 2019; however, the vulnerability is still not patched at the time of writing. Given that the industry-standard 90 days have expired and the issue is already exposed in a public GitHub issue, we have decided to disclose the vulnerability.

PoC || GTFO

You can try for yourself! This innocuous PoC repo opens Calculator.app on macOS:

git clone git@github.com:doyensec/VSCode_PoC_Oct2019.git
test.py

This repo contains a “malicious” settings.json which selects the virtualenv in totally_innocuous_folder/no_seriously_nothing_to_see_here.

In a bare-bones repo like this one, noticing the virtualenv might be easy, but it's easy to see how one might miss it in a real-life codebase. Moreover, it is certainly undesirable that VSCode executes code from a folder just because a Python file was opened in the editor.
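A practical defensive check for the trust issue described above (the interpreter path pinned by .vscode/settings.json being honoured from a freshly cloned repo): the script below, which is an added example and not code from Doyensec or from the Python extension, audits a checkout before it is opened in the editor. It parses .vscode/settings.json, resolves the interpreter path under python.pythonPath (the key the extension used at the time; python.defaultInterpreterPath is the newer equivalent), and flags the case where that path lands on a virtualenv shipped inside the repository itself, the exact layout of the PoC. The sample repo it builds is constructed test data; the folder names mirror the PoC but no real interpreter is involved.

```python
import json
import os
import tempfile
from pathlib import Path

# Setting keys the Python extension uses to pin a workspace interpreter.
# "python.pythonPath" is the key in use when this post was written;
# "python.defaultInterpreterPath" replaced it in later extension releases.
INTERPRETER_KEYS = ("python.pythonPath", "python.defaultInterpreterPath")


def _strip_json_comments(text):
    """settings.json is JSON-with-comments; drop whole-line // comments before parsing."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))


def audit_workspace_settings(repo_root):
    """Report interpreter paths pinned by <repo_root>/.vscode/settings.json.

    Returns a list of dicts: key, configured value, resolved path and a risk
    level. 'high' means the setting points at a virtualenv that ships inside
    the repo itself, i.e. the cloned repo decides which interpreter (and which
    site-packages, e.g. a tampered pylint) the editor will run.
    """
    repo_root = Path(repo_root).resolve()
    settings_file = repo_root / ".vscode" / "settings.json"
    findings = []
    if not settings_file.is_file():
        return findings
    settings = json.loads(_strip_json_comments(settings_file.read_text()))
    for key in INTERPRETER_KEYS:
        value = settings.get(key)
        if not isinstance(value, str):
            continue
        # VSCode expands ${workspaceFolder}; relative paths are workspace-relative.
        expanded = value.replace("${workspaceFolder}", str(repo_root))
        target = Path(expanded) if os.path.isabs(expanded) else repo_root / expanded
        target = target.resolve()
        inside_repo = target == repo_root or repo_root in target.parents
        # Venv layout: <venv>/pyvenv.cfg with the interpreter under bin/ or Scripts/.
        venv_root = target.parent.parent if target.parent.name in ("bin", "Scripts") else target
        ships_venv = (venv_root / "pyvenv.cfg").is_file()
        if inside_repo and ships_venv:
            risk = "high"      # repo-controlled interpreter: code runs on open
        elif inside_repo:
            risk = "medium"    # repo-relative path, venv not (yet) present
        else:
            risk = "low"       # points outside the checkout
        findings.append({"key": key, "value": value, "resolved": str(target), "risk": risk})
    return findings


def build_sample_repo(malicious=True):
    """Construct a throwaway repo mimicking the PoC layout (constructed sample data).
    With malicious=False the repo carries no .vscode/settings.json at all."""
    root = Path(tempfile.mkdtemp(prefix="vscode_audit_"))
    (root / "test.py").write_text("print('hello')\n")
    if malicious:
        venv = root / "totally_innocuous_folder" / "no_seriously_nothing_to_see_here"
        (venv / "bin").mkdir(parents=True)
        (venv / "pyvenv.cfg").write_text("home = /usr/bin\n")
        (venv / "bin" / "python").write_text("#!/bin/sh\n")  # stand-in for an interpreter
        (root / ".vscode").mkdir()
        (root / ".vscode" / "settings.json").write_text(json.dumps({
            "python.pythonPath": "totally_innocuous_folder/no_seriously_nothing_to_see_here/bin/python"
        }, indent=2))
    return root


if __name__ == "__main__":
    for finding in audit_workspace_settings(build_sample_repo()):
        print(f"[{finding['risk'].upper()}] {finding['key']} = {finding['value']}")
```

Run it against any checkout directory before opening the folder in VSCode; a 'high' finding is the signal to inspect (or simply delete) the pinned virtualenv and the settings file. The check is deliberately conservative: a path that merely sits inside the repo is 'medium', because a virtualenv could be created there later by a build step.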

Disclosure Timeline

  • 2nd Oct 2019 : Issue discovered
  • 2nd Oct 2019 : Security advisory sent to Microsoft
  • 8th Oct 2019 : Response from Microsoft, issue opened on vscode-python bug tracker #7805
  • 7th Jan 2020 : Asked Microsoft for a resolution timeframe
  • 8th Jan 2020 : Microsoft replies that the issue should be fixed by mid-April 2020
  • 16th Mar 2020 : Doyensec advisory and blog post are published
