Expert found RCE flaw in Visual Studio Code Remote Development Extension

Researchers from the Italian cybersecurity firm Shielder found a remote code execution vulnerability in Visual Studio Code Remote Development Extension.

Visual Studio Code Remote Development allows users to adopt a container, remote machine, or the Windows Subsystem for Linux (WSL) as a full-featured development environment.

Users can:

• Develop on the same operating system you deploy to or use larger or more specialized hardware.
• Separate your development environment to avoid impacting your local machine configuration.
• Make it easy for new contributors to get started and keep everyone on a consistent environment.
• Use tools or runtimes not available on your local OS or manage multiple versions of them.
• Develop your Linux-deployed applications using the Windows Subsystem for Linux.
• Access an existing development environment from multiple machines or locations.
• Debug an application running somewhere else such as a customer site or in the cloud.

Security experts from cybersecurity firm Shielder discovered that Visual Studio Code Remote Development Extension, version 1.50, fails to sanitize the host field passed as an argument of the ssh command. A threat actor could exploit this issue, tracked as CVE-2020-17148, to inject a ProxyCommand option that could result in the execution of arbitrary commands.

The security advisory published by Microsoft states that an attacker would have to convince a user with the Visual Studio Code Remote Development Extension installed to click on a specially crafted link.

“An attacker would have to convince a user with the Visual Studio Code Remote Development Extension installed to click on a specially crafted link.” reads the advisory published by Microsoft.

According to the security expert Abdel Adim `smaury` Oisfi, the argument injection resides in the “Remote – SSH” extension, which is used and installed by the “Remote Development” one.

The researcher pointed out that the extension uses the SSH binary of the host to setup the connection with the remote host.

“One of the ways to trigger the SSH connection is to use the 

vscode:// URI scheme. Specifically, the format is the following: vscode://vscode-remote/ssh-remote+$REMOTE_HOST+$PATH_OF_PROJECT_ON_THE_REMOTE_HOST

Once a user browses an URI as the previous one, VSCode is opened and the extension tries to connect to the $REMOTE_HOST.” reads the advisory published by Shielder.

“While connecting the following command is executed: ssh -T -D $RANDOM_PORT "$REMOTE_HOST" bash

As no sanitization is performed on the $REMOTE_HOST user-supplied input it is possible to inject arbitrary arguments to the SSH binary.

SSH has an option called ProxyCommand, which specifies a command which is executed before performing the actual SSH connection.”

The expert also published a Proof of concept for this vulnerability:

1. Install Visual Studio Code
2. Install the “Remote Development” extension (https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack)
3. Open a browser
4. Visit the following URL: vscode://vscode-remote/ssh-remote+-oProxyCommand=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c msg %username% command_injection" "a@127.0.0.1+/a
5. Confirm to open VSCode
6. Select a random OS (Linux / Windows / MacOS)
7. Notice the pop-up executed by Powershell with the message “command_injection”

The attack works also on Linux and MacOS by editing the ProxyCommand.

Microsoft addressed the flaw with the release of Visual Studio Code Remote Development Extension version 1.51 or higher.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]