Security experts from cybersecurity firm Shielder discovered that Visual Studio Code Remote Development Extension, version 1.50, fails to sanitize the host field passed as an argument of the ssh command. A threat actor could exploit this issue, tracked as CVE-2020-17148, to inject a ProxyCommand option that could result in the execution of arbitrary commands.
The security advisory published by Microsoft states that an attacker would have to convince a user with the Visual Studio Code Remote Development Extension installed to click on a specially crafted link.
“An attacker would have to convince a user with the Visual Studio Code Remote Development Extension installed to click on a specially crafted link.” reads the advisory published by Microsoft.
According to the security expert Abdel Adim `smaury` Oisfi, the argument injection resides in the “Remote – SSH” extension, which is used and installed by the “Remote Development” one.
The researcher pointed out that the extension uses the SSH binary of the host to setup the connection with the remote host.
“One of the ways to trigger the SSH connection is to use the
vscode:// URI scheme. Specifically, the format is the following:
Once a user browses an URI as the previous one, VSCode is opened and the extension tries to connect to the $REMOTE_HOST.” reads the advisory published by Shielder.
“While connecting the following command is executed:
ssh -T -D $RANDOM_PORT "$REMOTE_HOST" bash
As no sanitization is performed on the
$REMOTE_HOST user-supplied input it is possible to inject arbitrary arguments to the SSH binary.
SSH has an option called ProxyCommand, which specifies a command which is executed before performing the actual SSH connection.”
The expert also published a Proof of concept for this vulnerability:
vscode://vscode-remote/ssh-remote+-oProxyCommand=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c msg %username% command_injection" "email@example.com+/a
The attack works also on Linux and MacOS by editing the ProxyCommand.
Microsoft addressed the flaw with the release of Visual Studio Code Remote Development Extension version 1.51 or higher.
(SecurityAffairs – hacking, RCE)