Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Securing Developer Tools: Argument Injection in Visual Studio Code - 934

Thomas Chauchefoin - Sonar Source. Posted 3 Years Ago
  • Visual Studio Code is a text editor from Microsoft with many awesome plugins. The authors decided to audit the Git plugins.
  • Visual Studio Code has two URI handlers called deep links: vscode:// and vscode-insiders://. For this to work, a simple interface for handleUri() needs to be implemented. If a vulnerability is found in this handler, it is a major security issue because this can be exploited with one click on the link.
  • One of the implementations was passing the URL given as input for a clone call directly into an exec() for a system call. If this URL starts with dashes, then it will be understood as an option instead of a positional argument. Neat!
  • Command injections are trivial to exploit. Argument injection, however, depends on the tool whose arguments can be set. In this case, we control two inputs for the injection but cannot use spaces, since they will be URL encoded.
  • In the URL, the authors decided to use the flag --upload-pack. Normally, this is used to learn which objects the remote side is missing and to send them after packing them. However, it can also be used to execute a specific command while Git communicates with the remote end. As the URL, an attacker would put -u$({open,-a,calculator})
  • The final trick is putting a :x at the end of the URL. This is to ensure that PROTO_LOCAL is used, which is needed for the upload pack command mentioned above. Not much information is provided on this requirement besides this.
  • Overall, interesting post on URI handling and argument injection.
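
The defensive side of the bug summarized above, as an added example that is not code from VS Code or from the Sonar post: the function names and the https/ssh scheme allowlist are assumptions. It contrasts an argv where a link-supplied value can still be parsed as an option with one that rejects dash-prefixed values and ends option parsing with "--".

```javascript
// Added example: argv construction for `git clone` from a deep-link parameter.
// Function names and the scheme allowlist are assumptions, not VS Code's code.
const ALLOWED_SCHEMES = new Set(["https:", "ssh:"]);

// The pattern summarized above: the value lands where git still parses options.
function unsafeCloneArgs(url, dest) {
  return ["clone", url, dest];
}

// Which elements would git's option parser treat as options?
// Everything after a bare "--" is positional, so scanning stops there.
function optionLikeArgs(argv) {
  const end = argv.indexOf("--");
  const scanned = end === -1 ? argv.slice(1) : argv.slice(1, end);
  return scanned.filter((arg) => arg.startsWith("-"));
}

function safeCloneArgs(url, dest) {
  for (const [name, value] of [["url", url], ["dest", dest]]) {
    if (typeof value !== "string" || value.length === 0) {
      throw new Error(`${name}: must be a non-empty string`);
    }
    if (value.startsWith("-")) throw new Error(`${name}: looks like an option`);
    if (/[\x00-\x1f\x7f]/.test(value)) throw new Error(`${name}: control character`);
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error("url: not an absolute URL");
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    throw new Error(`url: scheme ${parsed.protocol} is not allowed`);
  }
  // Defense in depth: "--" ends option parsing even if a check above is loosened.
  return ["clone", "--", url, dest];
}

// Constructed sample input; the option value is a placeholder.
const sample = "--upload-pack=placeholder";
console.log(optionLikeArgs(unsafeCloneArgs(sample, "repo")));
console.log(safeCloneArgs("https://example.com/repo.git", "repo"));
```

The returned array is meant to be passed to child_process.execFile or spawn as an argument list, without a shell.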