Presented at
DEF CON 31 (2023),
Aug. 11, 2023, 4 p.m.
(45 minutes).
Developers are threat actors' targets of choice because of their access to business-critical services. After compromising a single developer, they could push code changes or obtain sensitive information. For instance, a recent campaign attributed to North Korea set up social network profiles to social engineer and infect prominent figures of the developer community with malicious Visual Studio projects and browser exploits.
At the same time, modern development tools offer increasingly advanced features and deep integration with ecosystems, sometimes at the cost of basic security measures. Code editors tried to counterbalance it by introducing new lines of defense (e.g., "Workspace Trust"), leading to a cat-and-mouse game to restrict access while keeping most features available by default.
In this talk, we present the state of the art of Visual Studio Code's security. We go in-depth into its attack surface, how its extensions work, and the technical details of two vulnerabilities we found in Visual Studio Code. These findings, CVE-2021-43891 and CVE-2022-30129, led to a $30.000 bounty with an unexpected twist. We also present 1-days discovered by other researchers to develop the audience's intuition. These concepts apply to most IDEs of the market so everybody will now think twice before opening third-party code!
REFERENCES:
https://blog.electrovolt.io/posts/vscode-rce/
https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/
https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/
https://blog.doyensec.com/2022/10/27/jupytervscode.html
https://iwantmore.pizza/posts/cve-2019-1414.html
https://github.com/justinsteven/advisories/blob/master/2017_visual_studio_code_workspace_settings_code_execution.md
https://github.com/doyensec/VSCode_PoC_Oct2019
https://github.com/microsoft/vscode/issues/107951
https://www.youtube.com/watch?v=Olq6XnZ4Pwo
https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m
Presenters:
-
Thomas Chauchefoin
- Vulnerability Researcher at Sonar
Thomas Chauchefoin (@swapgs) is a Vulnerability Researcher in the Sonar R&D team. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in major open-source software. He also participated in competitions like Pwn2Own or Hack-a-Sat and was nominated for two Pwnies Awards for his research on PHP supply chain security.
-
Paul Gerste
- Vulnerability Researcher at Sonar
Paul Gerste (@pspaul95) is a Vulnerability Research in the Sonar R&D team. In the last months, he has been hunting bugs in popular JavaScript and TypeScript applications, yielding critical vulnerabilities in projects such as Rocket.Chat, NodeBB, and Blitz.js. Paul has also been a CTF player and organizer for some years and loves to hack all web-related things.
Links:
Similar Presentations: