Visual Studio Code is why I have (Workspace) Trust issues

Presented at DEF CON 31 (2023), Aug. 11, 2023, 4 p.m. (45 minutes)

Developers are threat actors' targets of choice because of their access to business-critical services. After compromising a single developer, they could push code changes or obtain sensitive information. For instance, a recent campaign attributed to North Korea set up social network profiles to social engineer and infect prominent figures of the developer community with malicious Visual Studio projects and browser exploits. At the same time, modern development tools offer increasingly advanced features and deep integration with ecosystems, sometimes at the cost of basic security measures. Code editors tried to counterbalance it by introducing new lines of defense (e.g., "Workspace Trust"), leading to a cat-and-mouse game to restrict access while keeping most features available by default. In this talk, we present the state of the art of Visual Studio Code's security. We go in-depth into its attack surface, how its extensions work, and the technical details of two vulnerabilities we found in Visual Studio Code. These findings, CVE-2021-43891 and CVE-2022-30129, led to a $30.000 bounty with an unexpected twist. We also present 1-days discovered by other researchers to develop the audience's intuition. These concepts apply to most IDEs of the market so everybody will now think twice before opening third-party code! REFERENCES: https://blog.electrovolt.io/posts/vscode-rce/ https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/ https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/ https://blog.doyensec.com/2022/10/27/jupytervscode.html https://iwantmore.pizza/posts/cve-2019-1414.html https://github.com/justinsteven/advisories/blob/master/2017_visual_studio_code_workspace_settings_code_execution.md https://github.com/doyensec/VSCode_PoC_Oct2019 https://github.com/microsoft/vscode/issues/107951 https://www.youtube.com/watch?v=Olq6XnZ4Pwo https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m

Presenters:

• Paul Gerste - Vulnerability Researcher at Sonar
  Paul Gerste (@pspaul95) is a Vulnerability Research in the Sonar R&D team. In the last months, he has been hunting bugs in popular JavaScript and TypeScript applications, yielding critical vulnerabilities in projects such as Rocket.Chat, NodeBB, and Blitz.js. Paul has also been a CTF player and organizer for some years and loves to hack all web-related things.
• Thomas Chauchefoin - Vulnerability Researcher at Sonar
  Thomas Chauchefoin (@swapgs) is a Vulnerability Researcher in the Sonar R&D team. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in major open-source software. He also participated in competitions like Pwn2Own or Hack-a-Sat and was nominated for two Pwnies Awards for his research on PHP supply chain security.

Links:

• https://forum.defcon.org/node/245747

Similar Presentations:

• DEF CON 31 (2023) / Legend of Zelda: Use After Free (TASBot glitches the future into OoT)
• DEF CON 31 (2023) / Spooky authentication at a distance
• DEF CON 29 (2021) / Offensive Golang Bonanza: Writing Golang Malware