RCE in Visual Studio Code's Remote WSL for Fun and Negative Profit (parsiya.net)
327 points by gmemstr on Dec 21, 2021 | 102 comments



In a sense Microsoft forgot its own learnings. Because of exactly things like this they prevent UWP apps from connecting to localhost by default and make it very annoying to circumvent, and from my experience the circumvention is not exactly a stable setup. So they really don't want you to do that, and somebody thought enough to make it extra difficult. So, they have UWP, all those well thought-out policies, then make an editor ecosystem out of web technology and throw everything out of the window. No surprise from a $T company with more teams than countries on Earth that not everything is coordinated, but they should have a guy with the required knowledge and sensibilities on any major product team. Apps installed from their "store" are relatively safe, but then they put an (extension) store inside their app again, which is unsafe :/


Apps installed from the Microsoft Store are no longer guaranteed safe, as Win32 apps can be added to the store now and installed via winget. There’s static analysis and they run the installer, but if it does something stupid after the install they can’t automatically detect it.


And it was unsafe for a few years prior to this event too, with the introduction of Desktop Bridge apps (packaged Win32 hybrid apps running with full trust).


Don’t the win32 apps restrict the calls in that subsystem that one can access?

I recall looking into this a while back with the intention of leveraging it for an ancient win32/mfc app. I don’t remember the specifics, but I seem to recall that MS restricted or prevented access to a rather substantial subset of win32.


Not anymore. Microsoft gave up on trying to sandbox Windows Store installs for Win32 apps.


That's good to know. It was still locked down when I looked into it last time.


Issues like this have been repeated countless times in various IDEs, debugger interfaces and local services using the browser as a UI. Developers need to stop using network sockets as IPC channels for local services unless browsers significantly increase the restrictions on cross-site requests. Similar situation with regular CSRF attacks. And it needs to be opt-out, not opt-in. As long as it's the responsibility of the developer to implement proper authentication checks for something they consider a local service, vulnerabilities like this will keep appearing.


> Browsers need to stop connecting to anything other than what's typed into the navigation bar.

Yes, indeed!


A web browser that doesn’t support links isn’t much of a web browser


... Or images? I suppose one might enforce a draconian same-origin policy.. But that would no longer be "the web" I think.


Explicitly clicking on a link is almost like typing it in the url bar, so that can be an exception


oh how i would love this future.


At this point in time, I give it 10 min before we get a magic_proxy nginx module, then your script src will be /magic_proxy/www.evilthirdparty.com/slow_multi_megabyte_script.js

You can still import all nasty third parties required by marketing department, bypassing first party protections and leading to even worse security. Or maybe maintain allow lists, basically that's a Content Security Policy.

The future is now, old man.


This is already here, but made with a subdomain that CNAMEs to a tracker domain:

https://arxiv.org/abs/2102.09301


Sure, but as another person stated, servers deal with that, and all legal implications about data protection apply to them; it's harder to weasel out of it that way.


At least then the server has to deal with the security implications of talking directly to the advertiser, instead of pushing the risk wholly to the client.


In the end the script is running on the client, dealing with user data, not server data. The client is still taking the risk.

On moral/legal issues, integrating a script from a third- or first-party hostname sounds like a technical detail. If you select a partner to run their code on your pages, you should be responsible for checking user consent when applicable and taking responsibility. British Airways has been fined £20m even though that script was not on their servers.


Unfortunately, the companies that control today's web have a different view, and they are the ones in charge.


In this case the application used websockets, which is supported by browsers natively - but another thing to keep in mind is that any website can send somewhat controlled HTTP requests (not subject to CORS/preflight) to just about anything, regardless of if that's an HTTP server or not. If the receiving side is permissive enough, things might happen. Possibly unwanted things.


What if browsers learned to connect to Unix sockets? And windows named pipes? And users could control these endpoints by the usual filesystem permissions?

One can dream.


Isn't this more or less the idea behind plan 9?


You don't even need Windows named pipes. Windows has supported AF_UNIX since 10.


More scope creep?

Browsers are already way too big.


> And it needs to be opt out not opt in

In this case it's an extension that's not installed by default.


I am talking about the default behavior of browsers and of the network libraries used to implement services listening to network requests.

Not whether installing an extension whose purpose is interacting between a locally running IDE and a locally running VM can be considered opting in to it interacting with the network in any way.


The problem isn’t using one tech or another, but the fact that malicious extensions can be installed and we cannot detect it.


Also, using browser as UI should not mean downloading JS ever.


> Does it fix the issues? Yes.

> Do I think there are other security issues here and we can bypass this? Also, yes.

> Do I want to spend more time doing free work for a company with a 2.5 TRILLION market cap? Hell, no.

Troubling.


Not really all that troubling, all the author is saying is that he wants to get paid for his work.

Either Microsoft or other future vendors can actually honor an established bug bounty program, or the author can sell his findings to the highest bidder. Or the author can simply not spend time and energy finding bugs in the first place.


Don't miss the middle statement; the author thinks there are further attacks here, even with the fix. Others can also find and then choose to report/sell at their own discretion.


Highest bidder is unethical and illegal.

But does not change the monetary reality


Pass a law that requires companies to pay black market value for bug bounties. It’s also unethical for big corporations to exploit the US oligarchy to get these fixes for free.


There’s no exploitation going on.


How is it illegal?


Could someone with insight give an estimate for how much you could sell an exploit like this, which lets you RCE a fair bunch of developer machines?

It feels that paired with a good blog (ironically about WSL) this could be very profitable, compared to the $0 MS awarded them.


Just say "supply chain attacks" and the price can reach millions.


I just asked around, I immediately had someone who I've sold exploits to tell me I could field 45k for a bug like this. There's a lot of conditions to selling exploits -- the biggest being that you don't get to blog about what you sell. But it is real money.


Your feeling is correct, although as other comments have mentioned it depends greatly on how you market it and to whom. Probably well above $5-10k though.

Bug bounty is good in some respects, but the people who profit the most from it are the companies and platforms. IMO it feels dirty to exploit people’s good intentions and ethics (reporting vs selling) for profits, but that’s corporations for you.


Fortunately, demand for such bugs is pretty low ^, so, $1~2k I guess.

^ this is both a good and a sad indicator, it means the bar of post-exploitation for such a bug (on developers' boxes) is "sufficiently high" that your favorite ransomware gangs are not eager to get on. OTOH it means they have way more "easier" enterprise-y targets...


The "Your editor has DRM" section alone [0] is enough for me to continue to advocate for a better user-friendly FOSS IDE, in addition to the wonderful giants of emacs & vim, and to avoid the VS Code "kool aid".

[0] https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-cod...


Emacs' TRAMP is remote-access like VSCode server - except in addition to being completely open-source, it also doesn't require that you install anything on the server, which ranges from being annoying to a show-stopper in corporate environments.

However...I love Emacs, but as much as I hate to admit it, VSCode's out-of-the-box experience is significantly better than even starter kits like Doom and Spacemacs ):

VSCode is far more "user-friendly" than Emacs or Vim at this point in time. That's definitely something that can be changed, but let's not delude ourselves...


VSCodium is a FOSS build of the MIT VSCode repo, with an alternate FOSS compliant extension source. Note that some fancy extensions are missing, but otherwise works 100%. I have been using VSCodium as my main IDE for about a year now.

https://vscodium.com/


One of those extensions is the one that implements C# debugging, so for C# debugging, VSCodium is a fancy editor, not an IDE.


Tried this today. Cannot use with Remote-WSL extension & others.


Yep, the WSL extensions are closed source and hard locked to the proprietary Microsoft build of VSCode.


VS Code is MIT Licensed - https://github.com/Microsoft/vscode

Arguably the MIT license gives you more Freedom than the GPL'd Linux kernel or GNU utilities. Trying to draw a distinction between "evil user-unfriendly Microsoft stuff" and "Holy Saviour FOSS" is not meaningful anymore.


Some parts of VSCode are MIT Licensed - not all of it, and in particular, parts of the standard VSCode that almost everybody downloads are straight-up proprietary, per the article[1].

[1] https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-cod...


> "Some parts of VSCode are MIT Licensed - not all of it"

The source code, the editor are. This is like Oracle releasing a proprietary plugin for EMACS and distributing it on Oracle Linux, and someone saying "this is bad, we need FOSS editors!". That wouldn't make EMACS not-FOSS.

(Is it trolling of me to point out that of course the thing people actually want is not the FOSS bit? There are dozens of editors, people want features not ideology)


Kudos to the author for a fantastic write up. The structure made reading it a really pleasant learning experience - a solid table of contents, an up-front summary, and a sensible list of prerequisites and instructions for following along.


Microsoft has the best bounty hunter program: go fuck yourself.

If you find a way to take over MS accounts, or force email swaps, or even gamertag shenanigans, there is too much money to be made, there is not even a point for a bug bounty.

It's like a $40 reward for returning a purse filled with $250k.

I agree with OP: no more free bugs.


It's not just Microsoft. What most bug bounties pay isn't even close to the amount you can get from selling it on the black market (assuming you have the right connections). It's why selling exploits to nation states and vendors who work with them is so lucrative.


I do agree that bug bounties are too small, but isn't selling bugs on the black market illegal?

I would much rather get $40 for a bug and some public acknowledgement (which I could use to get a better paying job) than sell it for criminal use.


Assuming you live in a place where you can get a high paying job and/or leave the country to get one.

Taking a US centric view on this is a great way to ensure nation states have compromised your security.


So if you take a non-US centric view and assume there's no legal repercussions and the person finding the bug has no moral compass, what exactly would prevent them from sharing the bug with a nation state and you at the same time? Sure they may get slightly less from the nation state because the bug would have a shorter shelf life, but it would still make it into the wild long before every system could be patched.

Paying more money isn't going to make someone do the right thing.


The legal/ethical question is important, but I was just stressing OP's point about the disparity between bug bounties and what the actual exploits are worth. IANAL, but for the specific cases I mentioned (nation states and vendors who work with them), I think the legal aspect would be very different from selling it to regular black market cybercriminals (I used the generic "black market" in the first part of the original comment but I was mostly talking about those two cases).


How about selling legally to a state actor for 100k ?

Bug bounties need to be higher, because the black market is not the only alternative.


> but isn't selling bugs on the black market illegal?

Noob question: is there any specific law that punishes describing how to get into a software/electronic system but not actually doing it? Something that is just not purely US-centric.


Here is UK specific answer, and as they point out, if you sell to some one knowing they are going to commit a crime with it, you can be considered an accomplice in many jurisdictions.

https://law.stackexchange.com/questions/11552/is-it-illegal-...


Sounds like a market opportunity for middlemen in other jurisdictions.


Or, sell it on the black market, and use that connection to get a better job on the black market. Reputation is just as important for criminals, and crime pays better (until you get caught).


Bitcoin solves this!


It's probably illegal in many jurisdictions, no? Not to mention unethical. You are not just harming Microsoft here in this instance, but potentially millions of people.


If we’re looking at ethics, what’s the morality of Microsoft not paying market rate for exploits.


Bug bounties probably act as a price discovery mechanism on the part of bug finders. They should also have a negative price premium due to decreased risk.


How does the black market price compare to the 'nation state' price?


x = y. Where do you think nation states purchase their tools?


Make bug bounties pay $250k and people will have their friend inside add some bugs for the outsider to find, and share the payday.

Pay-per-bug-found incentivises plenty of counterproductive things as well, especially if we're talking about people who happily sell to anyone on the black market.


You can do that today with blackmarket exploits, so why do you think actual bug bounties will cause this problem?


Because then you'll be able to do it without needing any black market connections or transactions, which will make it easier, more of it happens above board, there's less to trace or indicate any problem so it's less discoverable, the payment is from a trusted source.

Why would making it easier make it happen less often?


Not making websockets follow the same-origin policy was a mistake.


I suppose that case can be made, but in this case the direct cause of the vulnerability is the WebSocket server not checking the HTTP Origin header, in direct violation of the standard (RFC 6455), which spells out that doing so is a MUST. I could maybe understand whitelisting localhost and file URLs, but giving carte blanche -on every single interface no less- is just absurdly negligent.


This websocket was also listening on external interfaces so a non-browser client could have sent whatever headers it wanted.


In fairness, couldn't the same things still be accomplished with cross-origin POST/GET requests? Not that there isn't some regretability to not making those strictly same-origin as well.


I've only been using VSC for about 6 months. During my first week of use, I noted how insecurely all the plugins and their communications with the main application were set up. Dismayed, I moved the workstation to an airgapped portion of my environment, and the piece of shit would not work without a net connection. So I use VCE inside a VM now. My career includes working for security companies with sensitive information and documents... VSC needs some serious redesigning with multiple experienced security engineers on the team.


Why not just use some other editor?


I've been trying several editors, but VSC has the best integrated debugging, after Visual Studio itself - I use the free Visual Studio Community version. I'm primarily a C++ developer, but over the last 6 month have been doing a deep dive on machine learning with Python, and that is why I even bothered with VSC. The available guidance on setting up a Python development environment in VSC is abundant, while the same in Visual Studio IDE is significantly less, with scant troubleshooting support. I tried Visual Studio IDE for my Python work at first, but switched to VSC after issues.


Sounds like he has. VCE, Visual Studio Enterprise


Visual Ctudio Enterprise?


If I'm reading this right, it assumes the machine's IP is publicly accessible over the internet; which I'm guessing -even with IPv6- is not the case in 99.999% of cases; who just exposes their development machine directly to the internet with a public IP?

Still bad, but not quite as bad as owning from the browser via localhost GET.


No, JavaScript running in your browser can connect to it. No remote access required. Of course, if you do allow remote access it is even worse.


Wait, the browser allows random http connections to localhost from JS fetched from any domain??

Edit: after reading tfa, it appears: no it can't, but it may due to browser security vulnerabilities.


It does, if the server accepts the connection there is nothing preventing it.

This is frequently used by apps which are installed on your machine but are accessed by links, such as zoom and discord. I think Zoom removed its server after receiving pressure[0] about it, but discord still does it: Head to https://discord.com/invite/test and it should open your local discord client, or checking the network requests will reveal up to 10 attempted local ports.

[0] https://www.zdnet.com/article/zoom-defends-use-of-local-web-...


Do browsers block access to 192.168/16 or 10/8 etc?


This guess would be incorrect both in the percentage, and in the assumption that this would be required for exploitability.


A bug like this shows that there are probably no security reviews done at all in the VS Code team. This would be flagged right away in a threat model review. Quite worrying.

Also, strange that this doesn't get a bug bounty payout - it's very severe.


What is the best alternative for TypeScript development? My favorite light-weight editor is Kakoune, but it really doesn't have enough plugins for the kind of work I do.


Sublime Text 4 with LSP-TypeScript is really nice. The official package that Microsoft ships with the TypeScript Language Server tends to stop working after a while... I'm not sure why but that's that.


Webstorm is quite good. Better than VsCode, in my opinion. I use PyCharm while working on a Django/React monolith and I would say even that is better for TS than VsCode.


Probably one of the JetBrains products, e.g. WebStorm or IDEA.


> Your editor has DRM

Lovely


I don't get the video https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-cod... He goes to the hacker website and then calculator opens?


A common way to demonstrate an RCE exploit is to make the payload launch calc.exe, implying that you can run arbitrary executables. It's a bit of a meme.


I'd have taken a trip down to Buenos Aires and sold it.


While most of me likes the idea of being paid good money for my efforts, or even for doing nothing if I can get away with it, a rather pesky part of me (a nagging entity that calls itself “a conscience”) would take all the fun out of doing it by enabling harm to others (via selling information on possible exploits, for instance).

The other blockers of course being that I have neither the skills nor the time to find such flaws in the first place!

It is true that there are people out there who do have the skills, and the time, and would be fine with selling their results to third parties, so maintainers (particularly those publishing widely used projects), would do well to treat people who practise safe disclosure with sufficient inducement to keep doing so.


meh, if you don't do it someone else will.


I prefer to judge others by standards I keep myself, rather than slipping mine towards the lowest common denominator. Both because it is morally right IMO and, I must admit, because I like feeling a little superior.


It is generally held that "Defect" is not the optimal strategy in the Prisoner's dilemma, and that seems to be what you're arguing for here, or something analogous to it.

Follow the golden rule.


Only if everyone takes that attitude.


Individual Humanism will return.

It's long overdue.


I am not 100% sure, but wouldn't that be a crime under the laws of many countries? If someone left their car unlocked with keys next to your house. Will you also steal it and sell it to somebody?


The crime here would be more along the lines of selling the information that you leave your car unlocked with the keys next to your house.


Is this specific to WSL or does it work with other Remote types (SSH)?

