Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Remote Command Execution in Visual Studio Code Remote Development Extension - 634

Abdel Adim - shielder. Posted 4 Years Ago
  • The Visual Studio Code Remote Development Extension is used for developing on remote machines from a local one. The command it executes is ssh -T -D $RANDOM_PORT "$REMOTE_HOST" bash, where REMOTE_HOST is controlled by the user.
  • The host field was not sanitized before being passed to the ssh command. As a result, a ProxyCommand option could be injected into the SSH command line to run arbitrary commands on the local machine.
  • This bug can even be triggered through the vscode:// URI! It appears that the vscode URI unescapes all of the '+'s and other encoded characters for us. This allows for arbitrary characters to be sent to the CLI, making this much more exploitable.
  • Putting this all together, the following could be used on a Windows system to execute a command in PowerShell: vscode://vscode-remote/ssh-remote+-oProxyCommand=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c msg %username% command_injection" "a@127.0.0.1+/a
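
The missing host check, as an added example (not code from the extension or from the original write-up): an argv builder that passes the host through untouched, beside one that validates it and ends option parsing with "--". The function names, the allow-list pattern and the sample hosts are assumptions made for illustration; IPv6 literals are deliberately not accepted.

```javascript
// Allow-list: optional "user@", then a hostname or IPv4 address.
// No spaces, quotes, '=' or leading '-' can get through.
const HOST_RE =
  /^(?:[A-Za-z0-9_][A-Za-z0-9._-]*@)?[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/;

// "Before": the host goes straight into argv. A value beginning with
// "-o" is read by ssh as an option, not as a destination.
function buildSshArgsUnsafe(remoteHost, port) {
  return ['-T', '-D', String(port), remoteHost, 'bash'];
}

// "After": reject anything that is not a plain destination, then add
// "--" so ssh treats everything after it as positional arguments.
function buildSshArgs(remoteHost, port) {
  if (typeof remoteHost !== 'string' || remoteHost.length === 0 ||
      remoteHost.length > 255) {
    throw new Error('host must be a non-empty string of sane length');
  }
  if (remoteHost.startsWith('-')) {
    throw new Error('host must not start with "-" (option injection)');
  }
  if (!HOST_RE.test(remoteHost)) {
    throw new Error('host contains characters outside the allow-list');
  }
  return ['-T', '-D', String(port), '--', remoteHost, 'bash'];
}

// Helper for checks and logging: true when the hardened builder refuses.
function isRejected(remoteHost) {
  try { buildSshArgs(remoteHost, 1080); return false; }
  catch (e) { return true; }
}

// Constructed sample inputs (placeholders, not values from the write-up).
const samples = [
  'a@127.0.0.1',                   // ordinary destination
  'dev.example.internal',          // ordinary destination
  '-oProxyCommand=PLACEHOLDER',    // option smuggled in as the host
  'a@127.0.0.1" "extra',           // quote break-out attempt
];
for (const h of samples) {
  console.log(JSON.stringify(h), isRejected(h) ? 'rejected' : 'accepted');
}
```

Spawning ssh with this argv array through an API that does not invoke a shell keeps the quoting problem from reappearing one layer down.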