VSCode Remote Code Execution advisory

by

Author: Ammar Askar
Published: May 30, 2023
Source: http://blog.ammaraskar.com/vscode-rce/

Summary

Security researcher Ammar Askar disclosed a remote code execution vulnerability in Visual Studio Code that could be triggered simply by opening an untrusted folder. The flaw stemmed from an undocumented core setting, _workbench.experimentsUrl, which was never registered as a “restricted” configuration. Because of this oversight, a malicious workspace could redirect VSCode’s experimentation framework to an attacker-controlled server, deliver a spoofed in-editor prompt, and ultimately execute arbitrary commands — including silently installing a malicious extension with full Node.js API access. The same primitive applied to the web-based editors GitHub.dev and VSCode.dev, where it escalated into theft of repository-scoped OAuth tokens.

Technical Details

VSCode’s Workspace Trust model is designed to prevent untrusted folders from changing security-sensitive settings. Workspace-level settings live in .vscode/settings.json, and settings that should not be honored from untrusted workspaces must be explicitly marked. For extension-contributed settings this is done via a restrictedConfigurations declaration with 'restricted': true. The problem was that _workbench.experimentsUrl — a built-in core setting that controls where VSCode fetches its experiments configuration — was undocumented and never registered with the restricted flag, so an untrusted workspace was permitted to override it.

VSCode’s experiment service (experimentService.ts) reads the URL via configurationService.getValue<string>('_workbench.experimentsUrl') and pulls down a JSON document describing experiments. Experiments can define action2-style prompts that render markdown inside the editor with VSCode’s own trusted look and feel, and crucially they support a codeCommand field that invokes VSCode commands. By pointing the experiments URL at an attacker-hosted JSON file, an attacker could surface an official-looking prompt and wire its action to a command of their choosing.

The full chain was: (1) the attacker ships a .vscode/settings.json that overrides _workbench.experimentsUrl; (2) that URL serves a crafted experiments document containing a prompt with a codeCommand; (3) the victim opens the folder; (4) VSCode fetches and renders the malicious prompt with trusted styling; (5) user interaction triggers the command, which installs an attacker-controlled extension; (6) the extension runs with Node.js API access, yielding arbitrary code execution.

Impact

Exploitation gave an attacker remote code execution on a developer’s machine through nothing more than opening a repository — a common and low-friction action. On the browser-based variants GitHub.dev and VSCode.dev, the same flaw was more damaging: it could be used to exfiltrate the user’s repo-scoped OAuth token, enabling unauthorized access to, and modification of, the victim’s repositories and further credential theft. Microsoft rated the issue “Moderate” severity with a “Spoofing” security impact classification, an assessment the researcher disputed given the code-execution outcome. Microsoft’s MSRC also marked the report ineligible for a bug bounty, citing that only “important or critical” severity issues qualify.

Mitigation

Microsoft fixed the issue in VSCode commit 800142c7dd47b5cf6047ef2c8f4c8440c6e244f6 (May 24, 2023), which registers the _workbench.experimentsUrl setting properly so that it is no longer honored from untrusted workspaces. Users should ensure they are running a patched build of VSCode and continue to rely on Workspace Trust by opening unfamiliar repositories in Restricted Mode. Experiments can also be disabled entirely via VSCode settings for users who wish to reduce this class of exposure.

References

Leave a Comment