Full Report
Visual Studio Code is a text editor from Microsoft with a large plugin ecosystem, and the authors decided to audit its Git integration. VS Code registers two URI handlers, known as deep links: vscode:// and vscode-insiders://. An extension opts in by implementing a simple handleUri() interface. A vulnerability in such a handler is a major security issue because it is reachable with a single click on a link.

In one implementation, the URL supplied for a clone was passed straight through as the repository argument of the git clone command the extension executes. If that URL starts with a dash, Git parses it as an option rather than as the positional repository argument. Neat! Command injection is trivial to exploit; argument injection, by contrast, depends on what the target tool's options can do. Here the attacker controls two inputs but cannot use spaces, because a URL containing one is URL encoded before it reaches Git.

The authors chose the --upload-pack flag. Normally git-upload-pack is the program Git runs on the remote side to work out which objects the client is missing and send them packed; the flag tells Git which program to run for that role, and for local and SSH transports Git starts it through a shell, so it can be turned into running an arbitrary command. As the URL, the attacker supplies -u$({open,-a,calculator}): -u is the short form of --upload-pack, and Bash brace expansion turns {open,-a,calculator} into open -a calculator without a literal space. The final trick is appending :x to the URL, which keeps Git on its PROTO_LOCAL transport, the code path that honours the upload-pack command above. The post gives little more detail on this requirement. Overall, an interesting post on URI handling and argument injection.
Analysis Summary
# Vulnerability: Argument Injection via Visual Studio Code Git Deep Link Handler
## CVE Details
- CVE ID: CVE-2022-30129
- CVSS Score: Not explicitly provided in the text, implied high severity due to RCE.
- CWE: CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection') is the closer fit, since what is injected is an option to `git` rather than a shell command; CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection') is the broader category.
## Affected Systems
- Products: Visual Studio Code (VS Code)
- Versions: Prior to 1.67.1
- Configurations: Systems where VS Code Git plugin deep link handling is active and a user clicks a malicious link. Note: Workspace Trust feature did not fully mitigate this issue if the last focused window was trusted.
## Vulnerability Description
The vulnerability resides in the Git extension's URI handler (`vscode://.../extensions/git`). When handling a `vscode://` deep link that requests a clone, the repository URL taken from the URI was passed, without sanitization, straight into the `git clone` command the extension executes. A URL beginning with a dash is therefore parsed by Git as an option rather than as the repository, which turns the untrusted input into an argument injection. The attacker picks a Git option whose value is executed, `--upload-pack` (short form `-u`), and supplies a URL of `-u$({open,-a,calculator}):x`: the brace expansion yields `open -a calculator` without a literal space (spaces were unusable because a URL containing one is URL encoded), and the trailing `:x` keeps Git on its `PROTO_LOCAL` transport, where the upload-pack command is honoured. The result is arbitrary command execution, demonstrated by launching the Calculator application on macOS.
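The handler shape described in the Full Report above and in this description, as an added example in TypeScript (the language VS Code itself is written in). This is not the extension's code or Sonar's, and it never spawns git: it models how the `url` query parameter of a deep link became `git clone` argv, shows that the write-up's payload lands where Git parses options, and contrasts a hardened builder that rejects option-like input and ends option parsing with `--`. The deep-link host `example.git`, the folder-name derivation and the toy option parser are assumptions made for the example.

```typescript
// Added example, not VS Code's or Sonar's code. Nothing here spawns git; the
// functions only build the argv an extension would hand to child_process.spawn.

// Payload from the write-up (constructed input): -u is the short form of
// --upload-pack, {open,-a,calculator} brace-expands to `open -a calculator`
// with no literal space, and the trailing :x keeps Git on its local transport.
const PAYLOAD = "-u$({open,-a,calculator}):x";

// Hypothetical deep link; the real handler path is elided in the write-up.
const DEEP_LINK = `vscode://example.git/clone?url=${encodeURIComponent(PAYLOAD)}`;

/** Extract the `url` query parameter from a vscode:// deep link. */
function urlFromDeepLink(link: string): string | undefined {
  return new URL(link).searchParams.get("url") ?? undefined;
}

/** Destination folder derived from the URL: last path segment with .git stripped (assumed simplification). */
function folderNameFor(url: string): string {
  return url.replace(/\/+$/, "").replace(/^.*[\/\\]/, "").replace(/\.git$/, "") || "repository";
}

/**
 * Vulnerable shape: the untrusted URL is the first argument after `clone`, so a
 * leading dash makes git read it as an option. The derived destination path then
 * becomes the only positional argument git sees.
 */
function cloneArgsVulnerable(url: string, parentDir: string): string[] {
  return ["clone", url, `${parentDir}/${folderNameFor(url)}`, "--progress"];
}

/** True when git would read the argument as an option rather than a repository. */
function looksLikeOption(arg: string): boolean {
  return arg.startsWith("-");
}

/** Hardened shape: refuse option-like input, and put `--` before every untrusted argument so git stops option parsing. */
function cloneArgsHardened(url: string, parentDir: string): string[] {
  if (looksLikeOption(url)) {
    throw new Error(`refusing option-like repository argument: ${url}`);
  }
  return ["clone", "--progress", "--", url, `${parentDir}/${folderNameFor(url)}`];
}

/**
 * Toy model of git's option parsing for the one option the write-up uses:
 * returns the upload-pack program an argv would inject, or undefined.
 * Covers --upload-pack=VAL and -uVAL, and stops at `--` as git does.
 */
function injectedUploadPack(argv: string[]): string | undefined {
  for (const a of argv.slice(1)) { // argv[0] is "clone"
    if (a === "--") break;
    const long = /^--upload-pack=(.*)$/.exec(a);
    if (long) return long[1];
    const short = /^-u(.+)$/.exec(a);
    if (short) return short[1];
  }
  return undefined;
}

/** Walk the deep link through both builders; returns the value the vulnerable argv would hand to git as upload-pack. */
function demo(): string | undefined {
  const url = urlFromDeepLink(DEEP_LINK) ?? "";
  const vulnerable = cloneArgsVulnerable(url, "/home/dev");
  const injected = injectedUploadPack(vulnerable);
  console.log("vulnerable argv:", vulnerable);
  console.log("git would run as upload-pack:", injected);
  try {
    cloneArgsHardened(url, "/home/dev");
  } catch (e) {
    console.log("hardened builder:", (e as Error).message);
  }
  console.log("hardened argv for a normal URL:", cloneArgsHardened("https://example.com/org/repo.git", "/home/dev"));
  return injected;
}

demo();
```

The `--` separator is the part that matters even if the explicit check were missing: with it in place the payload is a (nonexistent) repository name and nothing more, which is why builders that wrap CLIs should always terminate option parsing before the first untrusted argument.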
## Exploitation
- Status: PoC available (A successful demonstration launching the Calculator application on macOS was mentioned).
- Complexity: Low (One-click requirement via a malicious link).
- Attack Vector: Network (the victim must click a crafted `vscode://` link, so user interaction is required).
## Impact
- Confidentiality: High (Arbitrary command execution allows for data exfiltration or inspection).
- Integrity: High (Arbitrary command execution allows for modification of files or system state).
- Availability: High (Arbitrary command execution can lead to system denial of service or resource exhaustion).
## Remediation
### Patches
- Patched and released as part of **Visual Studio Code version 1.67.1 and higher**.
### Workarounds
- No specific workarounds were mentioned, as the patch was released relatively quickly. Minimally, discouraging users from clicking untrusted `vscode://` links would serve as a temporary measure.
## Detection
- Indicators of Compromise: `git` processes spawned by VS Code (or its helper processes) whose command line carries an upload-pack override (`-u`, `--upload-pack`), especially with a value containing shell syntax such as `$(`, followed by unexpected child processes of that `git` process.
- Detection methods and tools: process-creation telemetry (EDR, auditd, Sysmon) filtered to `git clone` invocations from the VS Code process tree, alerting on upload-pack overrides or on a repository argument that begins with a dash.
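A detection pass matching the methods above, as an added example in TypeScript (not from the write-up, Sonar, or any vendor tooling), run over constructed process-creation events. The JSON event shape with `parent`, `image` and `cmdline` fields is an assumption; map it to your own telemetry. It flags `git clone` invocations that override upload-pack, raising severity when the value carries shell syntax and when an IDE process spawned the clone, and goes slightly beyond the page by also accepting the `--upload-pack VAL` and `-u VAL` spellings.

```typescript
// Added example, not from the write-up. Constructed process-creation events,
// not real telemetry; the field names are an assumption for this example.
interface ProcEvent { parent: string; image: string; cmdline: string; }
interface Finding { severity: "high" | "medium"; reason: string; cmdline: string; }

const SAMPLE_EVENTS: string[] = [
  '{"parent":"Code Helper (Renderer)","image":"git","cmdline":"git clone https://example.com/org/repo.git /home/dev/repo --progress"}',
  '{"parent":"Code Helper (Renderer)","image":"git","cmdline":"git clone -u$({open,-a,calculator}):x /home/dev/-u$({open,-a,calculator}):x --progress"}',
  '{"parent":"bash","image":"git","cmdline":"git clone --upload-pack=/opt/git/libexec/git-upload-pack user@host:repo.git"}',
  '{"parent":"bash","image":"git","cmdline":"git clone --upload-pack=$(id>/tmp/pwned) user@host:repo.git"}',
  '{"parent":"Code Helper (Renderer)","image":"git","cmdline":"git fetch origin --progress"}',
  '{"parent":"Code Helper (Renderer)","image":"git","cmdline":"git clone --upload-pack /usr/bin/git-upload-pack https://example.com/org/repo.git /home/dev/repo"}',
];

// Shell syntax that has no business in an upload-pack program path.
const SHELL_META = /[$`;|&<>]/;
// VS Code main and helper processes ("code", "Code Helper", "Code.exe").
const IDE_PARENT = /code/i;

/** Value of an upload-pack override in a `git clone` argv, or undefined. Stops at `--` like git. */
function uploadPackValue(argv: string[]): string | undefined {
  const i = argv.indexOf("clone");
  if (i < 0) return undefined;
  const args = argv.slice(i + 1);
  for (let k = 0; k < args.length; k++) {
    const a = args[k];
    if (a === "--") break;
    const long = /^--upload-pack=(.*)$/.exec(a);
    if (long) return long[1];
    const short = /^-u(.+)$/.exec(a);
    if (short) return short[1];
    if (a === "--upload-pack" || a === "-u") return args[k + 1];
  }
  return undefined;
}

/** Apply the rule to one event. */
function detect(ev: ProcEvent): Finding | undefined {
  if (!/(^|[\\/])git(\.exe)?$/.test(ev.image)) return undefined;
  // Whitespace split is enough here: the injected payload contains no spaces by
  // construction; with real telemetry prefer the argv array over a flat string.
  const argv = ev.cmdline.split(/\s+/);
  const val = uploadPackValue(argv);
  if (val === undefined) return undefined;
  if (SHELL_META.test(val)) {
    return { severity: "high", reason: `shell syntax in upload-pack command: ${val}`, cmdline: ev.cmdline };
  }
  if (IDE_PARENT.test(ev.parent)) {
    return { severity: "medium", reason: "IDE-spawned git clone overrides upload-pack", cmdline: ev.cmdline };
  }
  return undefined; // plain path from a shell: legitimate admin use, not flagged
}

/** Run the rule over JSON lines and collect findings in input order. */
function scan(lines: string[]): Finding[] {
  const out: Finding[] = [];
  for (const line of lines) {
    const f = detect(JSON.parse(line) as ProcEvent);
    if (f) out.push(f);
  }
  return out;
}

for (const f of scan(SAMPLE_EVENTS)) {
  console.log(`[${f.severity}] ${f.reason}\n    ${f.cmdline}`);
}
```

The third sample event is deliberately left unflagged: `--upload-pack` with a plain path from an interactive shell is a supported configuration, and a rule that fires on the option alone will drown in noise on hosts where developers use it.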
## References
- Vendor advisory: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30129
- Research Blog: hxxps://blog.sonarsource.com/securing-developer-tools-git-integrations