(Note: this manual is valid for DSNS lab's members only.)
This is a remote code execution (RCE) vulnerability that resided in a Visual Studio Code (VS Code) extension called npm, developed by Microsoft to support running the npm scripts defined in a project's `package.json` file.
To exploit this vulnerability, the attacker uploads a malicious script hidden among the files of a public GitHub repository, together with a minor adjustment to the configuration used by the npm extension. If someone downloads this repository and opens it in a VS Code environment with the specified extension installed, the malicious script is executed as soon as they view the `package.json` file. In my scenario, the malicious script is a batch file called `calc.bat`, which runs a `deployagent.ps1` program that then establishes DNS tunneling to DSNS lab's Caldera server at http://192.168.1.29:8888.
Since this CVE was found in 2021 and the Microsoft team fixed it in later versions, we need a way to download an older version ([v0.3.13](https://eg2.gallery.vsassets.io/_apis/public/gallery/publisher/eg2/extension/vscode-npm-script/0.3.13/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage)) of the npm extension. For convenience, I have included it on GitHub, along with a script for installing VS Code on Windows.
- On a Windows system (e.g. APT3 in DSNS lab), run the following command to get this repository:

  `git clone https://github.com/jason-ntu/CVE-2021-26700.git`

  (You can also download and extract the repository through the GUI.) The following steps are assumed to be executed inside the repository (i.e. the cloned `CVE-2021-26700` directory).

- To install VS Code on Windows, run `.\install-vscode.bat`

- Set up the command `code` as a shortcut to open VS Code by adding the following configuration into the `settings.json` of VS Code.

- To install the required version of the npm extension, run `.\install-extension.bat`

- To exploit the CVE, open the repository in VS Code and view the `package.json` file. After a few seconds, a DNS connection between Caldera at http://192.168.1.29:8888 and the victim should have been established. The RCE is done!
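From the defender's side, the first check is whether a machine still has the affected npm extension version installed. The script below is an added example, not part of this repository: it parses the output of `code --list-extensions --show-versions` (the real VS Code CLI, printing one `publisher.name@version` per line) and flags `eg2.vscode-npm-script` at 0.3.13 or older. Treating 0.3.13 and anything older as affected is an assumption based on this page's statement that later versions are fixed.

```python
import re
import subprocess
from typing import Iterable, List, Tuple

# Marketplace identifier (publisher.name) of the npm extension discussed on this page.
NPM_EXTENSION_ID = "eg2.vscode-npm-script"
# Assumption: the version this repo installs (0.3.13) and anything older is affected.
LAST_AFFECTED_VERSION = (0, 3, 13)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '0.3.13' into (0, 3, 13) for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def find_affected(listing: Iterable[str]) -> List[str]:
    """Return the lines of a `code --list-extensions --show-versions` listing
    that name the npm extension at an affected version."""
    affected = []
    for line in listing:
        line = line.strip()
        if "@" not in line:
            continue  # not in publisher.name@version form
        ext_id, _, version = line.rpartition("@")
        if ext_id.lower() != NPM_EXTENSION_ID:
            continue
        if parse_version(version) <= LAST_AFFECTED_VERSION:
            affected.append(line)
    return affected


def check_installed() -> List[str]:
    """Query the real VS Code CLI on this machine (requires `code` on PATH;
    shell=True so the code.cmd shim is found on Windows)."""
    out = subprocess.run("code --list-extensions --show-versions",
                         shell=True, capture_output=True, text=True, check=True).stdout
    return find_affected(out.splitlines())


# Constructed sample listing, not captured from a real machine.
SAMPLE_LISTING = [
    "ms-python.python@2021.5.829140558",
    "eg2.vscode-npm-script@0.3.13",
    "dbaeumer.vscode-eslint@2.1.20",
]

if __name__ == "__main__":
    for entry in find_affected(SAMPLE_LISTING):
        print("affected extension:", entry)
```

Replace `SAMPLE_LISTING` with `check_installed()` to run it against the local VS Code install; an empty result means no affected version is present.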
Reference: jackadamson's GitHub