jason-ntu/CVE-2021-26700

CVE-2021-26700

(Note: this manual is valid for DSNS lab's members only.)

Introduction

This is a remote code execution (RCE) vulnerability in the npm extension for Visual Studio Code (VS Code). The extension was developed by Microsoft to support running the npm scripts defined in a project's package.json file.

To exploit this vulnerability, the attacker uploads a malicious script hidden among the files of a public GitHub repository, together with a minor adjustment to the configuration used by the npm extension. If someone clones that repository and opens it in a VS Code environment with the affected extension installed, the malicious script is executed as soon as he or she views the package.json file. In my scenario, the malicious script is a batch file called calc.bat, which executes deployagent.ps1; that program then establishes a DNS tunnel to DSNS lab's Caldera server at http://192.168.1.29:8888.

Prerequisite

Since this CVE was found in 2021 and the Microsoft team fixed it in later versions, we need a way to obtain an older version ([v0.3.13](https://eg2.gallery.vsassets.io/_apis/public/gallery/publisher/eg2/extension/vscode-npm-script/0.3.13/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage)) of the npm extension. For convenience, I have included it in this GitHub repository. Also included is a script to install VS Code on Windows.

Quickstart

  1. On a Windows system (e.g. APT3 in DSNS lab), run the following command to get this repository:

    git clone https://github.com/jason-ntu/CVE-2021-26700.git
    

    (You can also download and extract the repository through the GUI.) The following steps are assumed to be executed inside the repository (i.e. the cloned CVE-2021-26700 directory).

  2. To install VS Code on Windows, run .\install-vscode.bat

  3. Set up the command code as a shortcut for opening VS Code by adding the following configuration to the settings.json of VS Code.

  4. To install the required version of the npm extension, run .\install-extension.bat

  5. To exploit the CVE, open the repository in VS Code and view the package.json file. After a few seconds, a DNS connection from Caldera at http://192.168.1.29:8888 to the victim should have been established. The RCE is done!
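The mechanism above (a committed workspace setting that points the npm extension at a script shipped in the checkout) can be checked for before a cloned repository is opened in VS Code. The following Python script is an added example, not part of this repository or the extension; it scans `.vscode/settings.json` for any string setting in the `npm.*` namespace that resolves to a file inside the workspace, without assuming a particular setting name (the key `npm.EXAMPLE_BIN_SETTING` in the constructed sample is a placeholder, and `calc.bat` / `deployagent.ps1` are the file names used on this page).

```python
import json
import re
import sys
from pathlib import Path


def strip_jsonc_comments(text: str) -> str:
    """VS Code settings are JSONC; drop /* */ and full-line // comments so json.loads accepts them."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def normalize(value: str) -> str:
    """Reduce a Windows- or POSIX-style value to a repo-relative POSIX path ('.\\calc.bat' -> 'calc.bat')."""
    v = value.strip().replace("${workspaceFolder}", ".").replace("\\", "/")
    while v.startswith("./"):
        v = v[2:]
    return v


def find_npm_overrides(settings_text: str, repo_files: set) -> list:
    """Return [(key, value)] for npm.* string settings whose value names a file committed in the repo.
    The key name is deliberately not hard-coded: anything under npm.* pointing into the workspace is flagged."""
    settings = json.loads(strip_jsonc_comments(settings_text))
    return [(k, v) for k, v in settings.items()
            if k.startswith("npm.") and isinstance(v, str) and normalize(v) in repo_files]


def scan_workspace(repo: Path) -> list:
    """Read <repo>/.vscode/settings.json and check it against the files present in the checkout."""
    settings = repo / ".vscode" / "settings.json"
    if not settings.is_file():
        return []
    files = {p.relative_to(repo).as_posix() for p in repo.rglob("*") if p.is_file()}
    return find_npm_overrides(settings.read_text(encoding="utf-8"), files)


def demo() -> list:
    """Constructed sample: a committed settings.json (placeholder key name) pointing at a script in the checkout."""
    sample_settings = '''{
      // constructed example; the real setting name depends on the extension version
      "npm.EXAMPLE_BIN_SETTING": ".\\\\calc.bat",
      "editor.tabSize": 2
    }'''
    sample_files = {"package.json", "calc.bat", "deployagent.ps1", ".vscode/settings.json"}
    return find_npm_overrides(sample_settings, sample_files)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for key, value in scan_workspace(target):
        print(f"WARNING: {key} = {value!r} points at a file inside the workspace")
```

Run it against a freshly cloned directory before opening the folder; an absolute path to a system-installed npm is not reported, only values that resolve to files committed in the checkout.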

Reference: jackadamson's GitHub
