VSCode exploit for ipynb integration (CVE-2022-41034) #18998
Conversation
|
Hey @h00die, thanks for the module. Testing worked great on Windows 10, no issues. I was experimenting with getting this working on Linux. I saw lots of the same errors I'm sure you ran into: I noticed on Linux, when you go to open a file, the 'Open File' window doesn't let you paste in a URL like it does on Windows - did you notice this as well? : So if this were to work on Linux you would need to transfer the I got the exploit working on Linux using the above technique but the user experience isn't the greatest, having to transfer two files onto the target. Do you think it'd be worth adding support to exploit Linux targets like that for sake of compatibility? |
Yup! |
Better than nothing. Send me a PR, and I'll see if I can figure out any way around that. |
|
Thanks for the update, will either check it out tomorrow or in 2 weeks. |
(I swear its Jupyter, not Jypiter but its spelled this way 5 times in GHSA-pw56-c55x-cm9m)
VSCode when opening an Jypiter notebook (.ipynb) file bypasses the trust model.
On versions v1.4.0 - v1.71.1, its possible for the Jypiter notebook to embed
HTML and javascript, which can then open new terminal windows within VSCode.
Each of these new windows can then execute arbitrary code at startup.
During testing, the first open of the Jypiter notebook resulted in pop-ups
displaying errors of unable to find the payload exe file. The second attempt
at opening the Jypiter notebook would result in successful exeuction.
Successfully tested against VSCode 1.70.2 on Windows 10.
Verification
use modules/exploits/multi/misc/vscode_ipynb_remote_dev_execset lhost [ip]run