• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Microsoft VSCode Python扩展-代码执行漏洞


This Wind

Recommended Posts

发布内容作者:Doyensec                                          漏洞危害等级:critlow_4.gif〔严重〕

 

# VSCode Python Extension Code Execution<font></font>
<font></font>
This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code](https://code.visualstudio.com/) Python extension.<font></font>
<font></font>
>TL;DR: VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository.<font></font>
<font></font>
You can read more about this vulnerability on our blog: [https://blog.doyensec.com/2020/03/16/vscode_codeexec.html](https://blog.doyensec.com/2020/03/16/vscode_codeexec.html).<font></font>
<font></font>
## HowTo<font></font>
<font></font>
- Clone the 'malicious' repository with `git clone https://github.com/doyensec/VSCode_PoC_Oct2019.git`<font></font>
- Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC is executing *Calculator.app*<font></font>
- Open `test.py` in VScode<font></font>
<font></font>
<font></font>
Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48231.zip<font></font>
<font></font>
#  [2020-03-20]  #

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now