CVE-2021-26700 PoC — Visual Studio Code npm-script Extension Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: Visual Studio Code npm-script Extension Remote Code Execution Vulnerability (CVE-2021-26700)
Description: Visual Studio Code npm-script Extension Remote Code Execution Vulnerability
Readme
# **CVE-2021-26700**

(Note: this manual is valid for DSNS lab's members only.)
## **Introduction**
This is a remote code execution (RCE) vulnerability in the npm extension for Visual Studio Code (VS Code). The extension was developed by Microsoft to support running the npm scripts defined in a project's `package.json` file.

To exploit this vulnerability, an attacker could publish a public GitHub repository that hides a malicious script among its files, together with a minor adjustment to the configuration used by the npm extension. If someone downloads this repository and opens it in a VS Code installation that has the affected extension, the malicious script is executed as soon as they view the `package.json` file. In my scenario, the malicious script is a batch file called `calc.bat` that launches a `deployagent.ps1` program, which then establishes a DNS tunnel to the DSNS lab's Caldera server at http://192.168.1.29:8888.

## **Prerequisite**

Since this CVE was found in 2021 and Microsoft fixed it in later versions, we need a way to obtain an older version ([v0.3.13](https://eg2.gallery.vsassets.io/_apis/public/gallery/publisher/eg2/extension/vscode-npm-script/0.3.13/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage)) of the npm extension. For convenience, I have included it in this GitHub repository, along with a script for installing VS Code on Windows.
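Because the affected build has to be installed deliberately, an inventory check is the natural defensive counterpart. The following PowerShell is an added example (not part of the PoC repository): it parses `code --list-extensions --show-versions` output, looks for the extension id taken from the download URL above (`eg2.vscode-npm-script`), and flags copies at or below 0.3.13, the version this page identifies as vulnerable. Newer versions are reported as not flagged only because the page gives no fixed-version number; the sample input is constructed.

```powershell
# Added example, not code from the original PoC repository.
# Flags installed copies of the npm-script extension at or below the version this page
# uses (0.3.13). Assumes the `code` CLI is on PATH and prints one
# "publisher.name@version" entry per line for `--list-extensions --show-versions`.

$VulnerableExtensionId = 'eg2.vscode-npm-script'   # publisher/name from the page's download URL
$LastKnownVulnerable   = [version]'0.3.13'         # the version the page installs

function Get-NpmScriptExtensionStatus {
    param(
        # One "publisher.name@version" string per element
        [Parameter(Mandatory)] [string[]] $ExtensionLines
    )
    foreach ($line in $ExtensionLines) {
        # Split "eg2.vscode-npm-script@0.3.13" into id and version; skip malformed lines
        if ($line -notmatch '^(?<id>[^@\s]+)@(?<ver>\d+(\.\d+)+)\s*$') { continue }
        if ($Matches.id -ne $VulnerableExtensionId) { continue }
        $ver = [version]$Matches.ver
        [pscustomobject]@{
            Id         = $Matches.id
            Version    = $ver
            # Only versions the page identifies as affected are flagged
            Vulnerable = ($ver -le $LastKnownVulnerable)
        }
    }
}

# Constructed sample output standing in for a real inventory run
$sample = @(
    'ms-python.python@2021.2.582707922',
    'eg2.vscode-npm-script@0.3.13',
    'eg2.vscode-npm-script@0.3.5'
)
Get-NpmScriptExtensionStatus -ExtensionLines $sample | Format-Table -AutoSize

# Live check on this machine (requires the `code` CLI):
# Get-NpmScriptExtensionStatus -ExtensionLines (code --list-extensions --show-versions)
```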

## **Quickstart**

1. On a Windows system (e.g. APT3 in the DSNS lab), run the following command to get this repository:
    ```
    git clone https://github.com/jason-ntu/CVE-2021-26700.git
    ```
    (You can also download and extract the repository through the GUI.) The following steps are assumed to be executed inside the repository (i.e. the cloned CVE-2021-26700 directory).

2. To install VS Code on Windows, run `.\install-vscode.bat`.

3. Set up the `code` command as a shortcut for opening VS Code by adding the following configuration to VS Code's `settings.json`.

4. To install the required version of the npm extension, run `.\install-extension.bat`.

5. To exploit the CVE, open the repository in VS Code and view the `package.json` file. After a few seconds, a DNS connection between the victim and the Caldera server at http://192.168.1.29:8888 should have been established. The RCE is done!

Reference: [jackadamson's github](https://github.com/jackadamson/CVE-2021-26700)
File Snapshot

[4.0K] /data/pocs/71b2e25b858c2a5eaa39691934736d6440fd50c1
├── [  82] calc.bat
├── [ 622] deployagent.ps1
├── [  53] install-extension.bat
├── [ 291] install-vscode.bat
├── [165K] npm-extension.vsix
├── [   2] package.json
└── [2.4K] README.md

0 directories, 7 files