2025-01-16 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article explains in detail how a security researcher was able to push to Microsoft's official Visual Studio Code GitHub repository. The editor shares it as a reference, in the hope that you will have a clear understanding of the relevant issues after reading it.
Overview
Just this month, a security researcher disclosed how he gained push access to Microsoft Visual Studio Code's official GitHub repository.
The issue-management automation for Visual Studio Code contained a security flaw: a command used in its CI scripts lacked any authentication check, which would have allowed researchers and attackers alike to obtain push access and write to the code base.
Because the researcher responsibly reported the details to the Microsoft development team, he also received a bug bounty of an undisclosed amount.
An insecure regular expression, no authentication, and code injection in a CI script
Security researcher RyotaK discovered, by chance while riding on a train, a vulnerability in Microsoft Visual Studio Code's continuous integration (CI) scripts that allowed him to gain push access to the official GitHub repository and commit files to it.
"I was so bored on the train that I was going to read the source code of Microsoft Visual Studio Code," RyotaK said in an interview with BleepingComputer. "After a while, I found that VS Code had a separate repository of scripts for CI called vscode-github-triage-actions."
Soon, the researcher found a very interesting line in one of those scripts, one that could be used for command injection:
exec(`git -C ./repo merge-base --is-ancestor ${commit} ${release}`, (err) => {
RyotaK added: "Of course, this is a command injection vulnerability, but exploiting it requires us to gain control of the 'commit' variable or the 'release' variable."
RyotaK quickly realized that an attacker was likely able to control the commit variable, for two reasons:
1. The closedWith command had no effective authentication mechanism.
2. The regular expression used to parse the closedWith command (given in a closing comment on an issue) was insecure.
The closedWith command is meant to associate a commit hash with an issue before the issue is closed.
However, the closing comment was validated with an insecure regular expression, and the CI script performed no authentication, so any user could associate a "commit" with an issue and inject arbitrary content into the closedWith value. The regular expression is as follows:
const closingHashComment = /(?:\\|\/)closedWith (\S*)/
Because the vulnerable Visual Studio Code CI workflow runs once a day, the researcher could plant the PoC exploit code in advance and let it execute at midnight, avoiding any dangerous mistakes during the night.
To that end, the researcher browsed the project's GitHub Actions workflow files to learn how its continuous integration and continuous delivery (CI/CD) workflows operate.
"Fortunately, GitHub Actions workflow files are published on GitHub, so I could still learn something about the GitHub Actions setup," the researcher told BleepingComputer. "Because actions/checkout is executed before the vulnerable workflow file is used, we were able to obtain a GitHub token with write access to the code base, which we would use later."
By injecting the PoC exploit code into Visual Studio Code's CI script, which runs around midnight, the researcher obtained a reverse shell.
In addition, the researcher obtained the GitHub authorization token for the Visual Studio Code code base, which granted write access to the repository.
Finally, after obtaining the token, the researcher pushed a PoC commit to the code base.
The researcher notes that although the main branch of the repository has branch protection that GitHub Actions tokens cannot bypass, the token could still be used to push files to the release branches.
It is worth noting that RyotaK not only submitted the vulnerability through Microsoft's bug bounty program but also carried out the PoC attack in accordance with Microsoft's "Safe Harbor" guidelines.
RyotaK wrote in his report: "Microsoft allows vulnerabilities to be diagnosed and debugged under 'Safe Harbor'."
The security flaws in this code base could have been used for software supply chain attacks.
A vulnerability of this kind allows attackers to compromise otherwise secure software repositories, laying the groundwork for more complex supply chain attacks.
The SolarWinds supply chain attack has undoubtedly made headlines in the security world. In a targeted supply chain attack, compromising a source code editor or IDE can have devastating consequences for its users, for developers, and for the customers who receive applications built with the compromised IDE.
That concludes this account of how the Microsoft VS Code GitHub repository was breached. I hope the above content has been of some help and that you have learned something from it. If you found the article useful, please share it so that more people can read it.