Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Terminal profile elevation of privilege vulnerability #160827

Closed
Tyriar opened this issue Sep 13, 2022 · 3 comments · Fixed by #160845
Closed

Terminal profile elevation of privilege vulnerability #160827

Tyriar opened this issue Sep 13, 2022 · 3 comments · Fixed by #160845
Assignees
@Tyriar
Labels
security terminal-profiles
Milestone
August 2022 Recov...

Comments

@Tyriar
Copy link
Member

Tyriar commented Sep 13, 2022

An elevation of privilege vulnerability exists in VS Code v1.71.0 and earlier versions where on a shared Windows machine, a low-privileged attacker can create a bash.exe executable in a location where terminal profiles are detected. This detected profile is then exposed in the terminal profiles list and can be run easily by the vulnerable user. The paths in question were:

  • C:\Cygwin64\bin\bash.exe
  • C:\Cygwin\bin\bash.exe
  • C:\ProgramData\scoop\apps\git-with-openssh\current\bin\bash.exe

Patches

The fix is available starting with VS Code 1.71.1. The fix (0b356bf) mitigates this attack by removing those paths completely from the terminal profile detection feature.

Workarounds

Avoid running terminal profiles that are not expected to be installed on the machine. An administrator may be able to lock down the folders in question.

References
@Tyriar Tyriar added this to the September Patch Tuesday milestone Sep 13, 2022
@Tyriar Tyriar self-assigned this Sep 13, 2022
@Tyriar
Copy link
Member Author

Tyriar commented Sep 13, 2022

Fixed in 1.71.1

@Tyriar Tyriar closed this as completed Sep 13, 2022
@mjbvz mjbvz modified the milestones: September Patch Tuesday, August 2022 Recovery 1 Sep 13, 2022
@Tyriar Tyriar mentioned this issue Sep 13, 2022
Merged
Tyriar referenced this issue Oct 7, 2022
@mjbvz @Tyriar
Reapply microsoft/vscode-distro#456
ea7afae
Tyriar added a commit to microsoft/vscode-docs that referenced this issue Oct 7, 2022
@Tyriar
Add Cygwin setup to terminal profiles
e98e17a 
Part of microsoft/vscode#160827
@Tyriar
Copy link
Member Author

Tyriar commented Oct 7, 2022

I added docs to the website for how to set up Cygwin manually in microsoft/vscode-docs@e98e17a

@github-actions github-actions bot locked and limited conversation to collaborators Oct 28, 2022
@Tyriar
Copy link
Member Author

Tyriar commented Nov 30, 2022

Tracking adding these "unsafe" profiles back via a confirmation step in #167721

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Tyriar Tyriar

Labels
security terminal-profiles
Projects
None yet
Milestone
August 2022 Recovery 1
Development

Successfully merging a pull request may close this issue.

Fix terminal profiles issue in main microsoft/vscode
2 participants
@Tyriar @mjbvz