The tale of CVE-2021-34479 (VSCode XSS)
This April, I finally decided to take some time to study the Electron framework and the security considerations around it. After learning the basics, building a sample application myself, and reading a ton of old CVE write-ups, I decided it was time to assess a real-world project with my recently learned skills.
Visual Studio Code has been my editor of choice for a while now. It's fast, customizable, intuitive, has a massive collection of useful extensions, and is built using the Electron framework. I had to choose a target, so why not choose an app I was already pretty familiar with?
I started my code review by cloning the vscode repository from GitHub and searching for places where the Electron nodeIntegration option was enabled, since a renderer that can reach Node.js APIs turns any XSS into code execution on the host.
In the case of extensionEditor.ts, to perform an XSS attack an attacker would have to publish an extension whose details Markdown contained a script tag with a nonce matching the UUID that vscode generates at render time. Synchronizing such an attack is practically impossible. Therefore, although the UUID generator should not be relied on as cryptographically secure, it is an adequate defence for this specific case.
I continued my code review, and eventually the extensions/markdown-language-features/src/features/previewContentProvider.ts file caught my eye. vscode allows you to edit and preview Markdown files in real time, as shown in the picture below.
Here the nonce is built by concatenating getTime() with getMilliseconds() of the current date, so it is not cryptographically secure either: it is fully determined by the wall clock. Furthermore, appending getMilliseconds() adds no entropy at all, because it is simply the millisecond component of the same timestamp (the last three digits of getTime(), unpadded) in virtually all cases. Therefore, if an attacker can continuously populate a Markdown file with script blocks carrying every possible nonce candidate for the next few seconds, a victim who previews that file with the built-in Visual Studio Code Markdown extension is vulnerable to XSS: the preview's CSP permits exactly the script block whose nonce matches the one it just generated.
For a proof of concept (PoC), I used the following Node.js script to generate the malicious Markdown file.
I also used the following bash one-liner to rewrite the Markdown file every 4 seconds with the nonces for the next 2 seconds. Generating too many nonces would freeze vscode, so I had to find a balance between the update interval and the nonce count.
The following video demonstrates how to use the aforementioned scripts to reproduce the issue.
I reported the issue to Microsoft, and a fix was released as part of the July Patch Tuesday (2021). CVE-2021-34479 was assigned to the vulnerability.
Although this is not as exciting as an RCE, I learned a lot about Electron during the code review process and had the chance to exploit an interesting CSP bypass to achieve XSS. I wonder how widespread this type of vulnerability is, but that is a subject for another time.
Follow Techiepedia for more interesting write-ups.