
Remote Code Execution after cloning a malicious repository [ VSCode Extension ]

HackerOne report #1094381 by rapt00r on 2021-02-04, assigned to @dcouture:


Report

Summary

Hi there! I've found a critical vulnerability in the GitLab VSCode extension that allows an attacker to execute a malicious binary on the victim's machine after they clone a repository.

Description

The vulnerability occurs because the GitLab extension for VSCode doesn't specify where the git.exe binary on Windows must be called from. This makes Windows search for git.exe inside the current directory after cloning a repository, allowing a custom git.exe binary to be executed after the clone.

Why does this happen?

When a user executes a command, Windows first checks the current directory, then each path in the %PATH% variable, and finally the system locations, for example %WINDIR%.

Knowing this, when a user clones a new repository, Windows will check whether the git.exe file exists in the current directory (the cloned repository) and, if found, it will be executed. As the malicious repository has the git.exe file and no 'allowed paths' are defined, Windows will check the repository and execute the file, allowing our binaries to be executed.

Steps to Reproduce

  1. Create a new Repository.
  2. Rename a Windows binary to git.exe and upload it to the repository (in this example, I used calculator.exe)
  3. Open VSCode and install the GitLab extension.
  4. Clone the repository
  5. The binary will be executed after the clone.

Demo

  1. Creating a new repository:
    gitlab-00.png

  2. Upload the calculator binary inside the repository (remember to rename it to git.exe before uploading):
    gitlab-04.png

  3. Clone the repository (can be via VSCode directly too):
    gitlab-05.png

  4. Open the repository in VSCode:
    gitlab-07.png

  5. The calculator binary will be executed:
    gitlab-08.png

Video PoC:
gitlab-rce.mp4

Impact

Attackers can run a malicious binary on the machine of any user who cloned the malicious repository.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: