Wednesday, March 28, 2018

CVE-2018-7160 - Pwning (NodeJS) Developers

TL;DR: NodeJS in debug mode did not check the Origin header of WebSocket connections. This could lead to arbitrary code execution on victims' systems if they visited a malicious website while debugging NodeJS. Visual Studio Code 1.19 - 1.19.2 was running in debug mode by default and exposed all of its users to this vulnerability.

Due to my suspicion of third-party software (probably a side effect of being an information security professional), I regularly check my systems for open ports (either directly with ss/netstat or with my Cinnamon plugin (disclaimer: mostly written for my own needs, and I'm too lazy to write the documentation)). In January 2018 I noticed that Visual Studio Code had opened TCP port 9333, listening on localhost (version 1.19.1 at that time).

It's not uncommon these days for code editors to open listeners (mostly for remote debugging, but also for live-updating the website you're currently developing or for shared IntelliSense support). Nevertheless, I wanted to see why it was listening on this port, as I wasn't debugging anything and was only working on some Python code.
As it turned out, it was actually a debug port! Not for some code I was developing, but for debugging vscode itself...