Visual Studio Code Python Extension Remote Code Execution

Strike ID: E20-mx8m1
CVSS: 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
False Positive: f
Variants: 1
Year: 2020

Description

This strike exploits a virtualenv variable path loading vulnerability in the Python extension for Microsoft Visual Studio Code. Specifically, the vulnerability lies in how VS Code selects and loads a virtualenv found inside a project folder. The project folder can be loaded without further user interaction; the only action required of the user is to open a Python .py file, at which point the planted code executes. By adding a malicious folder to the workspace and opening a Python file inside that project, the code added to the folder runs inside the extension. The project zip package included in this strike prompts the user to install an extension before it will run. Once the extension is installed, clicking the Python file launches the Calculator app on macOS.
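A defender-side check that follows from the description above, added here as an example and not part of the strike or of the extension's own code: before opening an untrusted project in VS Code, walk the workspace for virtualenv interpreter entry points and flag any that is not a native binary or a link to an interpreter outside the workspace. The venv layout paths and the assumption that the extension activates any virtualenv it finds under the workspace are mine, not stated on the page.

```python
import os
import sys

# Interpreter entry points, relative to a virtualenv root, for POSIX and
# Windows layouts. Assumption (not stated on the page): the extension picks
# up any such virtualenv it finds under the workspace folder.
INTERPRETER_PATHS = ("bin/python", "bin/python3", "Scripts/python.exe")
# Leading bytes of native executables (ELF, Mach-O 64, Mach-O fat, PE).
NATIVE_MAGIC = (b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"MZ")


def classify(path, workspace):
    """Label what an interpreter file really is: 'native', 'external-link',
    'internal-link', 'script' or 'unknown'."""
    if os.path.islink(path):
        target = os.path.realpath(path)
        try:
            inside = os.path.commonpath([target, workspace]) == workspace
        except ValueError:  # different drives on Windows: not inside
            inside = False
        return "internal-link" if inside else "external-link"
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(NATIVE_MAGIC):
        return "native"
    if head.startswith(b"#!"):
        return "script"  # a shell/Python script posing as the interpreter
    return "unknown"


def audit_workspace(root):
    """Return [(relative_path, label)] for every venv interpreter under root
    that is neither a native binary nor a link to one outside the workspace."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, _, _ in os.walk(root):
        for rel in INTERPRETER_PATHS:
            candidate = os.path.join(dirpath, *rel.split("/"))
            if not (os.path.islink(candidate) or os.path.isfile(candidate)):
                continue
            label = classify(candidate, root)
            if label not in ("native", "external-link"):
                findings.append((os.path.relpath(candidate, root), label))
    return findings


if __name__ == "__main__":
    for path, label in audit_workspace(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"suspicious interpreter: {path} ({label})")
```

A real virtualenv's bin/python is normally a symlink to a system interpreter, so it is reported as an external link and not flagged; a shebang script or a link resolving back into the repository is exactly what this check is meant to surface.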

References