## https://sploitus.com/exploit?id=C6D26B0E-A569-5B2C-ADAA-D1FB35F24DC7
# **CVE-2021-26700**

(Note: this manual is valid for DSNS lab's members only.)
## **Introduction**
This is a remote code execution (RCE) vulnerability that resided in the npm extension for Visual Studio Code (VS Code), which was developed by Microsoft to support running the npm scripts defined in the `package.json` file.

To exploit this vulnerability, the attacker might upload some malicious script hidden in files to a public GitHub repository, with some minor adjustment to the configuration used by the npm extension. If someone downloads this repository and opens it in a VS Code environment that has the specified extension installed, the malicious script is executed as soon as they view the `package.json` file. In my scenario, the malicious script is a batch file called `calc.bat`, which executes a `deployagent.ps1` program, which in turn establishes a DNS tunnel to DSNS lab's Caldera server at http://192.168.1.29:8888.

## **Prerequisite**

Since this CVE was found in 2021 and the Microsoft team fixed it in later versions, we need a way to download an older version ([v0.3.13](https://eg2.gallery.vsassets.io/_apis/public/gallery/publisher/eg2/extension/vscode-npm-script/0.3.13/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage)) of the npm extension. For convenience, I have included it in this GitHub repository. Also included is a script for installing VS Code on Windows.

## **Quickstart**

1. On a Windows system (e.g. APT3 in DSNS lab), run the following command to get this repository:
    ```
    git clone https://github.com/jason-ntu/CVE-2021-26700.git
    ```
    (You can also download and extract the repository through the GUI.) The following steps are assumed to be executed inside the repository (i.e. the cloned CVE-2021-26700 directory).

2. To install VS Code on Windows, run `.\install-vscode.bat`

3. Set up the command `code` as a shortcut to open VS Code by adding the following configuration into `settings.json` of VS Code.

4. To install the required version of the npm extension, run `.\install-extension.bat`

5. To exploit the CVE, open the repository in VS Code and view the `package.json` file. After a few seconds of waiting, a DNS connection from Caldera at http://192.168.1.29:8888 to the victim should have been established. The RCE is done!
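A defender-side check worth running before opening a repository cloned from an untrusted source, as an added example that is not part of this repository: it parses the workspace's `.vscode/settings.json` (JSONC, so comments are stripped first) and flags any setting whose value points at a script or executable such as `calc.bat`. The key name `some.tool.binaryPath` in the constructed sample is a placeholder, since this page does not name the setting the extension reads.

```python
import json
import re
from pathlib import Path

# File types a workspace setting should never redirect a tool binary to
SUSPICIOUS_EXT = re.compile(r"\.(bat|cmd|ps1|exe|vbs)$", re.IGNORECASE)

def strip_jsonc_comments(text: str) -> str:
    """VS Code settings are JSONC; drop // and /* */ comments outside strings."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c, nxt = text[i], text[i:i + 2]
        if not in_str and nxt in ("//", "/*"):  # skip a comment
            end = text.find("\n" if nxt == "//" else "*/", i + 2)
            i = len(text) if end < 0 else end + (0 if nxt == "//" else 2)
            continue
        if in_str and c == "\\":  # copy an escaped char (\" or \\) verbatim
            out.append(text[i:i + 2])
            i += 2
            continue
        in_str ^= c == '"'
        out.append(c)
        i += 1
    return "".join(out)

def find_tool_overrides(settings: dict, prefix: str = "") -> list:
    """Return 'key = value' for every setting whose value names a script/executable."""
    findings = []
    for key, val in settings.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            findings += find_tool_overrides(val, name)
        elif isinstance(val, str) and SUSPICIOUS_EXT.search(val.strip()):
            findings.append(f"{name} = {val}")
    return findings

def scan_workspace(repo: Path) -> list:
    """Check <repo>/.vscode/settings.json of a freshly cloned repository."""
    path = repo / ".vscode" / "settings.json"
    if not path.is_file():
        return []
    raw = path.read_text(encoding="utf-8-sig")
    return find_tool_overrides(json.loads(strip_jsonc_comments(raw)))

# Constructed sample; the key name is a placeholder, not a real extension setting
SAMPLE_SETTINGS = '''{
  // redirects an extension's tool binary to a batch file shipped in the repo
  "some.tool.binaryPath": ".\\\\calc.bat",
  "editor.tabSize": 2
}'''
```

Any finding means the workspace is trying to steer an extension at a file it ships itself, so treat it as a reason not to trust the repository until the referenced file has been reviewed.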

Reference: [jackadamson's github](https://github.com/jackadamson/CVE-2021-26700)