Attacking Language Server JSON RPC

55,593 views

LiveOverflow

A day ago

While auditing a VSCode Extension + Language Server I noticed something interesting. This turned into the research question "can we attack the extension from the browser?". After a bit of preliminary research I decided to do it again on stream, and eventually made this video. This is what security research can look like.
What is a Server? • What is a Server? (Dee...
What is a Protocol? • What is a Protocol? (D...
GitLab 11.4.7 RCE • GitLab 11.4.7 Remote C...
Live Stream: • Attacking VSCode Exten...
My Font (advertisement): shop.liveoverflow.com/
Interested in more videos like this? • Security Research
Chapters:
00:00 - Why Security Research?
01:23 - What is a Language Server?
02:53 - Setup Example Code
04:00 - RCE in VSCode Extension?
05:25 - The Language Server Code
06:29 - Researching Communication
11:13 - Can a Browser Attack the VSCode Extension?
13:54 - Research Results
15:40 - Ad n' Outro
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
2nd Channel: / liveunderflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Streaming: twitch.tvLiveOverflow/
→ TikTok: / liveoverflow_
→ Instagram: / liveoverflow
→ Blog: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow

Comments: 111
@Dominik-K (a year ago)
There's no failed research, just fruitless attempts. And I learned a bit about the language server protocol too
@EstelonAgarwaen (a year ago)
When you find out that something doesn't work, you still get the knowledge about how not to attack stuff
@MechMK1 (a year ago)
This reminds me of a project I was involved in for the past couple of weeks. Review of source code, really did a deep dive into it. Thousands of class files, going from broad architecture all the way to functional implementation. The final verdict? "Looks good, ship it" Just because you try really hard to find a vuln doesn't always mean there is one to find.
@sadDota (a year ago)
That was awesome, ty. Showed me that research is not always / doesn't need to always be fruitful, and now thinking about it I feel much better 😁
@tajsec498 (a year ago)
I love this video, it was a great way of showing even failed research can teach us a lot.
@AndreasWilfer (a year ago)
Great and very realistic showcase about how (security) research goes. Good job!
@samalextij445 (a year ago)
Thank you for posting this type of process! Learned a lot, and hopefully will be able to do research myself one day, thanks for all the quality content.
@geraldschittenhelm7386 (a year ago)
It isn't even fruitless. You checked it, found no vulnerabilities, gained knowledge about VsCode Extensions. Nice work! 👍
@shayarand (a year ago)
great video! this was a really raw and honest demonstration of hard work.
@logiciananimal (a year ago)
Great work - I don't regard the *research* as a failure; merely one avenue for exploitation is not seemingly possible - and that itself is a good result to communicate or at least know about.
@alexanderdell2623 (a year ago)
It would be cool to do such content more often live and upload recordings to the second channel. A good reminder that research is when you fail significantly more times than you succeed
@notapplicable7292 (a year ago)
Oh this sparked my interest in vscode extensions. Definitely on my list of things to play around with some time.
@konfushon (a year ago)
Love the new fonts BTW ❤
@Isti115 (10 months ago)
Wow, you just blew my mind with the solution to the problem at 13:20! 😃 I even paused to try and come up with my own idea, but didn't realize such a simple trick is enough...
@somesalmon5694 (a year ago)
In the on screen text at around 7:30 you wrote the word mess twice! Amazing video though, incredibly informative and deep information :) I appreciate your work!
@anon_y_mousse (a year ago)
Someone messed messed with his on screen text.
@dunste123 (a year ago)
It's pretty cool to learn how the protocol works
@till8413 (a year ago)
I'm currently writing vscode language support for my own language, so this is very interesting
@MattKAva (a year ago)
Amazing video, helped me a little with my imposter syndrome as I realized I knew a little more than I expected I would!
@znxster (a year ago)
Learning what fails is often as important as learning what succeeds.
@anthonation (a year ago)
Thank you, it is great, I enjoyed the journey a lot. 👍
@muyiwaiyowu (a year ago)
This is amazing! Instant sub!
@user-qw9yf6zs9t (a year ago)
i love your videos man! every time i watch your videos i get a weird but amazing feeling.. as if i want to do cyber sec for the rest of my life haha, keep doing what you're doing :)
@mystic_monk55 (a year ago)
That was informative. Thank you 🙏
@pravupritamlenka9215 (a year ago)
Thanks a lot, I'm also searching for this
@autozone5335 (a year ago)
Awesome talk!
@insulastudios (a year ago)
Awesome video, thank you
@RealCyberCrime (a year ago)
I’m thinking about making a similar video in documentary format
@AkashSingh-uk5ub (a year ago)
Congrats, your comment worked, I just subscribed. Make that video soon
@joshiy13 (a year ago)
+ sub, I'm excited
@sudonick2161 (a year ago)
great video!
@anon_y_mousse (a year ago)
You tried Chrome for pipelining, but several other browsers still have it. Also, wouldn't multiplexing work just as well?
@vineet1 (a year ago)
Much needed Motivation
@kRySt4LGaMeR (a year ago)
7:13 "Can an attacker mess mess with it?" :P
@chhiethearith9525 (a year ago)
I have one question for you: if the IDE uses a language server for checking code in the IDE, and we turn off the internet while we write code, why can the IDE still check whether the code has errors or not?
@smenigat (a year ago)
Would using WebSockets be an option? Or a custom http client being executed via WASM in a webworker?
@testtest-xz6ec (a year ago)
This is not the first video of this channel about language servers. In the video "Google Paid Me to Talk About a Security Issue!" it is explained how a language server with hacker controlled code can be used to execute code.
@lextorn92 (10 months ago)
@LiveOverflow Can't you include another Content-Length header k-v pair in the request body?
@sirishakotikalapudi9666 (10 months ago)
This channel and your content is very helpful in understanding how to go about security research and finding bugs. I have one question though: Are there any tools to identify how client applications communicate with servers without looking at the code? (Or if the client app code is not available)
@berndeckenfels (a year ago)
Isn’t LSP also used when VSCode is running in the browser, then it will use http and the LSP needs to be the server - or is a server side component doing that?
@1vader (a year ago)
Afaik in that case there is a separate VSCode server running somewhere else which among other things runs extensions and launches and connects to the LSP servers. It also works like this when you connect VSCode to a remote (though there also are extensions that run locally in that case, not sure how exactly that behaves in the browser, I guess maybe the local extensions can only be JS and run in the browser). Also keep in mind that the LSP "servers" aren't the kind of servers that run somewhere else in the cloud or something. If you run VSCode locally, they are just programs that will be started by VSCode on your PC.
@Donder1337 (a year ago)
It was very useful 👍
@strager_ (a year ago)
14:13 Could you write the second message in the body of the first message? The first message's HTTP body would be: {initialize-response-stuff}Content-Length: 123 {malicious-request}
@Ashnurazg (a year ago)
I noticed the dog in the background at 14:22 for a few seconds :3
@ironnoriboi (a year ago)
4:20 This is actually false for Microsoft's own C# extension in vscode. That extension downloads the server and other tools (same ones that are used for visual studio and msbuild). They even auto-update by default.
@kubersroyal1 (a year ago)
Hey awesome research, just curious: when you made it use socket instead of IPC (at 09:36), didn't you increase the attack surface so that a browser can be used? I mean if it had just used IPC it wouldn't be vulnerable to this attack, right?
@kubersroyal1 (a year ago)
Nvm, you did it for the extension, not the server. 👍
@Speglritz (a year ago)
Wouldn't it be possible for a malicious website to serve a web assembly program dealing with the communication to the language extension server that the connected clients run?
@Sumonsheikh-pz6ln (10 months ago)
Awesome
@huntercybersecurity (a year ago)
Hi, may I know how you know it's port 1219?
@mrpi230 (a year ago)
Thank you. Can you make a video series on "How to build an Operating System", for example xv6, which is a unix based open source project?
@LuLeBe (a year ago)
Maybe it was just me, but even halfway through the video I still wasn't sure whether you're trying to figure out whether a malicious codebase opened in VSCode with your extension active, or the extension itself is the attack. So are you trying to protect users of your extension, or are you trying to figure out whether an extension itself can be malicious? Maybe I missed it but that made it harder for me to follow.
@LiveOverflow (a year ago)
I’m trying to figure out whether a malicious website can attack a VSCode extension that uses a language server via socket transport. Ultimately in the end I want to check whether my extension is safe against this potential attack
@user-ot8tb8jk3t (a year ago)
Curious. Is this video stretched in width? He looks wide.
@anion21 (a year ago)
I don't think it is failed research. It is a clue which indicates that an attacker can probably not attack you using this method. I think that's worth a lot.
@ilyasamarov (a year ago)
14:31 Isn’t it possible to overcome this with web sockets? I think it’s possible to exchange messages on the same TCP connection. Also, all HTTP related tricks might not be needed. If I’m not wrong
@LiveOverflow (a year ago)
Websocket is a bit more complex protocol that requires the server to play along
@damiannowak3811 (a year ago)
i like working backwards straight from what can i change/what is the user input :)
@tg7943 (a year ago)
Push!
@_nikeee (a year ago)
Since pipelining did not work, have you tried relying on HTTP keep-alive? Since vscode won't close the connection, we only have to prevent the browser from closing it. If this works, you can just do two HTTP requests. Also, have you tried sending two payloads in the same message body (repeating the content-type for the second one)? I think VSC only reads the number of bytes it needs to read to process the message (for perf reasons). So we maybe could just send two messages in a single request. Of course, this only works if the server doesn't expect anything from his first response in our second message.
@nassymalassane7278 (a year ago)
Nice
@sandiproy9361 (a year ago)
Language server protocol, the way you're explaining it is pretty interesting.. though I know this stuff, awesome video
@tjgdddfcn (a year ago)
Why did that need to be from the browser anyway? Since doing it from the user would require him to open the browser at the right time, attacking from the outside would be the only option. That could be possible since to my knowledge the messages aren’t encrypted and TCP spoofing could be possible, but since these connections will be made on loopback and can't be sniffed (by an outsider), it would require guessing the sequence number (which is technically possible I guess) and which open port is the server
@shadowpenguin3482 (a year ago)
Because code in the browser has a lower trust level, websites are sandboxed. If an application running on your machine communicates with other applications, it’s expected. If you allow a website to execute code on your machine it’s much worse.
@gcxs (a year ago)
I'm gonna pick up the pieces and build a lego house
@GoLDnTRiXX (a year ago)
Let's be grateful that there's no security vulnerability to exploit in vs-code. So this is not a failure, but good news
@LostMekkaSoft (a year ago)
14:23 DOG!!!
@scuffed_content (a year ago)
G🐐A T E D
@Wanderer072 (a year ago)
I like when you talk fast and move your hands like you’re rapping 😂 I dare you to do a rap song about coding just for the lol’s 🤣🤣🤣
@dummypg6129 (a year ago)
multipart/x-mixed-replace ??
@___lzcat (a year ago)
wouldn't http streams work with this?
@wontcreep (a year ago)
if security research never failed, it would mean everything would be a vulnerability
@vaisakhkm783 (a year ago)
Thank you.... I always wanted to do this... I am currently interested in LSP as I wasted the past year configuring nvim..... Maybe I may try the same in neovim lsp... if it works....
@korigamik (a year ago)
The LSP protocol is entirely different from this.
@luizzeroxis (a year ago)
Wait, could you not just send multiple requests through the fetch api in a website?
@ChrisBigBad (a year ago)
You said it expects 2 messages. Can't you just post two of them as one block of POST? Faking ends and headers in the middle of your data if necessary? LG chris :)
@EvilSapphireR (a year ago)
Why was attacking it via a browser so important? Like you showed in python it's just a few lines of code.
@LiveOverflow (a year ago)
It’s easy for an attacker to make the victim open a malicious website. Getting python code execution on the local computer is already game over ;)
@akileswar114 (9 months ago)
can we have an rpc deepdive?
@norude (a year ago)
So connecting between processes using TCP is not secure because a browser can be running in the background. Well you can certainly find antipatterns in programs using it. That's really strange that TCP can be supported at all. On second thought, using TCP and assuming data that comes from it is somehow safe is wrong at all times.
@dealloc (a year ago)
It's not that strange when you consider that it can be used remotely, e.g. for remote editor environments (like Visual Studio Code supports). Using TCP with TLS wouldn't make sense locally, because the request and responses would have to be encrypted and decrypted on the same machine anyway. In this case you can use TLS on top of the TCP connection that is established with a remote LSP.
@LevitskiSRGE (a year ago)
Pipes on windows or ports on mac? What? You mean pipes and ports everywhere?
@LiveOverflow (a year ago)
"mach ports"
@xBZZZZyt (a year ago)
07:13 2 mess?
@mayur9876 (a year ago)
Looking at how frequently the lsp server is called, why did they choose to go with json as opposed to binary encoding? Seems like a bad choice.
@Uerdue (a year ago)
I don't think it would make much of a difference performance-wise. Since no bytes have to be transmitted over the (slow) network, the performance cost of a single call to the language server is probably not going to depend too much on the length of the data to be sent, but will just be some more or less constant amount of time spent in kernel code (for the underlying IPC mechanism). So, with performance not being an issue, it makes sense to just make the API for the language server as programmer-friendly as possible. And there, JSON just wins over binary encoding. Sadly. :D
@INVENTASHIF (a year ago)
Please explain CVE-2022-37421 with example/demo or reply please
@tommyhetrick (a year ago)
4:31 someone clip this 😂
@AJMansfield1 (a year ago)
It might not be a practical attack, but it's still a near-vulnerability, a la the swiss cheese risk model. And one straightforward measure that would stop any exploit dead would be forcing that initial status message to include an authentication token passed to the process in an environment variable.
@tjgdddfcn (a year ago)
or just require that a particular header is set that no website sends by default
@Verrisin (a year ago)
Who do we not trust? some extension? some external attacker getting RCE on a computer because LSP is running on it? - What's the intro? What's the context?
@LiveOverflow (a year ago)
A malicious website. That’s why we explore whether we can attack the extension from the browser
@Verrisin (a year ago)
@@LiveOverflow Yeah, eventually that was answered. But initially it was not clear. - Also, I think it's just what direction the search turned toward. Not the initial goal. - I guess the initial goal was "try to find any vulnerability" be it local escalation, or external access etc ... but that's a weird goal to have... but I guess it's just "how safe is it to let someone use VSCode+LSP" inside our reasonably trusted LAN etc ...
@LiveOverflow (a year ago)
You literally described the video :D I had to do a security review of a vscode extension. And in the video I take you along researching one particular attack surface. It’s just the story from start to research result ;)
@LiveOverflow (a year ago)
And yes, that’s research. "Initially the goal wasn’t clear". Of course it’s not clear, that’s science and looking into the unknown;)
@Verrisin (a year ago)
@@LiveOverflow Yeah, my bad. I didn't know exactly what "security review" is, so I was confused the first 75% of the video, before I figured out what the objective was. - As a software developer, I usually start by defining an attack surface. Don't worry with anything in the "trusted" scope, trust "nothing" in the outside world. Only caring about that one well defined surface to not go crazy. Otherwise I would never get anything done. - That's why it was hard for me to go along and think about the problem when that was not clear upfront. - It would have been useful for me to mention near the start we are looking for a vulnerability at any possible "level" (except not really untrusted extensions themselves?). - With VSCode extensions, I would be much more worried about evil/hacked extensions, dependency running a hacked script etc ... than an existing "backdoor" using it for escalation, or website injecting a script in my build... - But the browser direction was interesting. I always assume only local things can open connections to loopback ports, so never considered worrying about it (except extensions, tools that are local servers, etc) ... I wonder if my assumption is even right ... I never considered CORS at development time running on localhost.... O.O Great video, though. Thanks!
@TheForge47 (a year ago)
3 seconds in and I immediately knew he speaks German 😂
@akashossain8468 (10 months ago)
hello everyone
@changeagent228 (a year ago)
Been offered a really cheap deal for 1Gbps fiber but it's CGNAT only, should I take it, anyone? Yes or No? Answers appreciated.
@NLozar22 (a year ago)
Am I completely off the mark for seeing this as quite a major at least privacy if not also security hazard? The JSON RPC language server can effectively read all the code you're writing. Also you were able to read TCP traffic in cleartext using Wireshark. What's stopping a MITM in this case?
@tropicbliss1198 (a year ago)
If malicious code is able to read raw tcp requests like that, it’s effectively game over for the system, and there’s no need to exploit vscode to achieve what the hacker wants. And in reality not all communication within the system needs to be encrypted. One concern which is valid is privacy concerns, and unfortunately if you install an app on your system, you’re essentially giving it free reign to access whatever file it wants
@dealloc (a year ago)
I think you'd have more important concerns if malware ended up on your computer in the first place.
@Cornbread2100 (a year ago)
first
@bigmistqke (a year ago)
🥇
@dreamchaser7559 (a year ago)
@@bigmistqke He deserves the award 😅😅
@HTWwpzIuqaObMt (a year ago)
Who cares
@Cornbread2100 (a year ago)
@@HTWwpzIuqaObMt nobody
@Cornbread2100 (a year ago)
@@bigmistqke thank you for the honor dear sir
@neednothing3445 (a year ago)
FYI your Twitch Link is missing a "/" after the ".tv"