VS Code as-a-RAT
VS Code in a computer near you
Visual Studio Code upended the developer work environment almost overnight, killing many competing products along the way. According to the 2023 Stack Overflow Developer Survey, it was the #1 IDE by a large margin, with over 73% of respondents reporting that they use it. If your organization does any amount of development, it is in your environment.
VS Code’s success is built on the platform’s extensibility and on its association with its more mature sibling, Visual Studio. Extensions from Microsoft and other verified publishers are listed in the tool for one-click installation. Terminal/console access is built in out of the box and works very well. Overall, it is a single pane of glass for development for many developers.
Sharing is Caring
One of Microsoft’s built-in features is Live Share, which lets developers share access to their VS Code session with colleagues and collaborate in real time. This is especially helpful when pair programming or teaching students. It is straightforward to use both as a presenter and as a collaborator. The flow goes something like this:
The presenter opens up VS Code on their machine.
If Live Share is not installed, it is installed with a single click from the Extensions view.
The presenter selects “Live Share” from the status bar of the application.
The presenter picks their authentication source (GitHub or Entra ID).
The session begins and the presenter receives a shareable link.
The remote user receives the link and opens it in their browser.
The browser redirects to VS Code, which opens the session.
Within seconds, the presenter’s terminal and code begin to appear on the remote user’s machine.
Attendee Rights
As a session attendee, I have the following rights by default:
1. I can use the VS Code Explorer to create files and folders, and modify the contents of any document within the shared workspace on the presenter’s host.
2. I can issue _any_ command in any terminal session shared in the VS Code window.
Commands run with the privileges of the presenting user: whatever the presenter can do from their own terminal, the attendee can do too.
3. I can download and upload files through the bridged connection.
Stated with an adversarial mindset:
I can write arbitrary code and files to the system.
I can execute the code and files.
I can exfiltrate any data I pull into the folder that VS Code has opened.
Locking it down
Presenter Controls
As a presenter, you can start the Live Share session in read-only mode for the code, for the terminal, or for both. For each session you create, choose the most restrictive share permissions so that you do not create opportunities for malicious use.
Network Controls
To restrict access to Live Share at the network layer, block the following domain pattern:
https://*.liveshare.vsengsaas.visualstudio.com/
This does not prevent local network sharing, which is handled over a direct TCP connection whose port and server name can be customized.
Endpoint Controls
Create a rule to detect and/or delete the extension on endpoints. By default, VS Code installs extensions in the user profile on all major desktop operating systems, under `~/.vscode/extensions` (`%USERPROFILE%\.vscode\extensions` on Windows).
The Live Share extension folder matches this pattern in the extensions directory:
`ms-vsliveshare.vsliveshare-*`
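As an added example (not code from the original post), here is a small scanner that walks every home directory under a root such as `/home`, `/Users` or `C:\Users`, reports any Live Share extension folder it finds, and optionally deletes it. It assumes the default per-user layout described above; the `.vscode-insiders` directory used by VS Code Insiders builds is an addition beyond what the post names.

```python
"""Find (and optionally remove) the VS Code Live Share extension in user profiles.

Added example; not from the original post. Assumes the default per-user
extension layout (~/.vscode/extensions) and scans every home directory
below a given root (e.g. /home, /Users, or C:\\Users).
"""
import argparse
import shutil
from pathlib import Path

# Folder-name pattern of the Live Share extension inside an extensions directory.
LIVESHARE_GLOB = "ms-vsliveshare.vsliveshare-*"

# Per-user extension directories relative to each home directory. The stable
# build uses .vscode; Insiders builds use .vscode-insiders (an assumption
# beyond the post, which only names .vscode).
EXTENSION_DIRS = (".vscode/extensions", ".vscode-insiders/extensions")


def find_liveshare_extensions(home_root: Path) -> list[Path]:
    """Return every Live Share extension folder under <home_root>/<user>/...

    Directories are returned in sorted order so results are stable for reporting.
    """
    hits: list[Path] = []
    homes = sorted(p for p in Path(home_root).iterdir() if p.is_dir())
    for home in homes:
        for rel in EXTENSION_DIRS:
            ext_dir = home / rel
            if not ext_dir.is_dir():
                continue
            hits.extend(sorted(p for p in ext_dir.glob(LIVESHARE_GLOB) if p.is_dir()))
    return hits


def remove_extensions(paths: list[Path], dry_run: bool = True) -> list[Path]:
    """Delete the given extension folders; with dry_run=True only report them.

    Returns the folders that were (or would have been) removed.
    """
    removed: list[Path] = []
    for p in paths:
        if not p.is_dir():
            continue
        if not dry_run:
            shutil.rmtree(p)
        removed.append(p)
    return removed


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Detect/remove VS Code Live Share per user.")
    parser.add_argument("home_root", help="directory containing user home directories")
    parser.add_argument("--delete", action="store_true", help="remove the folders found")
    args = parser.parse_args()
    found = find_liveshare_extensions(Path(args.home_root))
    for folder in remove_extensions(found, dry_run=not args.delete):
        print(("removed " if args.delete else "found ") + str(folder))
```

Run it as `python find_liveshare.py /home` to report and `--delete` to remove. Deleting the folder removes the capability from that profile, but nothing stops a user from reinstalling it from the Marketplace, so pair this with periodic re-scans; for a user who is logged in, `code --uninstall-extension ms-vsliveshare.vsliveshare` is the supported uninstall path.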
Identity Provider Controls
In Entra ID, you can check which user accounts have signed in to Visual Studio Code by searching the sign-in logs. Note that this only catches sessions authenticated with Entra ID; a presenter who picks GitHub as their authentication source leaves no trace here, and the “Visual Studio Code” application also covers any other Entra sign-in made from VS Code, not only Live Share.
1. Sign in to portal.azure.com
2. Navigate to “Users”
3. Open “Sign-in Logs”
4. Adjust the filter to search for the Application “Visual Studio Code”
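The same check can be run over a JSON export of the sign-in logs (or the response of a Microsoft Graph `auditLogs/signIns` query) instead of clicking through the portal. The following is an added example, not from the original post; the record layout follows the Graph `signIn` resource (`userPrincipalName`, `appDisplayName`, `ipAddress`, `createdDateTime`, `status.errorCode`), and the sample records are constructed. It groups “Visual Studio Code” sign-ins per user with first/last seen, failure count and distinct source IPs, which is what you need to decide who to talk to.

```python
"""Summarize Entra ID sign-ins to the "Visual Studio Code" application.

Added example; not from the original post. Works on records shaped like the
Microsoft Graph signIn resource (what the portal exports as JSON and what
GET /auditLogs/signIns returns). SAMPLE_SIGNINS is constructed sample data.
"""
import json
from datetime import datetime, timezone
from pathlib import Path

# Display name of the first-party application that VS Code authenticates as.
VSCODE_APP = "Visual Studio Code"

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-02T09:15:30Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Visual Studio Code", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T09:20:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.11",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-03T18:42:10Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Visual Studio Code", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-04T01:05:44Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Visual Studio Code", "ipAddress": "198.51.100.9",
     "status": {"errorCode": 50126}},  # 50126: invalid username or password
]


def load_signins(path: Path) -> list[dict]:
    """Load a JSON export: either a bare list or a Graph envelope {"value": [...]}."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    return data["value"] if isinstance(data, dict) else data


def _parse_time(value: str) -> datetime:
    """Parse Graph timestamps: UTC, 'Z' suffix, optional fractional seconds."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        # datetime.fromisoformat accepts at most 6 fractional digits
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def summarize_vscode_signins(records, app: str = VSCODE_APP) -> dict:
    """Group sign-ins to `app` by user: count, failures, distinct IPs, first/last seen."""
    summary: dict[str, dict] = {}
    for rec in records:
        if rec.get("appDisplayName") != app:
            continue
        user = rec["userPrincipalName"]
        entry = summary.setdefault(
            user, {"count": 0, "failed": 0, "ips": set(), "first": None, "last": None}
        )
        ts = _parse_time(rec["createdDateTime"])
        entry["count"] += 1
        if rec.get("status", {}).get("errorCode", 0) != 0:
            entry["failed"] += 1
        entry["ips"].add(rec.get("ipAddress"))
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return summary


def users_with_vscode_signins(records, app: str = VSCODE_APP) -> list[str]:
    """Sorted list of UPNs that have at least one sign-in to `app`."""
    return sorted(summarize_vscode_signins(records, app))


if __name__ == "__main__":
    for user, info in summarize_vscode_signins(SAMPLE_SIGNINS).items():
        print(f"{user}: {info['count']} sign-ins ({info['failed']} failed), "
              f"{len(info['ips'])} IPs, {info['first']:%Y-%m-%d} .. {info['last']:%Y-%m-%d}")
```

Point `load_signins` at a portal export and feed the result to `summarize_vscode_signins`; a developer signing in from an IP you do not recognise, or an account that has no business running VS Code at all, is the thing to follow up on.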
In Closing
VS Code is a powerful tool that has increased productivity for developers the world over. However, there are few restrictions on which extensions can be installed, and some, like Live Share, create the potential for backdoor access to systems that was never intended. Given Live Share’s lack of logging and attendee restrictions, it is important that this capability be monitored in your environment to avoid backdoors and breaches.