Demonstration of an attack on code editors that leaks files when opening source code

A method of attacking the VSCode code editor has been demonstrated that allows arbitrary files to be transferred, within the rights of the current user, when specially crafted source code is opened in the editor. In the proposed demo, opening Rust code that uses a procedural macro establishes a connection to host 127.0.0.1:8080 and sends the contents of the "~/.ssh/id_rsa" file containing the user's SSH keys.

For a compromise, it is enough to open the file with the code, without performing any other actions on the project. The example requires the rust-analyzer plugin in VSCode (a binding over the standard rustc compiler) and tools for working with Rust code installed on the system. The problem is related to the expansion of procedural macros during initial code analysis. A similar effect can also be achieved at compile time using the "cargo build" command.

It is noted that the problem may affect other code editors and programming languages. VSCode and rust-analyzer are used only to demonstrate the attack vector. Theoretically, any code editor that processes procedural macros, which allow syntax extensions to be created and code to be executed at compile time, is affected by the problem. Initially, the researcher studied the possibility of performing malicious actions during code compilation, but found that procedural macros are also expanded when source texts are processed in code editors. It is likely that the attack can affect other programming languages as well; for example, in Java, annotation processing can be manipulated in a similar way.
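A defender-side check for the behaviour described above, as an added example that is not part of the original article or the researcher's demo: before opening an untrusted Rust checkout in an editor, list the Cargo manifests that declare a procedural-macro crate, since that is the code run during macro expansion. The function names and the line-based manifest matching are assumptions of this example, and it does not cover proc-macro crates pulled in from a registry.

```rust
use std::{fs, io, path::{Path, PathBuf}};

/// True if a Cargo manifest declares a procedural-macro crate, i.e. code that is
/// loaded and executed while macros are expanded.
/// Line-based heuristic (an assumption of this example), not a full TOML parser.
pub fn declares_proc_macro(manifest: &str) -> bool {
    let mut section = String::new();
    for raw in manifest.lines() {
        // Drop comments, whitespace and quotes so spacing/quoting variants match.
        let line: String = raw.split('#').next().unwrap_or("")
            .chars().filter(|c| !c.is_whitespace() && *c != '"').collect();
        if line.starts_with('[') {
            section = line; // remember the current table header, e.g. "[lib]"
            continue;
        }
        let line = line.replace("proc_macro", "proc-macro"); // Cargo accepts both spellings
        let in_lib = section == "[lib]" && line == "proc-macro=true";
        // Top-level forms: `lib.proc-macro = true` or `lib = { proc-macro = true }`.
        let top_level = section.is_empty() && line.starts_with("lib")
            && line.contains("proc-macro=true");
        if in_lib || top_level {
            return true;
        }
    }
    false
}

/// Recursively collect every Cargo.toml under `root` that declares a proc-macro crate.
/// Symlinks are not followed, so a hostile checkout cannot redirect the walk.
pub fn scan(root: &Path, hits: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(root)? {
        let entry = entry?;
        let (path, ft) = (entry.path(), entry.file_type()?);
        if ft.is_dir() {
            scan(&path, hits)?;
        } else if ft.is_file() && path.file_name().map_or(false, |n| n == "Cargo.toml") {
            if declares_proc_macro(&fs::read_to_string(&path)?) {
                hits.push(path);
            }
        }
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Pass the checkout directory as the first argument (defaults to ".").
    let root = std::env::args().nth(1).unwrap_or_else(|| ".".into());
    let mut hits = Vec::new();
    scan(Path::new(&root), &mut hits)?;
    hits.iter().for_each(|h| println!("proc-macro crate: {}", h.display()));
    Ok(())
}
```

Any manifest it reports points at a crate whose code would run on macro expansion, so review that crate in a plain text viewer before opening the project with Rust tooling enabled.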



Source: opennet.ru
