bkoolMar 23, 2018
ed(1) conference

With recent revelations that Visual Studio Code (1.19.0 to 1.19.2) was listening on 9333/tcp exposing a debugging interface with flaws, it's worth learning an editor like ed(1) that doesn't even have network connectivity, let alone listen furtively on exposed ports.

If you want to read from the network, follow the Unix Way: external tools used explicitly

r !nc -Nl 0.0.0.0 31415

The remote machine can then do "echo hello | nc -N ${ED_MACHINE_IP} 31415"

https://medium.com/0xcc/visual-studio-code-silently-fixed-a-remote-code-execution-vulnerability-8189e85b486b

Visual Studio Code silently fixed a remote code execution vulnerability

This blog was written few weeks ago, since VSCode has been upgraded for a while, I made this public.

Mar 23, 2018 at 11:15pmWeb
Show threaded(1) conferenceMar 24, 2018

Even better, execute the command in a remote context over a secure connection:

r !ssh user@host "$COMMAND"

Show threadsaperMar 24, 2018

@ed1conf ed(1) is cloud ready.

I'd prefer r! uux host!user command since I can decide what commands are allowed to be run remotely.