This article by xpnsec delves into the intricate architecture of Visual Studio Code Dev Tunnels, exploring their utility for Red Team assessments. Assisted by an LLM named "Bishop," the author meticulously dissects the multi-layered protocol. The research begins by detailing the REST management layer for tunnel discovery and access token generation, leveraging GitHub or Azure OAuth2. It then progresses to the WebSocket layer, which establishes a secure tunnel, followed by a discussion of the non-standard SSH connection that utilizes a modified russh crate for authentication and client-initiated port forwarding. The final layer involves MsgPack RPC, through which commands like spawn_cli, fs_read, and sys_kill can be executed remotely.
The core outcome of this research is Ouroboros, a Rust-based tool designed to interact with these dev tunnels, enabling actions such as listing existing tunnels and executing remote commands. The article highlights several potent attack paths, including persistence and lateral movement by exploiting API credentials stored in state.vscdb. More critically, it details initial access vectors by abusing OAuth2 flows for GitHub and Azure Entra ID. This involves leveraging widely-used Client IDs (e.g., Visual Studio Code, Teams, Azure Portal) and understanding concepts like Family of Client IDs (FOCI) and Brokered Client ID (BroCI) to pivot compromised tokens into access for Dev Tunnels, thereby significantly extending the attack surface.
The author also offers a candid reflection on the increasing role of LLMs in cybersecurity research. While "Bishop" efficiently mapped the protocol and patched code, the strategic understanding of attack paths, such as Device Code Phishing, FOCI, and BroCI, stemmed from the author's personal experience and collaborative learning within the cybersecurity community. The article concludes by emphasizing the value of creating practical tools like Ouroboros for security professionals, even with AI assistance, and acknowledges prior parallel research on Cursor's tunneling capabilities by other security researchers.