
JetBrains IDE Remote Code Execution and Local File Disclosure

145 points by mandatory, almost 9 years ago

12 comments

Noseshine, almost 9 years ago

Wow. I'd like to quote the final section "Interactions with the vendor". It's been my experience as a user as well, of my very numerous bug reports - not because it's buggier than others but because I'm quick posting them - most have been solved within a very reasonable amount of time (I always provide a reproducible test case, which helps).

From here on it's all a quote:

"I'd like to specifically thank Hadi Hariri and the rest of the JetBrains team for their proactive response to my report. My email requesting a security contact was answered within an hour of my sending it, and the issue was resolved relatively quickly."

"They sent me a patchset against intellij-community and a binary build with their proposed solutions, and were receptive to my feedback when I mentioned potential issues."

"Lastly, even though Jetbrains doesn't have a bug bounty program that I'm aware of, and I definitely wasn't expecting anything, Jetbrains quite generously awarded a bounty of $50,000 for my report and help reviewing the patch. I've asked them to donate the bulk of this to the PyPy project to fund improved Python 3 support, fingers crossed for await/async support in PyPy :)."
agency, almost 9 years ago

Kudos to JetBrains for awarding the very generous $50,000 bounty (and to the author for donating the bulk of it).

The YouCompleteMe project had a similar vulnerability[1]. I suppose a lesson here is that if your development environment/tools expose services over HTTP on localhost you should be really careful with CORS headers.

[1]: https://github.com/Valloric/ycmd#is-hmac-auth-for-requestsresponses-really-necessary
nucleardog, almost 9 years ago

This is exactly why services that expose unnecessary network services drive me batty.

The extent of this vulnerability would have been significantly limited if it were only enabled for users using the feature (e.g., not Android Studio, PyCharm, or other users) and even more so if it were enabled on demand.

In recent memory, both CodeKit and Prepros really want to have some live preview HTTP server enabled all the time. Simply enabling it when the user hit the "Open Live Preview" button in the app would significantly reduce the attack surface. As would giving users the option to enable/disable it at will.
comex, almost 9 years ago

Little known fact: OS X has something quite similar to UNC paths, which can probably be used in the same way as an exploitation vector for this bug (and others). Specifically, there is an autofs mounted on /net which will try to mount an NFS share from any IP address if triggered by any process simply accessing a path starting with "/net/(host)/(sharename)".

Incidentally, I don't think this is accessible from an app sandbox, but I expect JetBrains' IDEs aren't sandboxed.
0x0, almost 9 years ago

This was also present in Android Studio until version 2.1.1 - http://tools.android.com/download/studio/builds/2-1-1 (note: this is no longer the most recent version, so don't download from that page)
voltagex_, almost 9 years ago

> "No live PoC for the Windows or OS X RCEs 'cause I don't want to host public-facing SMB or NFS shares :)"

I wonder what the minimum amount of code / work would be to make a Samba-lite to do this kind of testing. I'm surprised it isn't in Metasploit already.
timthelion, almost 9 years ago

This is why you need to isolate your applications. You never know what kind of services and other things are being exposed. Use subuser (subuser.org) or at least firejail. Simple isolation eliminates this type of security problem.
petters, almost 9 years ago

When I played around with XMLHttpRequest to a locally running Jupyter server I got the following error:

No 'Access-Control-Allow-Origin' header is present on the requested resource.

It seems that should have prevented this exploit as well?
K0nserv, almost 9 years ago

Three things stand out to me that made this attack possible.

1. JetBrains setting too broad CORS headers.

2. JetBrains listening on 0.0.0.0 instead of only listening on localhost. Seems like YCMD is also listening on 0.0.0.0 instead of only localhost though.

3. But the overlooked concern in my eyes is why web browsers support XMLHttpRequests to localhost/127.0.0.1 at all. I can't imagine a valid use case for that outside of developers working against a local machine. Seems to me like XMLHttpRequests to localhost should be rejected by browsers unless `--disable-web-security` or some other equivalent is used during startup.
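The two defensive points raised in this thread (agency's "be careful with CORS headers" and K0nserv's items 1 and 2) as an added, constructed example; this is not JetBrains' or ycmd's code, and the allowlisted origin `https://tool.example.com` is an assumption. A local developer service that answers every `Origin` with a permissive grant, or that reflects the request's origin, lets any page the developer visits read its responses; the handler below grants cross-origin access only to an exact-match allowlist and checks that the bind address is loopback-only.

```python
"""Origin allowlisting and bind-address check for a local developer HTTP API.

Constructed example: the weak pattern it avoids is answering with
`Access-Control-Allow-Origin: *` (or echoing the request's Origin back),
which the comments identify as the enabling bug.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Hypothetical allowlist: the one first-party origin that legitimately talks
# to the local service (assumption for this example).
ALLOWED_ORIGINS = {"https://tool.example.com"}


def cors_headers(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return CORS response headers for a request carrying `origin`."""
    if origin is None:
        return {}  # same-origin or non-browser client: no CORS grant needed
    if origin in allowed:
        # Exact match against the allowlist; `Vary: Origin` stops a cache from
        # serving the allowed origin's response to a different origin.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}  # unknown origin: the browser refuses to expose the response


def handle(method: str, origin: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Minimal dispatch: a preflight from an unknown origin is refused outright;
    an actual request from an unknown origin gets no grant, so the browser
    blocks the cross-origin read."""
    hdrs = cors_headers(origin)
    if method == "OPTIONS":
        if not hdrs:
            return 403, {}
        hdrs["Access-Control-Allow-Methods"] = "GET, POST"
        return 204, hdrs
    return 200, hdrs


def bind_is_loopback(host: str) -> bool:
    """K0nserv's second point: listen on 127.0.0.1, never on 0.0.0.0."""
    return ipaddress.ip_address(host).is_loopback


if __name__ == "__main__":
    print(handle("GET", "https://evil.example"))        # (200, {})
    print(handle("GET", "https://tool.example.com"))    # grant for the allowlisted origin
    print(bind_is_loopback("0.0.0.0"), bind_is_loopback("127.0.0.1"))  # False True
```

Endpoints that change state should additionally require a per-session token (as ycmd's HMAC scheme does), since the absence of a CORS grant stops the page from reading the response but not from sending the request.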
based2, almost 9 years ago

https://www.eclipse.org/security/known.php
antar, almost 9 years ago

This seems intentional from JetBrains to target unlicensed users/pirated copies.
grizzles, almost 9 years ago

A different experience: I'm working on an Android project at the moment. I emailed JetBrains 10 days ago asking why the IntelliJ Ultimate IDE blocks the UI so generously. I characterized it as heavy-handed and frequently unnecessary. I pointed out the workaround I use is to switch to a competing product during these moments. I suggested it diminishes developer productivity. I said that competing products have the same problem and solving it would be a big win for enterprise customers. I didn't get $50K (not expected) or even the courtesy of a response (expected).