Drag and Pwnd: Leverage ASCII Characters to Exploit VS Code

Control characters like SOH, STX, EOT, and ETX were never meant to run your code—but in modern terminal emulators, they sometimes do. In this post, we explore how ASCII control characters can be weaponized to execute arbitrary commands in VS Code by simply dragging and dropping a file into the terminal.

Read the full article here:

Drag and Pwnd: Leverage ASCII Characters to Exploit VS Code

You Should Know: Exploiting Terminal Emulators with ASCII Control Characters

How the Exploit Works

1. Terminal Injection via Drag-and-Drop:

  • When a file is dragged into a VS Code terminal, certain ASCII control characters (e.g., `\x01` SOH, `\x03` ETX) can be embedded in the filename.
  • Because the terminal treats these bytes as control sequences rather than literal characters, they can break command parsing and let the text that follows them be run as a command.

2. Bypassing Workspace Trust:

  • VS Code’s Workspace Trust feature may not fully sanitize terminal input, allowing command execution.

Proof of Concept (PoC) Commands

Here’s how you can test this behavior in a controlled environment:

Linux/MacOS

# Create a malicious filename with embedded control characters
touch $'malicious\x03whoami\x04.txt'

# Drag this file into VS Code’s terminal
# Observe command execution (whoami)

Windows (PowerShell)

# Create a file with control characters (the `u{...} escape requires PowerShell 6 or later)
New-Item -Path ".\malicious`u{0003}whoami`u{0004}.txt" -ItemType File

# Drag into VS Code terminal

Mitigation Steps

  • Disable Drag-and-Drop in Terminals:
    // settings.json in VS Code
    "terminal.integrated.enableFileLinks": false

  • Sanitize Filenames:
    # Strip control characters; the POSIX [[:cntrl:]] class works in GNU and BSD sed,
    # whereas \xHH escapes inside a bracket expression are GNU-only
    echo "$filename" | sed 's/[[:cntrl:]]//g'

  • Enable Strict Terminal Validation:
    # Check for control characters before processing. Bash's =~ takes a POSIX ERE,
    # where \x00-\x1F is not a byte range (it would match ordinary letters), so use [[:cntrl:]]
    if [[ "$filename" =~ [[:cntrl:]] ]]; then
      echo "Malicious input detected!"
      exit 1
    fi

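The injection mechanism in "How the Exploit Works" and the sanitization steps above both come down to one question: does a filename carry bytes in the 0x00-0x1F/0x7F range before it reaches an interactive terminal? The following POSIX sh script is an added example, not code from the original post or from PortSwigger. It detects such names, renders them unambiguously so the hidden bytes are visible instead of being interpreted, strips them, and scans a whole directory. The function names are this example's own, the sample filename is constructed, and it assumes a C or UTF-8 locale.

```shell
#!/bin/sh
# Added example (not from the original post or PortSwigger): detect, reveal and
# strip ASCII control characters in filenames before a path is dropped into a
# terminal. Function names are this example's own; assumes a C or UTF-8 locale.

# Succeeds (exit 0) when the argument contains at least one control byte
# (0x00-0x1F or 0x7F). [:cntrl:] is a portable POSIX class, unlike \xHH ranges,
# which bash's [[ =~ ]] does not understand and BSD sed rejects.
has_control_chars() {
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" != "$1" ]
}

# Prints the name with every control byte removed.
strip_control_chars() {
    printf '%s' "$1" | tr -d '[:cntrl:]'
}

# Prints an unambiguous rendering: sed's `l` command shows control bytes as
# octal escapes (\003, \004) and ends the line with `$`, so nothing is handed
# to the terminal for interpretation.
reveal_control_chars() {
    printf '%s\n' "$1" | sed -n l
}

# Scans a directory (dotfiles included) and prints every entry whose name
# carries control bytes. Returns 1 if any were found, 0 if the directory is clean.
scan_dir() {
    found=0
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        if has_control_chars "$name"; then
            printf 'control characters in: %s\n' "$(reveal_control_chars "$name")"
            found=1
        fi
    done
    return $found
}

# Demonstration with constructed filenames in a throwaway directory.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/clean.txt"
    : > "$tmp/$(printf 'evil\003whoami\004.txt')"   # constructed sample name
    if scan_dir "$tmp"; then
        echo "no suspicious names"
    else
        echo "at least one name needs sanitising"
    fi
    rm -rf "$tmp"
}
```

Run `demo` to see the scanner flag the constructed name as `evil\003whoami\004.txt$`; the same `scan_dir` call can be dropped into a pre-commit hook or a download-folder check so that names are inspected before anyone drags them into a terminal.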

What Undercode Say

This exploit demonstrates how seemingly harmless features (like drag-and-drop) can become attack vectors when combined with legacy ASCII control characters. Security teams should:
– Audit terminal emulators for unsanitized input.
– Monitor for unusual command executions in development environments.
– Apply strict input validation in all CLI tools.

Additional Security Commands

  • Linux Process Monitoring:
    ps aux | grep -i "suspicious_process"

  • Windows Command Logging:
    # -like needs wildcards; a bare "whoami" would only match a message that is exactly "whoami"
    Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Message -like "*whoami*"}

  • Network Traffic Inspection:
    tcpdump -i eth0 'port 22 or port 80' -w terminal_traffic.pcap
    

Expected Output:

A secure development environment where terminal inputs are rigorously sanitized, preventing arbitrary command execution via drag-and-drop or other UI-based attacks.

🔗 Reference: PortSwigger Research

References:

Reported By: Zakhar Fedotkin – Hackers Feeds