From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Fri, 18 Dec 2015 12:46:26 +0200
Message-ID: <8337v0xce5.fsf@gnu.org>
References: <87h9jg5ay2.fsf@gmail.com>
Cc: 22202@debbugs.gnu.org
To: Demetri Obenour

> From: Demetri Obenour
> Date: Fri, 18 Dec 2015 05:05:09 -0500
>
> 1. Be logged into the same Windows computer as someone else.
> 2. Have a process running that is notified whenever a process starts up
> 3. Have them run `emacs --daemon' or invoke `server-start'.
> 4. Use the knowledge of the current time and the server's PID to guess
>    the authentication key.
> 5. Connect to the other user's Emacs server.
> 6. Execute arbitrary code with the other user's privileges.

Please provide the necessary details for reproducing this problem and
verifying the solution. What I'm missing:

> 1. Be logged into the same Windows computer as someone else.

How do you do that? I understand you are describing a situation where
2 users are logged into the same Windows system simultaneously using
the same credentials, is that true? If so, how to create such a
situation?

> 2. Have a process running that is notified whenever a process starts up
> 3. Have them run `emacs --daemon' or invoke `server-start'.
> 4. Use the knowledge of the current time and the server's PID to guess
>    the authentication key.

I don't think we use the current time and PID for that, but even if we
do, how do you get a hold of the time at the moment of the server
creation to nanosecond resolution? Please tell how to do that.

Thanks.