bug#30912: emacs as a route to privilege escalation

bug#30912: emacs as a route to privilege escalation

[Nelson H. F. Beebe]

The SANS security list today carried a pointer to this Web site:

	Abusing Text Editors with Third-party Plugins
	March 15, 2018
	Dor Azouri 
	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins

It links to an 11-page report of the same title at

	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf

Do emacs developers wish to respond to the security attacks described
there?

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe@math.utah.edu  -
- 155 S 1400 E RM 233                       beebe@acm.org  beebe@computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------

bug#30912: emacs as a route to privilege escalation

[Lars Ingebrigtsen]

"Nelson H. F. Beebe" <beebe@math.utah.edu> writes:

> The SANS security list today carried a pointer to this Web site:
>
> 	Abusing Text Editors with Third-party Plugins
> 	March 15, 2018
> 	Dor Azouri 
> 	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins
>
> It links to an 11-page report of the same title at
>
> 	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf
>
> Do emacs developers wish to respond to the security attacks described
> there?

To save people time, I've included the Emacs-relevant bits below.

It seems to be pure nonsense.  You can't edit root's ~/.emacs without
root privilege.

----

Emacs executes its init file when it loads, and that’s where a user can add key bindings, define functions, and call external
commands. It contains personal EmacsLisp code that will be executed when Emacs starts. This file is located in one of the
following locations:
•
For GnuEmacs, it is ~/.emacs or _emacs or ~/.emacs.d/init.el.
•
For XEmacs, it is ~/.xemacs or ~/.xemacs/init.el.
•
For AquamacsEmacs, it is ~/.emacs or ~/Library/Preferences/Aquamacs Emacs/Preferences.el
All you have to do is add this ELisp line of code to the 
init file
. It will execute the command “touch /stub.file”, when “~/
emacs.d/” is the working directory.
 (let ((
default-directory
 "~/.emacs.d/")) (shell-command "
touch /stub.file
"))
And the privilege escalation objective is possible here as well, because surprisingly, this init file can be edited without root 
permissions.


-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#30912: emacs as a route to privilege escalation

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > It seems to be pure nonsense.  You can't edit root's ~/.emacs without
  > root privilege.

In principle, that should be the case, but sometimes it isn't.

Basically, it is true if the kernel has no bugs.
However, the kernel often does have a bug which can 
be used for "privilege escalation."  When such an exploit
is available, problems in user programs can be used to take
control of the computer.

But this does not require a add-on.  Bugs in programs that
display files obtained over the web, even files that are not
supposed to contain code at all, can be used to do this.

It is a real problem.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.

bug#30912: emacs as a route to privilege escalation

[Noam Postavsky]

forcemerge 28618 30912
quit

"Nelson H. F. Beebe" <beebe@math.utah.edu> writes:

> The SANS security list today carried a pointer to this Web site:
>
> 	Abusing Text Editors with Third-party Plugins
> 	March 15, 2018
> 	Dor Azouri 
> 	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins
>
> It links to an 11-page report of the same title at
>
> 	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf
>
> Do emacs developers wish to respond to the security attacks described
> there?

Dor already brought this up in Bug#28618.  As Glenn said:

    If an attacker has [compromised] a user account that can run "sudo arbitrary
    command", then that's just the same as having compromised the root
    account, and so worrying about this on the individual application level
    doesn't seem to make sense. Eg they could replace "sudo" with a keylogger.

Note that the problem could be "fixed" by setting

    Defaults always_set_home

in /etc/sudoers (Debian has this setting by default), but that won't
help with the sudo-is-a-key-logger problem.