From: Dor Azouri <dor.azouri@safebreach.com>
To: John Wiegley <jwiegley@gmail.com>
Cc: 28618@debbugs.gnu.org
Subject: bug#28618: Emacs Security Issue
Date: Wed, 27 Sep 2017 16:02:42 +0000 [thread overview]
Message-ID: <CALVPaFYY2dc-d8Gdr2QUL6YWmU1tSFb-ge4LKGpW_oVYZnA8mA@mail.gmail.com> (raw)
In-Reply-To: <m260c4w3h9.fsf@newartisans.com>
[-- Attachment #1: Type: text/plain, Size: 1676 bytes --]
sudo access is not required to edit the init file.
The only requirement is that the user is a sudoer (a user that’s in
/etc/sudoers). It is different: a sudoer is a user that is able to elevate
to root after entering root password, it doesn't mean that it is always
doing things as root. Such a user still needs to explicitly "sudo" for
elevated commands (similar to "Run As Administrator" or UAC in Windows).
So what I identified here is that such a user can be used by an attacker to
edit the init file without elevating, even though the same file will be
loaded when elevating the editor.
The flow: after inserting malicious commands to the init script, all the
attacker has to do is wait for the user to elevate Emacs at some point
(under the assumption that the user will at some point elevate Emacs, which
may not always be true). The malicious commands will be run as root.
On Wed, Sep 27, 2017 at 6:44 PM John Wiegley <jwiegley@gmail.com> wrote:
> >>>>> "DA" == Dor Azouri <dor.azouri@safebreach.com> writes:
>
> DA> In short, a malicious actor that can execute code as one of the sudoers
> DA> (in non-elevated mode), can edit the init file, and add malicious
> commands
> DA> to it. Then he needs to wait for that user to invoke the editor in
> DA> elevated mode - and the plugin that was written before, will be loaded
> DA> with the root permissions.
>
> If the user has sudo access to run Emacs, isn't the game already over? They
> could M-x shell and rm -fr /, no?
>
> --
> John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F
> http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2
>
[-- Attachment #2: Type: text/html, Size: 2208 bytes --]
next prev parent reply other threads:[~2017-09-27 16:02 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-27 13:56 bug#28618: Emacs Security Issue Dor Azouri
2017-09-27 15:44 ` John Wiegley
2017-09-27 16:02 ` Dor Azouri [this message]
2017-09-27 16:23 ` Andreas Schwab
2017-09-27 17:24 ` Glenn Morris
2017-09-27 18:03 ` Glenn Morris
2017-09-28 11:25 ` Noam Postavsky
2017-09-29 12:57 ` Dor Azouri
2017-09-29 13:24 ` Noam Postavsky
2017-09-29 16:41 ` Glenn Morris
2017-09-29 22:55 ` Noam Postavsky
2017-10-01 15:27 ` Dor Azouri
2017-10-06 2:23 ` Noam Postavsky
2018-03-17 1:43 ` Noam Postavsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALVPaFYY2dc-d8Gdr2QUL6YWmU1tSFb-ge4LKGpW_oVYZnA8mA@mail.gmail.com \
--to=dor.azouri@safebreach.com \
--cc=28618@debbugs.gnu.org \
--cc=jwiegley@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).