From: Dor Azouri
Newsgroups: gmane.emacs.bugs
Subject: bug#28618: Emacs Security Issue
Date: Wed, 27 Sep 2017 13:56:46 +0000
To: 28618@debbugs.gnu.org
Resent-CC: bug-gnu-emacs@gnu.org
X-GNU-PR-Message: report 28618
X-GNU-PR-Package: emacs
Xref: news.gmane.org gmane.emacs.bugs:137499

Dear Emacs developers,

I would like to report a possible abuse one can perform on Emacs's extensibility mechanism that may lead to privilege escalation.

In short, a malicious actor who can execute code as one of the sudoers (in non-elevated mode) can edit the init file and add malicious commands to it. Then he needs to wait for that user to invoke the editor in elevated mode, and the plugin that was written before will be loaded with root permissions.

The root cause that enables this abuse is basically incomplete separation between regular and elevated execution modes of the editor (using "sudo"). I can suggest possible solutions to this issue, e.g. applying better permissions to the plugins directories.

Reproduction steps:
===================
1) Add the following ELisp line of code to the init file. It will be loaded on startup and execute the command "touch /stub.file" when "~/.emacs.d/" is the working directory.

        (let ((default-directory "~/.emacs.d/")) (shell-command "touch /stub.file"))

2) Wait for the user to invoke Emacs in elevated mode. The owner of the newly created stub file is root.
* This simple command is just for demonstration; of course much more complicated intentions can be achieved once Emacs is invoked with sudo.

I will be happy to provide more information as needed,
Dor Azouri
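The report's suggested mitigation is tighter permissions on the files Emacs loads at startup. The following audit helper is an added example, not part of the bug report and not Emacs or sudo code: it lists the init files under a given home directory that a user other than a trusted uid could have edited, which is exactly the precondition the report abuses. It assumes the classic Emacs init-file locations (~/.emacs, ~/.emacs.el, ~/.emacs.d/init.el; the ~/.config/emacs/init.el location is only consulted by newer releases and is included as an assumption), and it makes no claim about whether a given sudoers configuration preserves the invoking user's HOME when running "sudo emacs"; the caller passes the HOME that root would actually see. The sample home directory built by make_sample_home is constructed for the demonstration and contains the report's one-line payload as text only; nothing in it is executed.

```shell
#!/bin/sh
# Added audit helper (not from the bug report): find Emacs init files under a
# home directory that an untrusted user could have modified.
#
# Assumptions (not stated in the report):
#   * Emacs resolves "~" via $HOME and looks for ~/.emacs, ~/.emacs.el and
#     ~/.emacs.d/init.el; ~/.config/emacs/init.el is an assumed extra
#     location used by newer releases.
#   * Whether "sudo emacs" keeps the invoking user's HOME depends on the
#     sudoers configuration, so the caller passes the HOME root will get.
#   * Owner and mode are read with "ls -ln" (POSIX), avoiding the GNU/BSD
#     "stat" flag differences.

# Print the init-file candidates that exist under the home directory $1.
emacs_init_candidates() {
    home=$1
    for f in "$home/.emacs" "$home/.emacs.el" "$home/.emacs.d/init.el" \
             "$home/.config/emacs/init.el"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print each existing init file under HOME ($1) that is either not owned by
# the trusted uid ($2, default 0 = root) or is group- or world-writable.
# Any such file can be edited by an unprivileged user and will be loaded
# with root permissions when Emacs is started through sudo with that HOME.
untrusted_init_files() {
    home=$1
    trusted_uid=${2:-0}
    emacs_init_candidates "$home" | while IFS= read -r f; do
        line=$(ls -ln "$f")
        mode=$(printf '%s\n' "$line" | cut -c1-10)   # e.g. -rw-r--r--
        owner=$(printf '%s\n' "$line" | awk '{print $3}')  # numeric uid
        gw=$(printf '%s\n' "$mode" | cut -c6)        # group write bit
        ow=$(printf '%s\n' "$mode" | cut -c9)        # other write bit
        if [ "$owner" != "$trusted_uid" ] || [ "$gw" = w ] || [ "$ow" = w ]; then
            printf '%s owner=%s mode=%s\n' "$f" "$owner" "$mode"
        fi
    done
}

# Number of flagged init files; 0 means nothing an untrusted user can reach.
untrusted_init_count() {
    untrusted_init_files "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample input: a throwaway home directory whose init.el holds
# the report's one-line payload as plain text. It is only inspected, never
# loaded by Emacs. Prints the directory path.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/.emacs.d"
    printf '%s\n' '(let ((default-directory "~/.emacs.d/")) (shell-command "touch /stub.file"))' \
        > "$d/.emacs.d/init.el"
    chmod 644 "$d/.emacs.d/init.el"
    printf '%s\n' "$d"
}
```

To audit a real account, run `untrusted_init_files /home/alice` (trusted uid 0): a mode-644 init.el owned by alice is reported, because root would load a file alice controls. The same file is not reported when alice herself is the trusted uid, and a world-writable init file is reported regardless of owner.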