unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
* bug#30912: emacs as a route to privilege escalation
@ 2018-03-22 23:41 Nelson H. F. Beebe
  2018-03-22 23:57 ` Lars Ingebrigtsen
  2018-03-23  0:05 ` Noam Postavsky
  0 siblings, 2 replies; 4+ messages in thread
From: Nelson H. F. Beebe @ 2018-03-22 23:41 UTC (permalink / raw)
  To: 30912; +Cc: beebe

The SANS security list today carried a pointer to this Web site:

	Abusing Text Editors with Third-party Plugins
	March 15, 2018
	Dor Azouri 
	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins

It links to an 11-page report of the same title at

	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf

Do emacs developers wish to respond to the security attacks described
there?

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe@math.utah.edu  -
- 155 S 1400 E RM 233                       beebe@acm.org  beebe@computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------





^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#30912: emacs as a route to privilege escalation
  2018-03-22 23:41 bug#30912: emacs as a route to privilege escalation Nelson H. F. Beebe
@ 2018-03-22 23:57 ` Lars Ingebrigtsen
  2018-03-24 18:15   ` Richard Stallman
  2018-03-23  0:05 ` Noam Postavsky
  1 sibling, 1 reply; 4+ messages in thread
From: Lars Ingebrigtsen @ 2018-03-22 23:57 UTC (permalink / raw)
  To: Nelson H. F. Beebe; +Cc: 30912

"Nelson H. F. Beebe" <beebe@math.utah.edu> writes:

> The SANS security list today carried a pointer to this Web site:
>
> 	Abusing Text Editors with Third-party Plugins
> 	March 15, 2018
> 	Dor Azouri 
> 	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins
>
> It links to an 11-page report of the same title at
>
> 	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf
>
> Do emacs developers wish to respond to the security attacks described
> there?

To save people time, I've included the Emacs-relevant bits below.

It seems to be pure nonsense.  You can't edit root's ~/.emacs without
root privilege.

----

Emacs executes its init file when it loads, and that’s where a user can add key bindings, define functions, and call external
commands. It contains personal EmacsLisp code that will be executed when Emacs starts. This file is located in one of the
following locations:
•
For GnuEmacs, it is ~/.emacs or _emacs or ~/.emacs.d/init.el.
•
For XEmacs, it is ~/.xemacs or ~/.xemacs/init.el.
•
For AquamacsEmacs, it is ~/.emacs or ~/Library/Preferences/Aquamacs Emacs/Preferences.el
All you have to do is add this ELisp line of code to the 
init file
. It will execute the command “touch /stub.file”, when “~/
emacs.d/” is the working directory.
 (let ((
default-directory
 "~/.emacs.d/")) (shell-command "
touch /stub.file
"))
And the privilege escalation objective is possible here as well, because surprisingly, this init file can be edited without root 
permissions.


-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#30912: emacs as a route to privilege escalation
  2018-03-22 23:41 bug#30912: emacs as a route to privilege escalation Nelson H. F. Beebe
  2018-03-22 23:57 ` Lars Ingebrigtsen
@ 2018-03-23  0:05 ` Noam Postavsky
  1 sibling, 0 replies; 4+ messages in thread
From: Noam Postavsky @ 2018-03-23  0:05 UTC (permalink / raw)
  To: Nelson H. F. Beebe; +Cc: 30912

forcemerge 28618 30912
quit

"Nelson H. F. Beebe" <beebe@math.utah.edu> writes:

> The SANS security list today carried a pointer to this Web site:
>
> 	Abusing Text Editors with Third-party Plugins
> 	March 15, 2018
> 	Dor Azouri 
> 	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins
>
> It links to an 11-page report of the same title at
>
> 	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf
>
> Do emacs developers wish to respond to the security attacks described
> there?

Dor already brought this up in Bug#28618.  As Glenn said:

    If an attacker has [compromised] a user account that can run "sudo arbitrary
    command", then that's just the same as having compromised the root
    account, and so worrying about this on the individual application level
    doesn't seem to make sense. Eg they could replace "sudo" with a keylogger.

Note that the problem could be "fixed" by setting

    Defaults always_set_home

in /etc/sudoers (Debian has this setting by default), but that won't
help with the sudo-is-a-key-logger problem.





^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#30912: emacs as a route to privilege escalation
  2018-03-22 23:57 ` Lars Ingebrigtsen
@ 2018-03-24 18:15   ` Richard Stallman
  0 siblings, 0 replies; 4+ messages in thread
From: Richard Stallman @ 2018-03-24 18:15 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 30912, beebe

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > It seems to be pure nonsense.  You can't edit root's ~/.emacs without
  > root privilege.

In principle, that should be the case, but sometimes it isn't.

Basically, it is true if the kernel has no bugs.
However, the kernel often does have a bug which can 
be used for "privilege escalation."  When such an exploit
is available, problems in user programs can be used to take
control of the computer.

But this does not require a add-on.  Bugs in programs that
display files obtained over the web, even files that are not
supposed to contain code at all, can be used to do this.

It is a real problem.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.






^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-03-24 18:15 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-22 23:41 bug#30912: emacs as a route to privilege escalation Nelson H. F. Beebe
2018-03-22 23:57 ` Lars Ingebrigtsen
2018-03-24 18:15   ` Richard Stallman
2018-03-23  0:05 ` Noam Postavsky

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).