* CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
From: Eshel Yaron @ 2024-11-27 7:02 UTC (permalink / raw)
To: emacs-devel; +Cc: Stefan Monnier, Stefan Kangas, Andrea Corallo, Eli Zaretskii
Hi all,
I've just published an advisory regarding an arbitrary code execution
vulnerability in Emacs, which has been assigned CVE-2024-53920:
https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
The vulnerability itself is not new and it has been brought up in the
past (as I learned from Stefan K. after reporting this issue privately),
but no CVE has been assigned previously. I tried to spell out the issue
in clear and simple terms in this advisory, if someone spots a mistake
or something that deserves further clarification, please let me know.
Best regards and safe hacking,
Eshel
* Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
From: Daniel Radetsky @ 2024-11-27 7:57 UTC (permalink / raw)
To: Eshel Yaron
Cc: emacs-devel, Stefan Monnier, Stefan Kangas, Andrea Corallo, Eli Zaretskii
On Wed, Nov 27, 2024 at 08:02:35AM +0100, Eshel Yaron wrote:
> Hi all,
>
> I've just published an advisory regarding an arbitrary code execution
> vulnerability in Emacs, which has been assigned CVE-2024-53920:
>
> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
Slight correction: you wrote:
> In some Emacs “distributions”, such as the popular Doom
> Emacs and Prelude, either Flymake or Flycheck are enabled
> by default in ELisp mode.
This is not true of Doom, which I use. I had to modify my
init form (which is the same as the current default in this
respect) from
:checkers
syntax ; tasing you for every semicolon you forget
to
:checkers
(syntax +flymake) ; tasing you for every semicolon you forget
in order to get your rx poc to create /tmp/owned simply by
visiting the file. This is the only doom module which can
activate flymake.
Is the same true of flycheck? It's harder to tell, but I
think the answer is also no. In any case, while I didn't
intentionally test this on the literal default
configuration, I also never explicitly disabled flycheck and
it isn't running and I had to make the above-mentioned
change to get your poc to work.
--dmr
* Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
From: Eshel Yaron @ 2024-11-27 8:40 UTC (permalink / raw)
To: Daniel Radetsky
Cc: emacs-devel, Stefan Monnier, Stefan Kangas, Andrea Corallo, Eli Zaretskii
Hi Daniel,
Daniel Radetsky <dradetsky@gmail.com> writes:
> On Wed, Nov 27, 2024 at 08:02:35AM +0100, Eshel Yaron wrote:
>> Hi all,
>>
>> I've just published an advisory regarding an arbitrary code execution
>> vulnerability in Emacs, which has been assigned CVE-2024-53920:
>>
>> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
>
> Slight correction: you wrote:
>
>> In some Emacs “distributions”, such as the popular Doom
>> Emacs and Prelude, either Flymake or Flycheck are enabled
>> by default in ELisp mode.
>
> This is not true of Doom, which I use. I had to modify my
> init form (which is the same as the current default in this
> respect) from
>
> :checkers
> syntax ; tasing you for every semicolon you forget
>
> to
>
> :checkers
> (syntax +flymake) ; tasing you for every semicolon you forget
>
> in order to get your rx poc to create /tmp/owned simply by
> visiting the file. This is the only doom module which can
> activate flymake.
>
> Is the same true of flycheck? It's harder to tell, but I
> think the answer is also no. In any case, while I didn't
> intentionally test this on the literal default
> configuration, I also never explicitly disabled flycheck and
> it isn't running and I had to make the above-mentioned
> change to get your poc to work.
Thanks for the heads up. I have little experience with Doom, but here
with the default Doom configuration I see that Flycheck is enabled and
the POC works, so maybe it does have something to do with your config?
If you or someone else can confirm that Doom is not vulnerable by
default I'll gladly amend the text accordingly (and try to figure out
why here it does reproduce).
Cheers,
Eshel
* Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
From: Daniel Radetsky @ 2024-11-27 9:46 UTC (permalink / raw)
To: Eshel Yaron
Cc: emacs-devel, Stefan Monnier, Stefan Kangas, Andrea Corallo, Eli Zaretskii
On Wed, Nov 27, 2024 at 09:40:30AM +0100, Eshel Yaron wrote:
> Thanks for the heads up. I have little experience with Doom, but here
> with the default Doom configuration I see that Flycheck is enabled and
> the POC works, so maybe it does have something to do with your config?
Actually, it probably does. In order to solve an unrelated
issue with (IIRC) LSP, I added
(remove-hook 'doom-first-buffer-hook #'global-flycheck-mode)
and then forgot about it completely (I'm very much a
turn-on-checks-when-I-want-them-checked kind of developer).
So I could test it, but I think you're probably just
correct.
--dmr
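The two replies above turn on the same point: the PoC only fires when a checker that byte-compiles (and therefore macroexpands) the visited buffer is active, whether via Doom's `(syntax +flymake)` flag or a global Flycheck hook. For a plain Emacs setup, the following is one way to keep checkdoc-style diagnostics while dropping the byte-compiling backends, plus a small audit function that reports whether the current buffer still has one active. This is an added example, not code from the advisory or from anyone in this thread; `elisp-flymake-byte-compile`, `flymake-diagnostic-functions` and `flycheck-disabled-checkers` are stock Emacs/Flycheck names, everything prefixed `my/` is mine.

```elisp
;; Added example (not from the advisory or the thread). Assumes stock
;; Emacs Flymake backends from elisp-mode.el and, if installed, Flycheck.
(require 'seq)

(defconst my/macroexpanding-flymake-backends '(elisp-flymake-byte-compile)
  "Flymake backends that byte-compile, and so macroexpand, the buffer.
`elisp-flymake-checkdoc' is left alone: it reads forms but does not expand them.")

(defun my/elisp-flymake-drop-byte-compile ()
  "Remove the byte-compiling Flymake backend from the current buffer.
Runs from `emacs-lisp-mode-hook', i.e. after the mode body has added the
backends, so the buffer-local removal takes effect."
  (dolist (fn my/macroexpanding-flymake-backends)
    (remove-hook 'flymake-diagnostic-functions fn t)))

(add-hook 'emacs-lisp-mode-hook #'my/elisp-flymake-drop-byte-compile)

;; Flycheck's `emacs-lisp' checker byte-compiles the buffer in a child
;; Emacs; `emacs-lisp-checkdoc' does not, so only the former is disabled.
(with-eval-after-load 'flycheck
  (add-to-list 'flycheck-disabled-checkers 'emacs-lisp))

(defun my/elisp-buffer-macroexpanding-checkers ()
  "Return the checkers active in this buffer that would macroexpand it.
A nil result means visiting an untrusted .el file will not trigger
macroexpansion through Flymake or Flycheck; call it with M-: in a buffer
you opened from an unknown source to audit your own configuration."
  (append
   (seq-filter (lambda (fn) (memq fn flymake-diagnostic-functions))
               my/macroexpanding-flymake-backends)
   (when (and (bound-and-true-p flycheck-mode)
              (fboundp 'flycheck-may-use-checker)
              (flycheck-may-use-checker 'emacs-lisp))
     '(emacs-lisp))))
```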