From: Richard Copley
Newsgroups: gmane.emacs.bugs
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Tue, 29 Dec 2015 15:36:12 +0000
References: <87h9jg5ay2.fsf@gmail.com>
To: Eli Zaretskii, Demetri Obenour, 22202@debbugs.gnu.org
> Please provide the necessary details for reproducing this problem and
> verifying the solution. What I'm missing:
>
> > 1. Be logged into the same Windows computer as someone else.
>
> How do you do that? I understand you are describing a situation where
> 2 users are logged into the same Windows system simultaneously using
> the same credentials, is that true? If so, how to create such a
> situation?

I don't think that is possible; however, two /different/ accounts can be
logged in to a computer at the same time, via Remote Desktop or Fast User
Switching. (If the computer is a Remote Desktop server then two users can
be simultaneously interacting with their desktops, in separate sessions.
That's not at all uncommon in a business environment, but I don't think
it's relevant to this question.)

> > 2. Have a process running that is notified whenever a process starts up
> > 3. Have them run `emacs --daemon' or invoke `server-start'.
> > 4. Use the knowledge of the current time and the server's PID to guess
> > the authentication key.
>
> I don't think we use the current time and PID for that, but even if we
> do, how do you get a hold of the time at the moment of the server
> creation to nanosecond resolution? Please tell how to do that.

We use function "random" (see function "server-generate-key"); its seed is
typically set at startup using the current time and PID (see "init_random()"
in sysdep.c), so it's the time Emacs started that you would want to know,
not the time the server started.
You can get the start time (to the nearest second at least) and PID of any user's processes using, e.g., Process Explorer. I'm not sure what resolution timestamp we end up using as the seed. gettime() might return microsecond timestamps in certain configurations. I can't speak for Demetri but it seems to me he's imagining an attacker who is prepared to use a certain amount of brute force. Knowing or guessing the Emacs start time within a few seconds would reduce the search space.
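The following Python model, added here and not taken from Emacs or from this thread, illustrates the point of the report: a server key drawn from a general-purpose PRNG seeded with start time and PID is fully determined by those two values, so an observer who knows them to within a small window faces a seed space of a few tens of bits rather than the hundreds of bits the key length suggests. The seed combination (`start_time_s ^ pid`), the 64-character alphanumeric key and the window sizes are assumptions for the model; Emacs's actual `init_random()` and `server-generate-key` are not reproduced.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed 62-character key alphabet
KEY_LEN = 64                                      # assumed key length


def seed_from_start(start_time_s: int, pid: int) -> int:
    """Model of a time+PID seed (assumption; not Emacs's real init_random())."""
    return start_time_s ^ pid


def weak_key(start_time_s: int, pid: int) -> str:
    """Key from a general-purpose PRNG seeded only with start time and PID.

    Same inputs always give the same key, so the key carries no more
    secrecy than the seed itself.
    """
    rng = random.Random(seed_from_start(start_time_s, pid))
    return "".join(rng.choice(ALPHABET) for _ in range(KEY_LEN))


def strong_key() -> str:
    """Key from the OS CSPRNG; independent of time, PID or any observable state."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))


def seed_space_bits(time_window_s: int, pid_candidates: int) -> float:
    """Upper bound (in bits) on the seeds consistent with an observer's knowledge.

    time_window_s: how precisely the process start time is known, in seconds.
    pid_candidates: how many PID values remain plausible.
    """
    return math.log2(time_window_s * pid_candidates)


def key_space_bits(alphabet_len: int = len(ALPHABET), key_len: int = KEY_LEN) -> float:
    """Nominal entropy of a key of this length if every character were random."""
    return key_len * math.log2(alphabet_len)


if __name__ == "__main__":
    # Constructed sample values: a start time and PID as Process Explorer might show them.
    t, pid = 1451403372, 4620
    print("weak key reproducible:", weak_key(t, pid) == weak_key(t, pid))
    print("seed space, 10 s window x 65536 PIDs: %.1f bits" % seed_space_bits(10, 65536))
    print("nominal key space: %.1f bits" % key_space_bits())
    print("CSPRNG keys differ:", strong_key() != strong_key())
```

The defensive takeaway is the gap between the two figures: the fix is to draw the key from a CSPRNG (or at least seed from OS-provided randomness), not to make the start time harder to observe.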