GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

Package: emacs;

Reported by: Demetri Obenour <demetriobenour <at> gmail.com>

Date: Fri, 18 Dec 2015 10:09:01 UTC

Severity: normal

Tags: security

Found in version 24.5

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.


Message #26 received at 22202 <at> debbugs.gnu.org (full text, mbox):

From: David Engster <deng <at> randomsample.de>
To: Richard Copley <rcopley <at> gmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 22202 <at> debbugs.gnu.org,
 Demetri Obenour <demetriobenour <at> gmail.com>
Subject: Re: bug#22202: 24.5;
 SECURITY ISSUE -- Emacs Server vulnerable to random number generator
 attack on Windows systems
Date: Tue, 29 Dec 2015 23:02:55 +0100

Richard Copley writes:
>>> [...]
>>
>> That's correct (it requires a Windows Server with enabled terminal
>> services), but each user session has of course its own process space, so
>> I don't see how the described attack could work there.
>
> Not sure what you mean by process space. As an unprivileged user
> you can find other users' Emacs processes without any effort (using
> tasklist.exe, for example). If you know on what port an Emacs server
> is listening (which is admittedly a difficulty), you can send bytes to it.
> I've just done so as an experiment. (I was driving both sessions so I
> knew the server port.)

You logged in with two different user accounts? I always thought
sessions from different users were better isolated from one another and
more similar to Linux containers. If that is not the case, then I agree
the attack scenario looks feasible.

-David




This bug report was last modified 9 years and 178 days ago.
