GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems


Package: emacs

Reported by: Demetri Obenour <demetriobenour <at> gmail.com>

Date: Fri, 18 Dec 2015 10:09:01 UTC

Severity: normal

Tags: security

Found in version 24.5

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Message #8 received at 22202 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Demetri Obenour <demetriobenour <at> gmail.com>
Cc: 22202 <at> debbugs.gnu.org
Subject: Re: bug#22202: 24.5;
 SECURITY ISSUE -- Emacs Server vulnerable to random number generator
 attack on Windows systems
Date: Fri, 18 Dec 2015 12:46:26 +0200
> From: Demetri Obenour <demetriobenour <at> gmail.com>
> Date: Fri, 18 Dec 2015 05:05:09 -0500
> 
> 
> 1. Be logged into the same Windows computer as someone else.
> 2. Have a process running that is notified whenever a process starts up
> 3. Have them run `emacs --daemon' or invoke `server-start'.
> 4. Use the knowledge of the current time and the server's PID to guess
>    the authentication key.
> 5. Connect to the other user's Emacs server.
> 6. Execute arbitrary code with the other user's privileges.

Please provide the necessary details for reproducing this problem and
verifying the solution.  What I'm missing:

> 1. Be logged into the same Windows computer as someone else.

How do you do that?  I understand you are describing a situation where
2 users are logged into the same Windows system simultaneously using
the same credentials, is that true?  If so, how to create such a
situation?

> 2. Have a process running that is notified whenever a process starts up
> 3. Have them run `emacs --daemon' or invoke `server-start'.
> 4. Use the knowledge of the current time and the server's PID to guess
>    the authentication key.

I don't think we use the current time and PID for that, but even if we
do, how do you get a hold of the time at the moment of the server
creation to nanosecond resolution?  Please tell how to do that.

Thanks.




This bug report was last modified 9 years and 179 days ago.


