GNU bug report logs - #30912
[bug-gnu-emacs] emacs as a route to privilege escalation

Previous Next

Package: emacs;

Reported by: "Nelson H. F. Beebe" <beebe <at> math.utah.edu>

Date: Thu, 22 Mar 2018 23:42:01 UTC

Severity: normal

Tags: notabug, security, wontfix

Merged with 28618

Done: Noam Postavsky <npostavs <at> gmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 30912 in the body.
You can then email your comments to 30912 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#30912; Package emacs. (Thu, 22 Mar 2018 23:42:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to "Nelson H. F. Beebe" <beebe <at> math.utah.edu>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Thu, 22 Mar 2018 23:42:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "Nelson H. F. Beebe" <beebe <at> math.utah.edu>
To: bug-gnu-emacs <at> gnu.org
Cc: beebe <at> math.utah.edu
Subject: [bug-gnu-emacs] emacs as a route to privilege escalation
Date: Thu, 22 Mar 2018 17:41:22 -0600

The SANS security list today carried a pointer to this Web site:

	Abusing Text Editors with Third-party Plugins
	March 15, 2018
	Dor Azouri 
	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins

It links to an 11-page report of the same title at

	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf

Do emacs developers wish to respond to the security attacks described
there?

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe <at> math.utah.edu  -
- 155 S 1400 E RM 233                       beebe <at> acm.org  beebe <at> computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#30912; Package emacs. (Thu, 22 Mar 2018 23:58:02 GMT) Full text and rfc822 format available.

Message #8 received at 30912 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: "Nelson H. F. Beebe" <beebe <at> math.utah.edu>
Cc: 30912 <at> debbugs.gnu.org
Subject: Re: bug#30912: emacs as a route to privilege escalation
Date: Fri, 23 Mar 2018 00:57:49 +0100

"Nelson H. F. Beebe" <beebe <at> math.utah.edu> writes:

> The SANS security list today carried a pointer to this Web site:
>
> 	Abusing Text Editors with Third-party Plugins
> 	March 15, 2018
> 	Dor Azouri 
> 	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins
>
> It links to an 11-page report of the same title at
>
> 	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf
>
> Do emacs developers wish to respond to the security attacks described
> there?

To save people time, I've included the Emacs-relevant bits below.

It seems to be pure nonsense.  You can't edit root's ~/.emacs without
root privilege.

----

Emacs executes its init file when it loads, and that’s where a user can add key bindings, define functions, and call external
commands. It contains personal EmacsLisp code that will be executed when Emacs starts. This file is located in one of the
following locations:
•
For GnuEmacs, it is ~/.emacs or _emacs or ~/.emacs.d/init.el.
•
For XEmacs, it is ~/.xemacs or ~/.xemacs/init.el.
•
For AquamacsEmacs, it is ~/.emacs or ~/Library/Preferences/Aquamacs Emacs/Preferences.el
All you have to do is add this ELisp line of code to the 
init file
. It will execute the command “touch /stub.file”, when “~/
emacs.d/” is the working directory.
 (let ((
default-directory
 "~/.emacs.d/")) (shell-command "
touch /stub.file
"))
And the privilege escalation objective is possible here as well, because surprisingly, this init file can be edited without root 
permissions.


-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#30912; Package emacs. (Fri, 23 Mar 2018 00:06:01 GMT) Full text and rfc822 format available.

Message #11 received at 30912 <at> debbugs.gnu.org (full text, mbox):

From: Noam Postavsky <npostavs <at> gmail.com>
To: "Nelson H. F. Beebe" <beebe <at> math.utah.edu>
Cc: 30912 <at> debbugs.gnu.org
Subject: Re: bug#30912: [bug-gnu-emacs] emacs as a route to privilege
 escalation
Date: Thu, 22 Mar 2018 20:05:01 -0400

forcemerge 28618 30912
quit

"Nelson H. F. Beebe" <beebe <at> math.utah.edu> writes:

> The SANS security list today carried a pointer to this Web site:
>
> 	Abusing Text Editors with Third-party Plugins
> 	March 15, 2018
> 	Dor Azouri 
> 	https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins
>
> It links to an 11-page report of the same title at
>
> 	https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf
>
> Do emacs developers wish to respond to the security attacks described
> there?

Dor already brought this up in Bug#28618.  As Glenn said:

    If an attacker has [compromised] a user account that can run "sudo arbitrary
    command", then that's just the same as having compromised the root
    account, and so worrying about this on the individual application level
    doesn't seem to make sense. Eg they could replace "sudo" with a keylogger.

Note that the problem could be "fixed" by setting

    Defaults always_set_home

in /etc/sudoers (Debian has this setting by default), but that won't
help with the sudo-is-a-key-logger problem.
Forcibly Merged 28618 30912. Request was from Noam Postavsky <npostavs <at> gmail.com> to control <at> debbugs.gnu.org. (Fri, 23 Mar 2018 00:06:02 GMT) Full text and rfc822 format available.
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#30912; Package emacs. (Sat, 24 Mar 2018 18:25:02 GMT) Full text and rfc822 format available.

Message #16 received at 30912 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 30912 <at> debbugs.gnu.org, beebe <at> math.utah.edu
Subject: Re: bug#30912: emacs as a route to privilege escalation
Date: Sat, 24 Mar 2018 14:15:28 -0400

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > It seems to be pure nonsense.  You can't edit root's ~/.emacs without
  > root privilege.

In principle, that should be the case, but sometimes it isn't.

Basically, it is true if the kernel has no bugs.
However, the kernel often does have a bug which can 
be used for "privilege escalation."  When such an exploit
is available, problems in user programs can be used to take
control of the computer.

But this does not require a add-on.  Bugs in programs that
display files obtained over the web, even files that are not
supposed to contain code at all, can be used to do this.

It is a real problem.

-- 
Dr Richard Stallman
President, Free Software Foundation (https://gnu.org, https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
Skype: No way! See https://stallman.org/skype.html.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 22 Apr 2018 11:24:05 GMT) Full text and rfc822 format available.
This bug report was last modified 7 years and 56 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.