[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#30912: emacs as a route to privilege escalation
From: |
Lars Ingebrigtsen |
Subject: |
bug#30912: emacs as a route to privilege escalation |
Date: |
Fri, 23 Mar 2018 00:57:49 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) |
"Nelson H. F. Beebe" <beebe@math.utah.edu> writes:
> The SANS security list today carried a pointer to this Web site:
>
> Abusing Text Editors with Third-party Plugins
> March 15, 2018
> Dor Azouri
>
> https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins
>
> It links to an 11-page report of the same title at
>
> https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf
>
> Do emacs developers wish to respond to the security attacks described
> there?
To save people time, I've included the Emacs-relevant bits below.
It seems to be pure nonsense. You can't edit root's ~/.emacs without
root privilege.
----
Emacs executes its init file when it loads, and that’s where a user can add key
bindings, define functions, and call external
commands. It contains personal EmacsLisp code that will be executed when Emacs
starts. This file is located in one of the
following locations:
•
For GnuEmacs, it is ~/.emacs or _emacs or ~/.emacs.d/init.el.
•
For XEmacs, it is ~/.xemacs or ~/.xemacs/init.el.
•
For AquamacsEmacs, it is ~/.emacs or ~/Library/Preferences/Aquamacs
Emacs/Preferences.el
All you have to do is add this ELisp line of code to the
init file
. It will execute the command “touch /stub.file”, when “~/
emacs.d/” is the working directory.
(let ((
default-directory
"~/.emacs.d/")) (shell-command "
touch /stub.file
"))
And the privilege escalation objective is possible here as well, because
surprisingly, this init file can be edited without root
permissions.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no