Rich Freeman on 15 Mar 2018 07:14:03 -0700



Re: [PLUG] text editor priv escalation


On Thu, Mar 15, 2018 at 9:53 AM, jeff <jeffv@op.net> wrote:
> https://www.securityweek.com/hackers-can-abuse-text-editors-privilege-escalation
>
> For an attack to work, the attacker needs to somehow hijack a legitimate
> user account that has regular privileges, which can be achieved through
> phishing, social engineering and other methods. In the case of a malicious
> insider, the vulnerability found by SafeBreach can be useful for executing
> code with elevated privileges if their permissions have been restricted by
> the system administrator to certain files and commands.
>

This doesn't seem particularly new or exciting.

The issue here in general is that commands like sudo result in a mixed
environment.  Just run "sudo env" to see - $HOME is left untouched, at
least for me.  Well, if you're using software with sudo that looks at
$HOME and does stuff based on files in there, then the contents of
these files could influence code run as root.  That includes things
like editor plugins.

IMO the cleanest solution in a production environment is more
separation of roles.  Don't use the same UID to browse the web and run
sudo.

On a desktop this is harder to control.

Another solution that comes to mind is to use "sudo -i" which should
eliminate the mixed environment and be more like a root login shell.

And of course not using sudo at all is another solution.

If somebody wanted to fix something I think it would make more sense
to change the behavior of sudo than to try to identify every program
that uses $HOME and consider what happens if it is run under sudo.  If
you eliminated the mixed environment I think that would eliminate this
attack.  Of course, it does mean that when you run sudo vim that the
editor preferences would be root's and not your own.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
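
Added example, not part of the original message: a small shell check for the mixed environment described above, which reads an environment dump (such as saved "sudo env" output) and reports whether a root process still references the invoking user's home. It goes slightly beyond $HOME by also flagging colon-separated entries such as PATH; the function names, the sample dumps and /home/alice are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an environment dump read from stdin.

# Print the names of variables whose value is, or holds as a
# colon-separated entry, a path at or below the invoking user's home.
vars_in_invoker_home() {
    invoker_home=${1%/}
    [ -n "$invoker_home" ] || return 2
    while IFS='=' read -r key value; do
        case ":$value:" in
            *":$invoker_home:"* | *":$invoker_home/"*) printf '%s\n' "$key" ;;
        esac
    done
}

# Print "mixed" when the dump shows a root process, started through sudo
# by a non-root user, that still references that user's home; "clean"
# otherwise; "unknown" when USER or the home argument is missing.
check_sudo_env() {
    dump=$(cat)
    user=$(printf '%s\n' "$dump" | sed -n 's/^USER=//p')
    sudo_user=$(printf '%s\n' "$dump" | sed -n 's/^SUDO_USER=//p')
    [ -n "$user" ] && [ -n "$1" ] || { echo unknown; return; }
    leaked=$(printf '%s\n' "$dump" | vars_in_invoker_home "$1")
    if [ "$user" = root ] && [ "$sudo_user" != root ] && [ -n "$leaked" ]; then
        echo mixed
    else
        echo clean
    fi
}

# Constructed samples (not real captures): one with HOME preserved,
# one that looks like a root login environment.
SAMPLE_MIXED='USER=root
LOGNAME=root
HOME=/home/alice
SUDO_USER=alice
PATH=/usr/sbin:/usr/bin:/home/alice/bin'
SAMPLE_LOGIN='USER=root
LOGNAME=root
HOME=/root
SUDO_USER=alice
PATH=/usr/sbin:/usr/bin:/sbin:/bin'

printf '%s\n' "$SAMPLE_MIXED" | check_sudo_env /home/alice
printf '%s\n' "$SAMPLE_LOGIN" | check_sudo_env /home/alice
```

To test a real configuration, pipe live output into it: sudo env | check_sudo_env "$HOME"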