Rich Freeman on 15 Mar 2018 07:14:03 -0700
Re: [PLUG] text editor priv escalation
On Thu, Mar 15, 2018 at 9:53 AM, jeff <jeffv@op.net> wrote:
> https://www.securityweek.com/hackers-can-abuse-text-editors-privilege-escalation
>
> For an attack to work, the attacker needs to somehow hijack a legitimate
> user account that has regular privileges, which can be achieved through
> phishing, social engineering and other methods. In the case of a malicious
> insider, the vulnerability found by SafeBreach can be useful for executing
> code with elevated privileges if their permissions have been restricted by
> the system administrator to certain files and commands.
>

This doesn't seem particularly new or exciting.

The issue here in general is that commands like sudo result in a mixed
environment. Just run "sudo env" to see - $HOME is left untouched, at
least for me.

Well, if you're using software with sudo that looks at $HOME and does
stuff based on files in there, then the contents of these files could
influence code run as root. That includes things like editor plugins.

IMO the cleanest solution in a production environment is more separation
of roles. Don't use the same UID to browse the web and run sudo. On a
desktop this is harder to control.

Another solution that comes to mind is to use "sudo -i" which should
eliminate the mixed environment and be more like a root login shell.

And of course not using sudo at all is another solution.

If somebody wanted to fix something I think it would make more sense to
change the behavior of sudo than to try to identify every program that
uses $HOME and consider what happens if it is run under sudo. If you
eliminated the mixed environment I think that would eliminate this
attack. Of course, it does mean that when you run sudo vim that the
editor preferences would be root's and not your own.
--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
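A small check for the mixed environment Rich describes, added here as an example; it is not code from the list post, from SafeBreach, or from the sudo project. It parses an `env` dump taken under sudo and reports whether HOME still names the invoking user's directory rather than the target user's. The two env dumps in the script are constructed, not captured; the `--live` mode runs the real `sudo env`, `sudo -H env` and `sudo -i env` on the local host and assumes Linux with `getent`.

```shell
#!/bin/sh
# Added example, not part of the original post. Detects the "mixed
# environment" under sudo: euid is root, but HOME still points at the
# invoking user's home, so root-privileged programs (editors, their
# plugins, anything reading ~/.*rc) take input from that user's files.

# env_home ENVDUMP -> prints the value of HOME from an `env` dump, if any
env_home() {
    printf '%s\n' "$1" | sed -n 's/^HOME=//p' | head -n 1
}

# home_is_mixed ENVDUMP TARGET_HOME
#   ENVDUMP      output of `env` run under sudo, one NAME=value per line
#   TARGET_HOME  home directory of the user sudo switched to (e.g. /root)
# Exit status: 0 if HOME is set and differs from TARGET_HOME (mixed),
#              1 if HOME equals TARGET_HOME (clean), 2 if HOME is unset.
home_is_mixed() {
    home=$(env_home "$1")
    [ -n "$home" ] || return 2
    [ "$home" != "$2" ]
}

# sudo_verdict ENVDUMP TARGET_HOME -> prints a one-line human verdict
sudo_verdict() {
    rc=0
    home_is_mixed "$1" "$2" || rc=$?
    case $rc in
        0) printf 'MIXED: HOME=%s while running as the user whose home is %s\n' \
               "$(env_home "$1")" "$2" ;;
        2) printf 'HOME unset\n' ;;
        *) printf 'clean: HOME=%s\n' "$2" ;;
    esac
}

# Constructed dump of `sudo env` on a host that keeps the caller's HOME:
# identity is root, but HOME is alice's, so "sudo vim" loads alice's
# ~/.vimrc and plugins as root.
SAMPLE_SUDO='USER=root
LOGNAME=root
HOME=/home/alice
SUDO_USER=alice
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# Constructed dump of `sudo -i env` (or `sudo -H env`): HOME is root's.
SAMPLE_SUDO_I='USER=root
LOGNAME=root
HOME=/root
SUDO_USER=alice
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

if [ "${1-}" = "--live" ]; then
    # Live check against the local sudo; will prompt for your password.
    # Assumes Linux (getent) and that sudo targets root.
    root_home=$(getent passwd root | cut -d: -f6)
    echo "sudo env:    $(sudo_verdict "$(sudo env)" "$root_home")"
    echo "sudo -H env: $(sudo_verdict "$(sudo -H env)" "$root_home")"
    echo "sudo -i env: $(sudo_verdict "$(sudo -i env)" "$root_home")"
else
    echo "sample sudo:    $(sudo_verdict "$SAMPLE_SUDO" /root)"
    echo "sample sudo -i: $(sudo_verdict "$SAMPLE_SUDO_I" /root)"
fi
```

Run it as `sh check-sudo-home.sh --live` on a host you administer. If the plain `sudo env` line comes back MIXED, the host-wide fix is `Defaults always_set_home` in sudoers (edited with visudo), which makes sudo set HOME to the target user's home on every invocation; `sudo -H` does the same for a single command and `sudo -i` gives the root login shell Rich mentions. Re-run the live check afterwards to confirm that all three lines report clean, and expect root's own editor configuration rather than yours from then on.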