Privilege escalation on Unix machines via plugins for text editors
Several of the most popular extensible text editors for Unix environments could be misused by attackers to escalate privileges on targeted systems, SafeBreach researchers have found.
They tested Sublime, Vim, Emacs, Gedit, Pico and its clone Nano on machines running Ubuntu, and have managed to exploit the process of loading plugins to achieve privilege escalation with all except the last two.
What seems to be the problem?
These text editors achieve extensibility through third-party plugins, written either by the user or by another developer who has made the extension publicly available.
“What we found about most of the applications that we examined is that when it comes to loading plugins, their separation of the two modes – regular and elevated – is not complete. Their folder permissions integrity is not kept well and that opens the door for an attacker with regular user permissions to get elevated execution of arbitrary code,” SafeBreach security researcher Dor Azouri noted.
“Imagine a starting point where an attacker has the ability to run code, not elevated. The user that he runs under is a sudoer (Linux), but running without elevated status. All he or she has to do is write a malicious plugin to the user folder of the editor that’s in use, and wait for the editor to be invoked in elevated status, where the user will enter his root password. Depending on the user profile, the attacker might only need to wait for hours. In some cases he may wait forever, but there are plenty of situations that require users to open files using sudo.”
He detailed their successful attacks in this paper, and explained that they did not work on Pico and Nano because they offer a very limited extensibility ground.
Proposed solutions
The researchers notified the Sublime, Vim, Emacs and Gedit developers of their findings, but do not say whether the developers plan to address the issue.
The researchers’ advice to them is to change the folder and file permission models so that the regular and elevated modes are fully separated, and to either prevent the loading of third-party plugins altogether when the editor runs in elevated mode, or to provide a manual interface for approving the elevated loading of plugins.
In the meantime, sysadmins can deny write permissions for non-elevated users on the endpoints (by taking root ownership of the relevant plugin folders), or allow users to run sudoedit, a built-in command that lets them securely edit (a temporary copy of) files as themselves rather than as root.
The researchers also provided a set of rules admins can add to the OSSEC syscheck configuration in order to monitor modifications to the files and folders mentioned in the paper.
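The root-ownership mitigation described above can be audited and applied with a short script; this is an added example and not code from the article or the SafeBreach paper. The plugin directory names and the use of GNU find are assumptions; substitute the paths listed in the paper for your environment.

```shell
#!/bin/sh
# Added example (not from the article or the paper): audit per-user editor
# plugin directories for anything a non-root user can write that an editor
# run under sudo would later load as root. Assumes GNU find (Linux).

# Assumed default plugin locations for one home directory; not taken from
# the article, so adjust to the editors and paths in use on your systems.
plugin_dirs_for_home() {
    h=$1
    printf '%s\n' \
        "$h/.vim" \
        "$h/.emacs.d" \
        "$h/.config/sublime-text-3/Packages" \
        "$h/.local/share/gedit/plugins"
}

# Returns 0 when every entry below DIR is root-owned with no group/other
# write bit (the "root ownership on plugin folders" mitigation is in place),
# otherwise lists the offending entries on stderr and returns 1. A missing
# DIR counts as safe: there is nothing for an elevated editor to load.
audit_plugin_dir() {
    dir=$1
    [ -e "$dir" ] || return 0
    bad=$(find "$dir" \( ! -user root -o -perm /022 \) -print 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf 'writable by a non-root user, loaded by elevated editor: %s\n' "$dir" >&2
    printf '%s\n' "$bad" | sed 's/^/  /' >&2
    return 1
}

# The article's first sysadmin option: take root ownership of DIR and strip
# group/other write permissions. Must itself be run as root.
harden_plugin_dir() {
    dir=$1
    [ -e "$dir" ] || return 0
    chown -R root:root "$dir" && chmod -R go-w "$dir"
}

# Audit every candidate directory under every home in /home; returns 1 if
# any of them would let a non-root user plant a plugin.
audit_all_homes() {
    rc=0
    for h in /home/*; do
        [ -d "$h" ] || continue
        for d in $(plugin_dirs_for_home "$h"); do
            audit_plugin_dir "$d" || rc=1
        done
    done
    return $rc
}

if [ "${1-}" = "--run" ]; then audit_all_homes; fi
```

Run with `--run` to audit all home directories; call `harden_plugin_dir` as root on each flagged path to apply the fix.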