In addition to our efforts to analyze attacks and hacker techniques, SafeBreach Labs also performs independent research on unique attacks.
In our latest research, we explore how advanced text editors with third-party extensibility mechanisms can be abused for privilege escalation.
Trusted execution paths have been abused for privilege escalation before: badly configured cron jobs can be abused to gain root, misconfigured SUID executables allow privileged execution, and third-party plugins have carried malicious code (planted intentionally or not) that ran with whatever privileges the host application had.
In our research, we took a look at advanced editors with extensibility. Advanced editors give you more features and ease of use, and, most importantly for our scope, they offer extensibility. Extensibility in this case means running third-party bits of code. That third party may be yourself, or a developer who made their extension public (in a web store, a git repo, and so on).
We examined several popular editors for Unix environments. Our research shows how these editors' third-party plugin loading can be used as another way to gain privilege escalation on a machine. The method succeeds regardless of which file is opened in the editor, so restricting a sudoer to opening only specific files with the editor (a limitation commonly applied in sudoers rules) does not protect against it.
The set of editors we put to the test includes Sublime, Vim, Emacs, Gedit and pico/nano.
When loading plugins, we found that these editors do not adequately separate regular and elevated modes. The plugin and configuration folders they read are under the invoking user's home directory and writable by that unprivileged user, yet the editor still loads from them when it runs as root. That opens the door for an attacker with regular user permissions to get elevated execution of arbitrary code.
Imagine a starting point where an attacker can run code, but not elevated. The user they run as is a sudoer (Linux), but the current session is unprivileged. All they have to do is write a malicious plugin into that user's plugin folder for the editor in use, then wait for the editor to be invoked through sudo. When the user enters their password at the sudo prompt and the editor starts as root, it loads the user's plugin folder and executes the malicious plugin with root privileges.
We demonstrated that this technique was successful with all the advanced editors we tested from the list above, except for pico/nano, which have no plugin mechanism. We notified the vendors of Sublime, Vim, Emacs and Gedit of our findings.
To mitigate this third-party plugin issue, we suggest the following (complete examples in the research paper):
- Implement OSSEC monitoring rules for the editors' plugin and configuration folders.
- Deny write permissions for non-elevated users on any folder an elevated editor loads code from.
- Change the folder and file permission model so that regular and elevated modes are separated.
- Prevent loading of third-party plugins when an editor runs elevated.
- Provide a manual interface to approve the elevated loading of plugins.
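The condition described above (a plugin folder the unprivileged user can write to, read by the editor once it runs as root) and the permission-based mitigations in the list can both be checked with a small audit. The script below is an added example for this post, not code from SafeBreach Labs or from the editor projects. The per-editor paths in USER_PLUGIN_PATHS are assumptions (typical Linux defaults for Vim, Emacs, Gedit and Sublime Text 3), and the run_demo() home directory is constructed in a temp folder so the script runs offline.

```python
"""Audit the user-level plugin and startup-file locations that a text editor
started with sudo may load as root. Added example, not code from the original
research; the per-editor paths below are assumed typical Linux defaults."""
import os
import stat
import tempfile
from pathlib import Path

# Relative to the invoking user's $HOME. sudo can preserve HOME (env_keep or
# -E), in which case a root-running editor reads the unprivileged user's files.
USER_PLUGIN_PATHS = {
    "vim": [".vimrc", ".vim"],
    "emacs": [".emacs", ".emacs.d"],
    "gedit": [".local/share/gedit/plugins"],
    "sublime": [".config/sublime-text-3/Packages"],
}


def is_unsafe_for_root_load(owner_uid, mode, privileged_uid=0):
    """True if someone other than `privileged_uid` can change this path:
    it is owned by another user, or it is group- or world-writable."""
    if owner_uid != privileged_uid:
        return True
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def _reason(st, privileged_uid):
    if st.st_uid != privileged_uid:
        return "owned by uid %d, not %d" % (st.st_uid, privileged_uid)
    return "mode %o is group/world writable" % stat.S_IMODE(st.st_mode)


def audit_home(home, paths=USER_PLUGIN_PATHS, privileged_uid=0):
    """Return {editor: [(path, reason), ...]} for every existing plugin path,
    and everything beneath it, that a non-privileged user could modify."""
    findings = {}
    for editor, rel_paths in paths.items():
        for rel in rel_paths:
            top = Path(home) / rel
            if not top.exists():
                continue
            candidates = [top]
            if top.is_dir():
                for dirpath, dirnames, filenames in os.walk(top):
                    candidates += [Path(dirpath) / n for n in dirnames + filenames]
            for p in candidates:
                st = p.lstat()
                if is_unsafe_for_root_load(st.st_uid, st.st_mode, privileged_uid):
                    findings.setdefault(editor, []).append(
                        (str(p), _reason(st, privileged_uid)))
    return findings


def run_demo():
    """Build a constructed $HOME in a temp dir and audit it. The current uid is
    treated as the privileged one so the result does not depend on who runs
    this: only the deliberately loosened modes should be flagged."""
    home = Path(tempfile.mkdtemp(prefix="editor-audit-"))
    vim_plugin = home / ".vim" / "plugin"
    vim_plugin.mkdir(parents=True)
    (home / ".vim").chmod(0o755)
    vim_plugin.chmod(0o755)
    (vim_plugin / "good.vim").write_text('" harmless, owner-only writable\n')
    (vim_plugin / "good.vim").chmod(0o644)
    (vim_plugin / "dropped.vim").write_text('" anyone on the box can edit this\n')
    (vim_plugin / "dropped.vim").chmod(0o666)  # world-writable plugin file
    gedit = home / ".local" / "share" / "gedit" / "plugins"
    gedit.mkdir(parents=True)
    gedit.chmod(0o777)  # world-writable plugin directory
    return audit_home(home, privileged_uid=os.getuid())


if __name__ == "__main__":
    # Real audit of the current user's home, as root would see it (uid 0 trusted).
    for editor, items in audit_home(Path.home()).items():
        for path, why in items:
            print("%-8s %s (%s)" % (editor, path, why))
```

Run as the sudoer whose home the elevated editor will read, and treat every finding as a location from which root would execute user-controlled code. Note that with the default privileged_uid of 0 every file under a normal user's home is flagged, which is the point: an editor running as root should not load code from there at all, which is why sudoedit (which runs the editor as the invoking user and only copies the file as root) is the safer way to hand a sudoer editing rights.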
For more information and details on what we tested, download the complete research paper here. All code pieces and other content in our research can be found in the SafeBreach-Labs/blog-snippets GitHub repository.