Pierluigi Paganini March 16, 2018

Following recent string of attacks that exploit flawed plugins, researchers at SafeBreach examined 6 popular extensible text editors for unix systems.

Most of the modern text editors allow users to extend their functionalities by using third-party plugins, in this way they are enlarging their attack surface.

Third-party plugins could be affected by vulnerabilities that could be exploited by hackers to target our systems.

The situation is particularly severe in case the flaw affects a plugin for popular software such as WordPress or Windows’ extensions for Chrome, Firefox or Photoshop.

Dor Azouri, a researcher at SafeBreach, has analyzed several popular extensible text editors for both Unix and Linux systems discovered that except for pico/nano all of them are affected by a critical privilege escalation flaw.

“We examined several popular editors for unix environments. Our research shows how these text editors with third-party plugins can be used as another way to gain privilege escalation on a machine. This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it.” states the blog post published by SafeBreach.

“The set of editors that were put to the test include: Sublime, Vim, Emacs, Gedit, pico/nano.”

An attacker can exploit the flaw to run malicious code on a victims’ machines running the vulnerable text editor.

“This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it,” reads the paper published by the company. 

“Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor.”

The vulnerability ties the way these text editors load plugins because they don’t properly separate regular and elevated modes when loading plugins.

Attackers with regular user permissions can access the folder permissions to elevate their privileges and execute arbitrary code on the user’s machine.

Azouri suggests Unix users use an open-source host-based intrusion detection system called OSSEC. Of course, users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.

Below the full list of mitigations provided by the experts:

• implement OSEC monitoring rules
• deny write permisions for non-elevated users
• change folders and file permission models to ensure separation between regular and elevated modes.
• Prevent loading of 3rd party plugins when an editor is elevated.
• Provide a manual interface to approve the elevated loading of plugins.

Pierluigi Paganini

(Security Affairs – Text Editors, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]