Security risks in popular extensible text editors allow hackers to abuse plugins and escalate privileges on targeted systems, according to new research from SafeBreach. Inadequate separation of regular and elevated access modes used in editors and a lack of folder permissions integrity allow attackers to achieve execution of arbitrary code from regular user permissions.
A March 15 report from SafeBreach details the research of Dor Azouri, who looked at five notable text editors that offer the benefits of extensibility. By loading plugins for Sublime, Vim, Emacs, Gedit, and pico/nano, the most popular editors with third-party plugin support in UNIX environments, Azouri successfully leveraged each text editor for privilege escalation through simulated attacks.
Because application functionality is improved through extensions, it’s not uncommon for text editors to run third-party code. The benefits of performance and productivity have outweighed the risk. But loading plugins when folder permissions integrity is not well kept introduces security risks.
Moreover, the attack methods proved successful with all files opened in the editor, even with common limitations applied on sudo commands. The attackers can target specific locations and plant their malicious extensions, altering the seemingly innocuous extensible text editors into another way to gain privilege escalation on the machine.
Attackers who have gained access to user credentials through phishing scams or other nefarious means have the ability to write code even without elevated status. They can write a malicious plugin to the user folder of the editor that’s in use.
Eventually, and particularly for users on Linux servers who commonly have to run text editors with elevated privileges, the editor will be invoked in elevated status. Then the user enters his root password, the application is launched, and the malicious code is executed.
While developers of third-party plugins have had malicious code executed (intentionally or unintentionally) as part of these plugins, there are no reports of malicious attacks abusing text editors for privilege escalation. Still, incidents involving abuse of extensibility are not unheard of. The SafeBreach report demonstrates privilege escalation details for each of the five text editors tested by Azouri.
Though aware of the security risk discovered by SafeBreach, the developers of the text editors don’t plan on making any changes. To mitigate the risks, SafeBreach recommends adding its recommended rules to the OSSEC syscheck configuration.
Additionally, Azouri said one way to improve the integrity of the folder permissions is to entirely separate the plugins folders that are used when running the editors in elevated mode (using sudo).
“In this solution, there will be one folder owned by the user where he can place his/her plugins, and one folder owned by root where all the approved plugins will reside. When the editor is invoked in an elevated mode, it will load the plugins from the root owned folder only. This way, modifying the plugins that are root owned will require entering the root password.”
The security risk and plausibility of this kind of attack are determined by parameters that differ in each organization. Risk depends on how widely UNIX systems are used in the network and on which tools users commonly edit files with, among other parameters.
Given that developers don’t plan to patch the vulnerability, Azouri suggested several defense measures for users.
- Deny write permissions for non-elevated users by taking root ownership of the relevant plugins folder (e.g. ~/.config/sublime-text-3/Packages/User)
- Monitor modifications to the key files and folders presented in this article
- Track changes and review them
- Review third-party plugin code before approving its use in the network environment
- Use simpler editors that don’t expose a powerful API to third-party plugins
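The first two measures above, taking root ownership of the plugin folder and watching it for writes, can be checked on the spot with a short audit. The script below is an added example written for this article, not SafeBreach's tooling and not from the editors' projects: it reports any plugin folder that is missing, not owned by the expected account, or writable by group or others, which is exactly the condition that lets a non-elevated user plant a plugin for a later sudo-invoked editor run. The Sublime path is the one quoted in the article; the Vim and Emacs paths in the usage comment are assumptions added only to show several folders being audited at once.

```shell
#!/bin/sh
# Audit the plugin folders an extensible editor would load when run with sudo.
# Added example for this article, not SafeBreach's own tooling. The Sublime path
# is the one named in the article; the Vim and Emacs paths are assumptions.

# plugin_dir_is_locked DIR [OWNER]
# Exit 0 when DIR exists, is owned by OWNER (default root) and carries no
# group/other write bit; otherwise print the reason and exit 1.
plugin_dir_is_locked() {
    dir=$1
    want_owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "MISSING   $dir"
        return 1
    fi
    # "ls -ld" is portable across GNU and BSD: "drwxr-xr-x 2 root root ..."
    line=$(ls -ld "$dir")
    perms=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER     $dir is owned by $owner, expected $want_owner"
        return 1
    fi
    # character 6 is the group write bit, character 9 the other write bit
    case $perms in
        ?????w????|????????w?)
            echo "WRITABLE  $dir ($perms): non-elevated users can plant plugins"
            return 1 ;;
    esac
    echo "OK        $dir ($perms, owner $owner)"
    return 0
}

# audit_plugin_dirs DIR... : check every folder; exit 0 only if all pass
audit_plugin_dirs() {
    failed=0
    for d in "$@"; do
        plugin_dir_is_locked "$d" || failed=$((failed + 1))
    done
    echo "$failed folder(s) need attention"
    [ "$failed" -eq 0 ]
}

# Usage (the Vim/Emacs paths are assumed examples, not from the article):
#   sh audit_plugins.sh ~/.config/sublime-text-3/Packages/User ~/.vim ~/.emacs.d
if [ $# -gt 0 ]; then
    audit_plugin_dirs "$@"
else
    echo "usage: $0 PLUGIN_DIR..." >&2
fi
```

Run it as the account whose editor is launched via sudo; a folder flagged OWNER or WRITABLE is one where `chown root` and `chmod 755` (or an equivalent root-owned, non-writable layout) close the path the article describes, and the same list of folders is a natural input for the file-integrity monitoring rules mentioned above.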
Because similar extensibility models might be found in other kinds of software, Azouri said, “I suggest users and developers alike should apply these precautions on other extensible software that allow the loading of external modules, and not just text editors.”
(This article was written by guest author Kacy Zurkus. He can be reached at @KSZ714)