Hackers Can Abuse Text Editors for Privilege Escalation

Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.
Some text editors allow users to run third-party code and extend the application’s functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.

SafeBreach researcher Dor Azouri has analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly due to the fact that they offer only limited extensibility.

One part of the problem is that users — particularly on Linux servers — may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.

Text editors allow privilege escalation

For an attack to work, the attacker needs to somehow hijack a legitimate user account that has regular privileges, which can be achieved through phishing, social engineering and other methods. In the case of a malicious insider, the vulnerability found by SafeBreach can be useful for executing code with elevated privileges if their permissions have been restricted by the system administrator to certain files and commands.

Depending on the targeted editor, the attacker needs to create specially crafted scripts or package files, and place them in specific plugin directories. In some cases, the hacker may need to create additional files and enable extensions in order for the attack to work, but this should not be difficult if they have access to a less-privileged account.

In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup. Azouri noted that editing the init file does not require root permissions. A report published on Thursday by SafeBreach details how privilege escalation can be achieved through each of the tested editors.

While there are no reports of malicious attacks abusing text editors for privilege escalation, incidents involving abuse of extensibility are not unheard of. For instance, Kite, which offers Python code enhancements and suggestions for several popular editors via extensions, drew criticism last year after integrating promotional links into its users’ coding apps.

SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that can be leveraged to gain root access on Unix-like systems.

“Badly configured Cron jobs, that are a natural part in Unix-like systems, can be abused to get root access. In a similar manner to the technique we present, an attacker might find binaries in cron jobs which are writable, and modify them to his/her needs. They are then executed as root by the OS (or other users, depending on the cron job settings), giving the attacker privileged execution,” Azouri told SecurityWeek.

Another example involves exploiting file permissions, such as special SUID executables. “SUID is a feature in Unix-like systems that allows configuring some executables to run as a specific user (the owner of the file). Finding a file that is owned by root and is set with SUID, can give a way for an attacker to get privileged execution,” the researcher said.

He added, “Some cases exist where the developers of 3rd party plugins, after gaining popularity for their plugin, updated the plugin’s code with malicious code (either intentionally or unintentionally, the latter can be as a result of getting hacked and the attacker obtained access to the codebase). This update was downloaded by the plugin users, and then executed without them being aware of the malicious change.”
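The attack path the article describes for editors (a script or package dropped into a plugin directory, or a line added to a user-writable init file, later loaded by an editor run with elevated privileges) and the writable-cron-job case Azouri mentions both reduce to the same defensive check: does anyone other than the account that will run the program have write access to the files it loads? The following audit script is an added example for this article, not code from SafeBreach, Dor Azouri or any of the editor projects. The list of extension locations is an assumption about common defaults and will need adjusting for your editor versions and distribution; the demo directory it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SafeBreach report or the editor projects).
# Flags entries under editor extension locations that a less-privileged
# account could have planted or altered: not owned by the expected user,
# or writable by the group or by everyone.

# Assumed extension/config locations, relative to a home directory.
EDITOR_EXT_PATHS=".emacs.d/init.el .emacs .vimrc .vim .config/sublime-text-3/Packages .local/share/gedit/plugins"

# audit_paths OWNER PATH...
# Prints one "reason path" line per finding; prints nothing when clean.
audit_paths() {
  owner="$1"
  shift
  for p in "$@"; do
    [ -e "$p" ] || continue
    # Anything under the path not owned by the user who will run the program.
    find "$p" ! -user "$owner" 2>/dev/null | sed 's/^/not-owned-by-user /'
    # Group- (020) or world- (002) writable entries. A writable directory is as
    # serious as a writable file: it lets anyone drop a new plugin into it.
    find "$p" \( -perm -020 -o -perm -002 \) 2>/dev/null | sed 's/^/writable-by-others /'
  done
}

# audit_editor_home HOME_DIR OWNER: run audit_paths over EDITOR_EXT_PATHS.
audit_editor_home() {
  home="$1"
  owner="$2"
  set --
  for rel in $EDITOR_EXT_PATHS; do
    set -- "$@" "$home/$rel"
  done
  audit_paths "$owner" "$@"
}

# count_findings HOME_DIR OWNER: number of findings (0 = clean), for scripting.
count_findings() {
  audit_editor_home "$1" "$2" | wc -l | tr -d ' '
}

# demo: constructed throwaway home directory with one safe and two unsafe entries.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/.emacs.d" "$tmp/.vim/plugin"
  chmod 755 "$tmp/.emacs.d" "$tmp/.vim"
  printf '(message "init loaded")\n' > "$tmp/.emacs.d/init.el"
  chmod 600 "$tmp/.emacs.d/init.el"        # owner-only: clean
  printf '" plugin stub\n' > "$tmp/.vim/plugin/stub.vim"
  chmod 666 "$tmp/.vim/plugin/stub.vim"    # world-writable file: finding
  chmod 775 "$tmp/.vim/plugin"             # group-writable directory: finding
  audit_editor_home "$tmp" "$(id -un)"
  rm -rf "$tmp"
}
```

Run `demo` to see the two findings on the constructed directory, or `audit_editor_home /root root` to check the account whose editor sessions actually run as root. The same `audit_paths root /etc/crontab /etc/cron.d /etc/cron.daily` call covers the cron case above: a job script owned by root that a non-root account can write is exactly the condition to look for. Any finding means the extension path should be chowned and chmodded back to owner-only before the editor is next started with elevated privileges.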

The developers of the text editors analyzed by SafeBreach said they don’t plan on making any changes to prevent this type of abuse. Vim developers admitted that they can take measures, but they appear to believe that it’s the user’s responsibility to defend against these attacks.

Emacs developers will not make any changes to their application because this type of privilege escalation can be carried out through many applications, so a patch on their end would not fully address the issue.

Gedit has yet to confirm SafeBreach’s findings, and Sublime has not provided the researchers with any updates since acknowledging their bug report.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
