Hackers Can Abuse Text Editors for Privilege Escalation

Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.

Some text editors allow users to run third-party code and extend the application’s functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.

SafeBreach researcher Dor Azouri analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly because they offer only limited extensibility.

One part of the problem is that users — particularly on Linux servers — may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.

For an attack to work, the attacker needs to somehow hijack a legitimate user account that has regular privileges, which can be achieved through phishing, social engineering and other methods. In the case of a malicious insider, the vulnerability found by SafeBreach can be useful for executing code with elevated privileges if their permissions have been restricted by the system administrator to certain files and commands.

Depending on the targeted editor, the attacker needs to create specially crafted scripts or package files, and place them in specific plugin directories. In some cases, the hacker may need to create additional files and enable extensions in order for the attack to work, but this should not be difficult if they have access to a less-privileged account.

In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup. Azouri noted that editing the init file does not require root permissions. A report published on Thursday by SafeBreach details how privilege escalation can be achieved through each of the tested editors.
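A defender can watch the per-user locations these editors load code from and flag anything planted or altered since a known-good baseline. The sketch below is an added example, not code from SafeBreach or the article; apart from Emacs's init.el, the watched paths are commonly used defaults assumed here, and the function names are hypothetical.

```python
import hashlib
import json
import sys
from pathlib import Path

# Per-user locations the editors auto-load code from. Apart from Emacs's
# init.el, these common defaults are assumptions, not taken from the article.
WATCHED = [
    ".emacs", ".emacs.d/init.el",        # Emacs startup files
    ".vimrc", ".vim/plugin",             # Vim startup file and plugin directory
    ".local/share/gedit/plugins",        # Gedit user plugins
    ".config/sublime-text-3/Packages",   # Sublime Text 3 packages
]

def snapshot(home):
    """Return {relative path: SHA-256} for every file under the watched paths."""
    home = Path(home)
    digests = {}
    for rel in WATCHED:
        root = home / rel
        if root.is_file():
            files = [root]
        elif root.is_dir():
            files = [p for p in root.rglob("*") if p.is_file()]
        else:
            files = []  # location absent for this user
        for f in files:
            key = f.relative_to(home).as_posix()
            digests[key] = hashlib.sha256(f.read_bytes()).hexdigest()
    return digests

def compare(baseline, current):
    """Report files added, changed or removed since the baseline snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in current
                          if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

if __name__ == "__main__":
    # Usage: script.py [HOME_DIR [BASELINE.json]]
    now = snapshot(sys.argv[1] if len(sys.argv) > 1 else Path.home())
    if len(sys.argv) > 2:
        baseline = json.loads(Path(sys.argv[2]).read_text())
        print(json.dumps(compare(baseline, now), indent=2))
    else:
        print(json.dumps(now, indent=2))  # save this output as the baseline
```

Store the baseline somewhere the monitored account cannot write, and run the comparison for every account that is allowed to launch an editor with elevated privileges.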

While there are no reports of malicious attacks abusing text editors for privilege escalation, incidents involving abuse of extensibility are not unheard of. For instance, Kite, which offers Python code enhancements and suggestions for several popular editors via extensions, drew criticism last year after integrating promotional links into its users’ coding apps.

SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that can be leveraged to gain root access on Unix-like systems.

“Badly configured Cron jobs, that are a natural part in Unix-like systems, can be abused to get root access. In a similar manner to the technique we present, an attacker might find binaries in cron jobs which are writable, and modify them to his/her needs. They are then executed as root by the OS (or other users, depending on the cron job settings), giving the attacker privileged execution,” Azouri told SecurityWeek.

Another example involves exploiting file permissions, such as special SUID executables. “SUID is a feature in Unix-like systems that allows configuring some executables to run as a specific user (the owner of the file). Finding a file that is owned by root and is set with SUID, can give a way for an attacker to get privileged execution,” the researcher said.

He added, “Some cases exist where the developers of 3rd party plugins, after gaining popularity for their plugin, updated the plugin's code with malicious code (either intentionally or unintentionally, the latter can be as a result of getting hacked and the attacker obtained access to the codebase). This update was downloaded by the plugin users, and then executed without them being aware of the malicious change.”

The developers of the text editors analyzed by SafeBreach said they don’t plan on making any changes to prevent this type of abuse. Vim developers admitted that they can take measures, but they appear to believe that it’s the user’s responsibility to defend against these attacks.

Emacs developers will not make any changes to their application because this type of privilege escalation can leverage many apps, and releasing a patch on their end would not completely address the issue.

Gedit has yet to confirm SafeBreach’s findings and Sublime has not provided researchers any updates after acknowledging their bug report.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.