Maksim Kabakou - Fotolia

How can a text editor plug-in enable privilege escalation?

Developers use text editors to enhance efficiency in the workplace even though they require vulnerable third-party plug-ins. Discover these vulnerabilities with Judith Myerson.

System administrators and developers use text editors on Linux and Unix systems to get their work done efficiently, especially when editing sensitive system and application configuration files. However, many advanced text editors -- including Emacs, Vim, Sublime and gedit -- that allow the use of third-party plug-ins capable of executing code can also be abused by local attackers to elevate their privilege level and take root control of systems. How does the text editor plug-in vulnerability work? How could attackers use the vulnerability to take over Unix and Linux systems?

Extensible Unix and Linux text editors that allow for the use of third-party plug-ins give users a useful way to add functionality, but the text editor plug-ins can also be exploited by local attackers to take control of a victim's machine through privilege escalation.

Dor Azouri, a security researcher at SafeBreach, examined how text editor plug-ins for leading text editors, including Emacs, Vim, Sublime, gedit and pico/nano, could be exploited by attackers for privilege escalation -- and crafted proof of concept exploits for all of them except pico/nano.

Because sysadmins often need to edit root-owned files, like system configuration files, text editors can be opened in elevated status with root privileges through the Unix sudo function. When the editor is opened in elevated status, third-party plug-ins are also reloaded; this is where an attacker can escalate the privilege.

If the attacker is able to gain access to a sysadmin's account to run the text editor -- for example, if the victim sysadmin's system has been left unattended and unlocked -- then the attacker could position a malicious plug-in to load when the victim next accesses the text editor in elevated status.

Azouri pointed out that the regular and elevated modes in Linux and Unix are not properly separated when plug-ins load into vulnerable text editors; he also noted that some text editor configuration files can be edited without root access. The attacks Azouri described succeed only after the malicious plug-in has been positioned and the victim uses the text editor with elevated privileges.

Recommended mitigations include monitoring modifications of the files and folders identified as vulnerable, as well as applying more strict permissions levels for affected system resources and using sudoedit, a built-in Unix/Linux command that does not support plug-ins.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing