
How to use text editor plug-ins for privilege escalation on Unix machines

2025-03-29 Update. From: SLTechnology News&Howtos, Development

Shulou(Shulou.com)06/02 Report--

This article explains how text editor plug-ins can be abused to escalate privileges on a Unix machine. Since most people are not familiar with the issue, it is shared here for reference; I hope you learn something from it.

The researchers say they ran security tests on editors including Sublime, Vim, Emacs, Gedit, Pico and Nano (on Ubuntu systems). With the exception of Pico and Nano, every one of them could be abused, through the way it loads plug-ins, to escalate privileges on the target host.

What's the problem?

These text editors extend their functionality mainly through third-party plug-ins, which are written by other users or developers; many of them are open source.

Dor Azouri, a security researcher at SafeBreach, said:

"After testing these text editors, we found that they generally have two modes, a regular mode and an elevated mode. Plug-ins are also loaded when they enter elevated mode, but because they do not adequately control the integrity of folder permissions, an attacker with only ordinary user rights can exploit this to escalate privileges and execute arbitrary code on the target host.

Suppose the attacker can already run arbitrary code on the target host but has not yet obtained elevated privileges. They can write malicious plug-in code into the folder the text editor currently uses and then wait for the editor to be switched into elevated mode, at which point the user has to enter the device's root password. Of course, for some "power" users the attacker may only have to wait a short while for the attack to complete, because such users often install various functional extensions or often use the sudo command to open various files. In some cases, however, the attacker may have to wait forever."

Detailed description

Note: this article uses Sublime and Vim as examples to explain the attack. All related code and descriptions can be found in SafeBreach's GitHub repository.

Sublime

Test environment:

Sublime Version: 3.0 Build 3143

Ubuntu 14.04.5, Kernel 4.13.0

Adding a plug-in

There are two main forms of Sublime plug-ins:

1. Install packages (installed directly with the package management tool)

2. Standalone Python plug-in files

The first form is managed by Package Control (usually .sublime-package files), and the directory path is generally:

/opt/sublime_text

The second form is a plain Python file placed under:

~/.config/sublime-text-3/Packages/User

If you want the plug-in to handle editor events, you implement a subclass of sublime_plugin.EventListener and override some of its event callbacks; the usual first choice is on_activated_async. According to the API documentation, this event "is called when a view gains input focus" and the callback runs in a separate thread, so it fires whenever the user switches editor tabs or when Sublime starts.

From there, the attacker has a complete Python environment in which to run arbitrary code, and the attack is done.

VIM

Test environment:

Vim Version: 7.48.0

Ubuntu 14.04.5, Kernel 4.13.0

To reproduce the attack scenario in Vim, we need to locate where the relevant plug-ins are stored and figure out how they are loaded at startup. The core idea of the attack is as follows:

1. Write your own Python attack script.

2. Store it in ~/.vim/plugin/.

3. Create a new *.vim file in the same directory. This is the actual Vim plug-in, which is loaded together with the other plug-ins at editor startup. In our test scenario it simply hands off to the Python script (it looks a bit like VimScript):

    " Stop if this Vim was built without Python support
    if !has('python') && !has('python3')
        finish
    endif

    function! RootWrite()
        " Hand off to the Python script with whichever interpreter is available
        if has('python')
            pyfile ~/.vim/plugin/write_root_file.py
        else
            py3file ~/.vim/plugin/write_root_file.py
        endif
    endfunc

    call RootWrite()

4. The write_root_file.py script we wrote tries to write a file to a protected path (only the root user has write access there):

    # Succeeds only when the editor, and therefore this plug-in, runs as root
    try:
        f = open("/stub.file", "wb")
        f.close()
    except IOError:
        pass  # unprivileged: permission denied, do nothing

For a more detailed description of this attack technique, please refer to the [Research report] published by the researchers.

Mitigation scheme

The researchers reported the problems they found to the developers of Sublime, Vim, Emacs and Gedit, but the report does not mention mitigations from the vendors.

The researchers' own suggestion is to improve the file and folder permission model so that the editor can switch safely between regular mode and elevated mode. Editors could also refuse to load third-party plug-ins while running in elevated mode, or instead give the user an explicit, manual way to opt into loading plug-ins in elevated mode. Users, for their part, can rely on built-in commands like sudoedit, rather than running the editor itself with root privileges, to edit protected files safely.

In addition, the researchers provide administrators with a set of OSSEC syscheck configuration rules that can be used to monitor changes to these files and folders.

OSSEC monitoring rules

Monitor changes to the key files and folders on your system. For example, add the following paths to the syscheck section of /var/ossec/etc/ossec.conf (~ stands for each monitored user's home directory):

    ~/.config/sublime-text-3/Packages/User
    ~/.vim/plugin/
    ~/.emacs, ~/_emacs, ~/.emacs.d/init.el, ~/.xemacs, ~/.xemacs/init.el, ~/Library/Preferences/AquamacsEmacs/Preferences.el
    ~/.local/share/gedit/plugins
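As an added example, not taken from the article or from SafeBreach's repository, the following Python audit applies the permission-model point from the mitigation section to the same plug-in paths the OSSEC rules watch: it walks each path and flags entries that an account other than the owner could have planted or altered (group/world-writable files or directories, symlinks, wrong owner). The PLUGIN_PATHS list mirrors the article's paths; demo() builds a constructed sample tree in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Per-user plug-in locations from the article: the editor loads these even
# when started with sudo if HOME still points at the unprivileged user.
PLUGIN_PATHS = ["~/.config/sublime-text-3/Packages/User", "~/.vim/plugin",
                "~/.emacs.d/init.el", "~/.local/share/gedit/plugins"]

def audit_path(path, expected_uid=None):
    """Return (path, problem) tuples for entries in a plug-in file or tree that
    another account could have planted or altered: group/world-writable
    entries, symlinks, or a wrong owner."""
    findings = []
    root = Path(path).expanduser()
    if not root.exists():
        return findings          # nothing to load, nothing to audit
    entries = [root] + (list(root.rglob("*")) if root.is_dir() else [])
    for p in entries:
        st = p.lstat()           # do not follow links: the link itself is suspect
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(p), "symlink -> " + os.readlink(p)))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(p), "group/world writable (%o)" % stat.S_IMODE(st.st_mode)))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((str(p), "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings

def audit_user(expected_uid=None):
    """Audit every path in PLUGIN_PATHS under the current user's home."""
    return [f for p in PLUGIN_PATHS for f in audit_path(p, expected_uid)]

def demo():
    """Constructed tree: a clean ~/.vim/plugin and a world-writable Sublime User dir."""
    home = Path(tempfile.mkdtemp())
    vim = home / ".vim" / "plugin"
    vim.mkdir(parents=True)
    vim.chmod(0o755)
    (vim / "good.vim").write_text('" harmless plug-in\n')
    (vim / "good.vim").chmod(0o644)
    sub = home / ".config" / "sublime-text-3" / "Packages" / "User"
    sub.mkdir(parents=True)
    sub.chmod(0o777)             # anyone may drop a .py here: flagged
    (sub / "hook.py").write_text("# constructed sample\n")
    (sub / "hook.py").chmod(0o644)
    return audit_path(vim) + audit_path(sub)
```

Run audit_user(os.getuid()) from an ordinary account to check the real paths; pass the account's uid so files written by another user are reported too.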

After the modification, don't forget to restart OSSEC with the following command:

    sudo /var/ossec/bin/ossec-control restart
