Sublime, Vim, Emacs, Gedit, pico/nano text editor exisit privilege escalation vulnerability

privilege escalation vulnerability

According to securityaffairs reports on March 16, after a series of recent attacks using exploits, SafeBreach researchers discussed how advanced text editors with third-party extensibility mechanisms were misused to increase device permissions and target Unix and the Linux system examined several popular extensible text editors (Sublime, Vim, Emacs, Gedit, pico/nano). After research, it was discovered that all checked editors except pico/nano were affected by a critical privilege escalation vulnerability that could be exploited by an attacker to run malicious code on a target device running a vulnerable text editor.

It is reported that most modern text editors allow users to extend functionality by using third-party plug-ins, thereby increasing their attack surface. Researchers believe that this situation is very serious because third-party plug-ins may be affected by critical privilege escalation vulnerabilities, affecting popular plug-ins like WordPress, Windows Chrome, Firefox, and Photoshop.

The vulnerability is currently considered related to the way these text editors load plugins because they do not properly separate regular and advanced modes when loading plugins.

SafeBreach’s research shows that these text editors with third-party plug-ins are another way to gain privilege escalation for the device, and that even if the file is opened in the editor, using this method to achieve the upgrade can be successful even if The use of commonly used restrictions in the sudo command may also not prevent it.

So some mitigation measures provided by SafeBreach:

  • implement OSEC monitoring rules
  • deny write permissions for non-elevated users
  • change folders and file permission models to ensure separation between regular and elevated modes.
  • Prevent loading of 3rd party plugins when an editor is elevated.
  • Provide a manual interface to approve the elevated loading of plugins.

Source: SecurityAffairs