bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random num
From: Eli Zaretskii
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Tue, 29 Dec 2015 18:21:30 +0200

> Date: Tue, 29 Dec 2015 15:36:12 +0000
> From: Richard Copley <rcopley@gmail.com>
>
> > Please provide the necessary details for reproducing this problem and
> > verifying the solution. What I'm missing:
> >
> > > 1. Be logged into the same Windows computer as someone else.
> >
> > How do you do that? I understand you are describing a situation where
> > 2 users are logged into the same Windows system simultaneously using
> > the same credentials, is that true? If so, how to create such a
> > situation?
>
> I don't think that is possible; however, two /different/ accounts can
> be logged in to a computer at the same time, via Remote Desktop or
> Fast User Switching.

Logging in via Remote Desktop usurps the system, AFAIK. So these
possibilities are not relevant to the issue at hand.

> > > 2. Have a process running that is notified whenever a process starts up
> > > 3. Have them run `emacs --daemon' or invoke `server-start'.
> > > 4. Use the knowledge of the current time and the server's PID to guess
> > > the authentication key.
> >
> > I don't think we use the current time and PID for that, but even if we
> > do, how do you get a hold of the time at the moment of the server
> > creation to nanosecond resolution? Please tell how to do that.
>
> We use function "random" (see function "server-generate-key"); its
> seed is typically set at startup using the current time and PID (see
> "init_random()" in sysdep.c), so it's the time Emacs started that you
> would want to know, not the time the server started. You can get the
> start time (to the nearest second at least) and PID of any user's
> processes using, e.g., Process Explorer.

You need the time to nanosecond resolution to compute the seed. How
do you do that?

> I'm not sure what resolution timestamp we end up using as the seed.
> gettime() might return microsecond timestamps in certain configurations.
On MS-Windows, gettime calls gettimeofday, which returns the system
clock in 100 nanosecond units. The actual resolution of the clock is
between 1 ms and 10 ms, but I think it's still an impossible task to
get the exact time we sample the clock during startup with such a high
accuracy.

> I can't speak for Demetri but it seems to me he's imagining an attacker
> who is prepared to use a certain amount of brute force. Knowing or
> guessing the Emacs start time within a few seconds would reduce the
> search space.

As I said, I don't see how such a user could even get access to a
machine without my paying attention. And that if the services
machine without my paying attention. And that if the services
required for remote access have not been turned off to begin with.
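
The figures debated in this thread (a clock reported in 100 ns units, a real resolution of 1 ms to 10 ms, a start time known to within seconds, a PID visible to other local users) can be turned into an entropy estimate for a time+PID seed. The following is an added example, not part of the original message and not Emacs code; the 5-second window, the 32-byte key length, and the use of Python's Mersenne Twister as a stand-in for a seeded general-purpose PRNG are assumptions.

```python
import math
import random
import secrets

NS_PER_S = 1_000_000_000

def seed_entropy_bits(window_ns: int, tick_ns: int) -> float:
    """Upper bound, in bits, on what an observer does not know about a
    time+PID seed: the PID is visible to other local users, so only the
    number of distinct clock readings inside the window counts."""
    candidates = max(1, window_ns // tick_ns)
    return math.log2(candidates)

def effective_key_bits(window_ns: int, tick_ns: int, key_bytes: int = 32) -> float:
    """A key derived from a seeded PRNG is no stronger than its seed."""
    return min(seed_entropy_bits(window_ns, tick_ns), key_bytes * 8.0)

def key_from_seed(seed: int, key_bytes: int = 32) -> bytes:
    """Toy stand-in (Python's Mersenne Twister, not Emacs's `random`):
    the whole key is a deterministic function of the seed."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(key_bytes))

def key_from_os(key_bytes: int = 32) -> bytes:
    """Key drawn from the operating system CSPRNG; no seed to reason about."""
    return secrets.token_bytes(key_bytes)

if __name__ == "__main__":
    window = 5 * NS_PER_S  # assumed: start time known to within 5 seconds
    ticks = [("10 ms tick", 10_000_000), ("1 ms tick", 1_000_000),
             ("100 ns unit", 100)]
    for label, tick in ticks:
        print(f"{label:12s} {effective_key_bits(window, tick):5.1f} bits")
    print("OS CSPRNG    ", len(key_from_os()) * 8, "bits")
```

Under these assumptions the seed carries roughly 9 to 26 bits depending on which clock granularity actually applies, whatever the length of the key derived from it, while a key taken from the OS CSPRNG carries its full length.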