bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random num

From: Eli Zaretskii
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Tue, 29 Dec 2015 18:21:30 +0200 
> Date: Tue, 29 Dec 2015 15:36:12 +0000
> From: Richard Copley <rcopley@gmail.com>
> 
> > Please provide the necessary details for reproducing this problem and
> > verifying the solution.  What I'm missing:
> >
> > > 1. Be logged into the same Windows computer as someone else.
> >
> > How do you do that?  I understand you are describing a situation where
> > 2 users are logged into the same Windows system simultaneously using
> > the same credentials, is that true?  If so, how to create such a
> > situation?
> 
> I don't think that is possible; however, two /different/ accounts can
> be logged in to a computer at the same time, via Remote Desktop or
> Fast User Switching.

Logging in via Remote Desktop usurps the system, AFAIK.  So these
possibilities are not relevant to the issue at hand.

> > > 2. Have a process running that is notified whenever a process starts up
> > > 3. Have them run `emacs --daemon' or invoke `server-start'.
> > > 4. Use the knowledge of the current time and the server's PID to guess
> > >    the authentication key.
> >
> > I don't think we use the current time and PID for that, but even if we
> > do, how do you get a hold of the time at the moment of the server
> > creation to nanosecond resolution?  Please tell how to do that.
> 
> We use function "random" (see function "server-generate-key"); its
> seed is typically set at startup using the current time and PID (see
> "init_random()" in sysdep.c), so it's the time Emacs started that you
> would want to know, not the time the server started. You can get the
> start time (to the nearest second at least) and PID of any user's
> processes using, e.g., Process Explorer.

You need the time to nanosecond resolution to compute the seed.  How
do you do that?

> I'm not sure what resolution timestamp we end up using as the seed.
> gettime() might return microsecond timestamps in certain configurations.

On MS-Windows, gettime calls gettimeofday, which returns the system
clock in 100 nanosecond units.  The actual resolution of the clock is
between 1 ms and 10 ms, but I think it's still an impossible task to
get the exact time we sample the clock during startup with such a high
accuracy.

> I can't speak for Demetri but it seems to me he's imagining an attacker
> who is prepared to use a certain amount of brute force. Knowing or
> guessing the Emacs start time within a few seconds would reduce the
> search space.

As I said, I don't see how such a user could even get access to a
machine without my paying attention.  And that if the services
required for remote access have not been turned off to begin with.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]