ID CVE-2008-3949
Summary emacs/lisp/progmodes/python.el in Emacs 22.1 and 22.2 imports Python script from the current working directory during editing of a Python file, which allows local users to execute arbitrary code via a Trojan horse Python file.
References
Vulnerable Configurations
  • SuSE SuSE Linux
    cpe:2.3:o:suse:suse_linux
CVSS
Base: 7.2 (as of 23-09-2008 - 14:02)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when that file is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-216.NASL
    description A vulnerability was found in how Emacs would import Python scripts from the current working directory during the editing of a Python file. This could allow a local user to execute arbitrary code via a Trojan horse Python file (CVE-2008-3949).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37477
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37477
    title Mandriva Linux Security Advisory : emacs (MDVSA-2008:216)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200902-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-200902-06 (GNU Emacs, XEmacs: Multiple vulnerabilities). Morten Welinder reports about GNU Emacs and edit-utils in XEmacs: by shipping a .flc accompanying a source file (.c for example) and setting font-lock-support-mode to fast-lock-mode in the source file through local variables, any Lisp code in the .flc file is executed without warning (CVE-2008-2142). Romain Francoise reported a security risk in a feature of GNU Emacs related to interacting with Python. The vulnerability arises because Python, by default, prepends the current directory to the module search path, allowing for arbitrary code execution when launched from a specially crafted directory (CVE-2008-3949). Impact: Remote attackers could entice a user to open a specially crafted file in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp code or arbitrary Python code with the privileges of the user running GNU Emacs or XEmacs. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 35732
    published 2009-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35732
    title GLSA-200902-06 : GNU Emacs, XEmacs: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_EMACS-080912.NASL
    description When editing Python files, Emacs accidentally imported other Python scripts from the current directory (CVE-2008-3949).
    last seen 2019-02-21
    modified 2014-09-16
    plugin id 39954
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39954
    title openSUSE Security Update : emacs (emacs-190)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_66657BD5AC9211DDB541001F3B19D541.NASL
    description Emacs developers report: The Emacs command `run-python' launches an interactive Python interpreter. After the Python process starts up, Emacs automatically sends it the line "import emacs", which normally imports a script named emacs.py that is distributed with Emacs. This script, which is typically located in a write-protected installation directory with other Emacs program files, defines various functions to help the Python process communicate with Emacs. The vulnerability arises because Python, by default, prepends '' to the module search path, so modules are looked for in the current directory. If the current directory is world-writable, an attacker may insert malicious code by adding a fake Python module named emacs.py into that directory.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 34732
    published 2008-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34732
    title FreeBSD : emacs -- run-python vulnerability (66657bd5-ac92-11dd-b541-001f3b19d541)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_EMACS-5597.NASL
    description When editing Python files, Emacs accidentally imported other Python scripts from the current directory (CVE-2008-3949).
    last seen 2019-02-21
    modified 2014-09-16
    plugin id 34213
    published 2008-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34213
    title openSUSE 10 Security Update : emacs (emacs-5597)
refmap via4
bid 31052
confirm https://bugzilla.novell.com/show_bug.cgi?id=424340
gentoo GLSA-200902-06
mandriva MDVSA-2008:216
mlist [emacs-devel] 20080905 Vulnerability in Emacs python integration
secunia
  • 31982
  • 34004
suse SUSE-SR:2008:018
xf emacs-python-code-execution(45021)
statements via4
contributor Joshua Bressers
lastmodified 2017-08-07
organization Red Hat
statement Not vulnerable. This issue did not affect the versions of the emacs package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Last major update 01-09-2009 - 01:19
Published 22-09-2008 - 14:52
Last modified 07-08-2017 - 21:32