bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random num


From: Richard Copley
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Tue, 29 Dec 2015 17:44:47 +0000

On 29 December 2015 at 16:21, Eli Zaretskii <eliz@gnu.org> wrote:
>> Date: Tue, 29 Dec 2015 15:36:12 +0000
>> From: Richard Copley <rcopley@gmail.com>
>>
>> > Please provide the necessary details for reproducing this problem and
>> > verifying the solution.  What I'm missing:
>> >
>> > > 1. Be logged into the same Windows computer as someone else.
>> >
>> > How do you do that?  I understand you are describing a situation where
>> > 2 users are logged into the same Windows system simultaneously using
>> > the same credentials, is that true?  If so, how to create such a
>> > situation?
>>
>> I don't think that is possible; however, two /different/ accounts can
>> be logged in to a computer at the same time, via Remote Desktop or
>> Fast User Switching.
>
> Logging in via Remote Desktop usurps the system, AFAIK.  So these
> possibilities are not relevant to the issue at hand.

That is definitely not correct. In some configurations several users
can connect via remote desktop. I do this every day. It /might/ be
necessary to have a "Professional" and/or Server edition of Windows.
A licensed Terminal Server supports dozens of sessions at once.

Fast User Switching is a different thing. (Type CTRL-ALT-DEL and click
"Switch User".) That, too, might require "Professional".

>> > > 2. Have a process running that is notified whenever a process starts up
>> > > 3. Have them run `emacs --daemon' or invoke `server-start'.
>> > > 4. Use the knowledge of the current time and the server's PID to guess
>> > >    the authentication key.
>> >
>> > I don't think we use the current time and PID for that, but even if we
>> > do, how do you get a hold of the time at the moment of the server
>> > creation to nanosecond resolution?  Please tell how to do that.
>>
>> We use function "random" (see function "server-generate-key"); its
>> seed is typically set at startup using the current time and PID (see
>> "init_random()" in sysdep.c), so it's the time Emacs started that you
>> would want to know, not the time the server started. You can get the
>> start time (to the nearest second at least) and PID of any user's
>> processes using, e.g., Process Explorer.
>
> You need the time to nanosecond resolution to compute the seed.  How
> do you do that?

I haven't tried, but the MSDN docs for GetProcessTimes say it returns the
start time in 100 ns units. I'd guess that's what Process Explorer uses.

>> I'm not sure what resolution timestamp we end up using as the seed.
>> gettime() might return microsecond timestamps in certain configurations.
>
> On MS-Windows, gettime calls gettimeofday, which returns the system
> clock in 100 nanosecond units.  The actual resolution of the clock is
> between 1 ms and 10 ms, but I think it's still an impossible task to
> get the exact time we sample the clock during startup with such a high
> accuracy.

Perhaps you don't need to. Brute force. (Maybe that's ridiculous. I haven't
tried to do the sums. Trying 100 to 1000 different values doesn't sound too
hard.)

>> I can't speak for Demetri but it seems to me he's imagining an attacker
>> who is prepared to use a certain amount of brute force. Knowing or
>> guessing the Emacs start time within a few seconds would reduce the
>> search space.
>
> As I said, I don't see how such a user could even get access to a
> machine without my paying attention.

With respect, that's not correct (explained above).

> And that if the services
> required for remote access have not been turned off to begin with.

Yes, obviously, but many organizations do have Remote Desktop
servers their staff can (or must) connect to.
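Added illustration of the point argued in this exchange (this is example code written for this page, not part of the thread and not Emacs's own server-generate-key or init_random()): a key drawn from a deterministic PRNG is only as unpredictable as its seed, so when the seed comes from the process start time and PID, the number of clock values an observer has to consider (the "100 to 1000" figure above, derived from the 1 ms to 10 ms clock resolution Eli mentions) bounds the key's real entropy, however long the key string is. The fix shown beside it is to draw the key from the OS CSPRNG. Assumptions, all labelled in the code: the seed formula (time XOR PID) is a hypothetical stand-in, and the key format (64 printable ASCII characters) is taken from my understanding of server-generate-key rather than from this page.

```python
import math
import random
import secrets

# Key format assumed for this example: 64 characters drawn from printable
# ASCII 33..126.  Treat this as an assumption about server-generate-key,
# not as a statement taken from the thread.
ALPHABET = [chr(c) for c in range(33, 127)]
KEY_LENGTH = 64


def weak_key(start_time_ns: int, pid: int) -> str:
    """Key from a deterministic PRNG seeded with start time and PID.

    The seed formula (time XOR pid) is a hypothetical stand-in for the kind
    of seeding init_random() is described as doing; it is not Emacs's code.
    The property that matters is that the same (time, pid) pair always
    yields the same key, so whoever can reconstruct the seed has the key.
    """
    rng = random.Random(start_time_ns ^ pid)
    return "".join(rng.choice(ALPHABET) for _ in range(KEY_LENGTH))


def strong_key() -> str:
    """Same key format, but drawn from the OS CSPRNG: there is no seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))


def candidate_seeds(uncertainty_s: float, resolution_ms: float) -> int:
    """Distinct clock readings inside the start-time uncertainty window.

    The PID is not multiplied in here because the thread notes it is
    visible to other users via Process Explorer; the clock is the only
    unknown.  A 1 s window at 10 ms resolution gives 100 candidates, at
    1 ms resolution 1000, which is the range quoted in the reply above.
    """
    return round(uncertainty_s * 1000.0 / resolution_ms)


def effective_entropy_bits(n_candidates: int) -> float:
    """Key entropy is bounded by the smaller of seed space and key space.

    A 64-character key over a 94-symbol alphabet has about 419 bits of
    key space, but only log2(n_candidates) bits if the seed is guessable.
    """
    key_space_bits = KEY_LENGTH * math.log2(len(ALPHABET))
    return min(math.log2(n_candidates), key_space_bits)


if __name__ == "__main__":
    # Constructed sample values: an Emacs start time in ns and a PID.
    t0, pid = 1451410000 * 10**9, 4242
    print("weak key reproducible:", weak_key(t0, pid) == weak_key(t0, pid))
    for res_ms in (10.0, 1.0):
        n = candidate_seeds(1.0, res_ms)
        print(f"{res_ms:>4} ms clock, 1 s window: {n} seeds, "
              f"{effective_entropy_bits(n):.1f} bits of key entropy")
    print("strong key entropy bound:", round(effective_entropy_bits(2**500)))
    print("two CSPRNG keys differ:", strong_key() != strong_key())
```

The comparison of `effective_entropy_bits` for the two generators is the whole argument in one number: the PRNG-seeded key collapses to under 10 bits once the start time is known to within a second, while the CSPRNG key keeps the full key-space bound regardless of what an observer knows about the process.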