Opening a file in GNU Emacs can trigger arbitrary code execution through version control (git), most requiring zero user interaction beyond the file open itself.

https://github.com/califio/publications/blob/main/MADBugs/vim-vs-emacs-vs-claude/Emacs.md

#infosec #cybersecurity #redteam #pentest #ai #emacs #claude

@r1cksec Just to be clear, running any git command in that repo will run the arbitrary code, even if you don't have Emacs installed on your machine.
@oantolin @r1cksec "i found an RCE vulnerability in emacs" turns out to be "claude remembers an old git-vulnerability and puts it in an emacs-framing"

@mekeor @oantolin @r1cksec

Yeah, the page even links to the Git vulnerability where it says IDEs are vulnerable, so... What's new?

@mekeor @oantolin @r1cksec but the whole thing is framed as "emacs developers refused to fix this issue" lmao

@oantolin @r1cksec Yeah, I chalk this up to the problem of whether or not you can trust a git repo. Any time you run a git command in a git repo, you run the risk of executing code: https://git-scm.com/docs/git#_security

However, it is not safe to run Git commands in a .git directory (or the working tree that surrounds it) when that .git directory itself comes from an untrusted source. The commands in its config and hooks are executed in the usual way.

Maybe it would be nice if Emacs had a way to disable executing git commands by default as an option for threat models concerned about working with untrusted git repos, but I'm unsure if it's on Emacs to address this.


@r1cksec yeah the complete thing is not a vulnerability at all, you will run arbitrary code when running git hooks - that is git vuln. and second, you need to download a git repo tar because cloning does not clone git hooks

@zenmaya @r1cksec yeah definitely a git bug. I don't typically use them but looking into it, it seems a good solution might be to distrust git hooks globally then allow them per trusted project in git itself?

git config --global core.hooksPath /dev/null (or your own custom trusted hooks folder you always want)

then in trusted projects enable them git config core.hooksPath .git/hooks
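
Added example, not part of the thread or of the linked write-up: since the quoted Git documentation says both hooks and config commands are executed, this script inspects an unpacked `.git` directory for both without ever invoking git. The function names, the constructed sample directory and the selection of keys from git-config(1) in `RISKY` are assumptions of this example, and the key list is not exhaustive.

```bash
#!/usr/bin/env bash
# Added example: static audit of an untrusted .git directory. Never invokes git.

# Config keys whose values git runs as commands or that redirect hook lookup
# (subsection names such as the "lfs" in [filter "lfs"] are dropped).
RISKY='^(core[.](fsmonitor|sshcommand|pager|editor|hookspath|askpass)|filter[.](clean|smudge|process)|diff[.](external|textconv|command)|sequence[.]editor|credential[.]helper)$'

audit_git_dir() {
    local gitdir="$1" hook
    # 1. Hooks: report everything in hooks/ except the shipped *.sample templates.
    for hook in "$gitdir"/hooks/*; do
        [ -f "$hook" ] || continue
        case $hook in *.sample) continue ;; esac
        echo "hook: ${hook##*/}"
    done
    # 2. Config: report command-valued keys and shell aliases ("!...").
    [ -f "$gitdir/config" ] || return 0
    awk -v risky="$RISKY" '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # [section] or [section "sub"]
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[^A-Za-z0-9.-].*$/, "", sec)
            sec = tolower(sec); next
        }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            full = sec "." tolower(key)
            if (full ~ risky || (sec == "alias" && val ~ /^"?!/))
                print "config: " full " = " val
        }' "$gitdir/config"
}

# Constructed sample standing in for the .git directory of an unpacked tarball.
make_sample() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/hooks"
    printf '#!/bin/sh\n' > "$d/hooks/pre-commit"
    printf '#!/bin/sh\n' > "$d/hooks/pre-push.sample"
    printf '[core]\n\tbare = false\n\tfsmonitor = ./x.sh\n[alias]\n\tst = status\n\tco = "!sh -c y"\n[filter "z"]\n\tclean = cat\n' > "$d/config"
    echo "$d"
}

if [ $# -gt 0 ]; then audit_git_dir "$1"; else audit_git_dir "$(make_sample)"; fi
```

Pass the path of the `.git` directory as the first argument; with no argument the script audits the constructed sample. It reads only `hooks/` and `config` inside that directory and does not follow `include.path` entries.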