CVE-2023-27985
📋 TL;DR
This vulnerability in Emacs allows attackers to execute arbitrary shell commands through a malicious mailto: URI when using emacsclient-mail.desktop. It affects Emacs users who process mailto: links through the vulnerable desktop entry. The issue stems from improper sanitization of URI parameters.
💻 Affected Systems
- GNU Emacs
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with user privileges, potentially leading to full system compromise if the user has elevated privileges.
Likely Case
Local privilege escalation or arbitrary command execution when a user clicks a crafted mailto: link.
If Mitigated
Limited impact if proper input validation is in place or a patched version is used.
🎯 Exploit Status
Exploitation requires user interaction but is straightforward with publicly available proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 29.0.90 and later
Vendor Advisory: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204
Restart Required: No
Instructions:
1. Update Emacs to version 29.0.90 or later.
2. Use your package manager: 'sudo apt update && sudo apt upgrade emacs' (Debian/Ubuntu) or the equivalent for your distribution.
3. For source installations: download the latest source from GNU and rebuild.
🔧 Temporary Workarounds
Disable emacsclient-mail.desktop handler
Linux: Remove or modify the desktop entry so that the vulnerable component no longer handles mailto: URIs.
sudo rm /usr/share/applications/emacsclient-mail.desktop
xdg-mime default thunderfox.desktop x-scheme-handler/mailto
Use alternative mail client
Linux: Configure the system to use a different application for mailto: links.
xdg-mime default thunderfox.desktop x-scheme-handler/mailto
🧯 If You Can't Patch
- Avoid clicking mailto: links from untrusted sources
- Use Emacs in terminal mode without desktop integration
🔍 How to Verify
Check if Vulnerable:
Check the Emacs version with 'emacs --version' and see whether it is between 28.1 and 28.2. Check whether the desktop entry exists: 'ls /usr/share/applications/emacsclient-mail.desktop'.
Check Version:
emacs --version | head -1
Verify Fix Applied:
Verify that the Emacs version is 29.0.90 or later: 'emacs --version | head -1'. Then test with a safe mailto: URI.
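The two manual checks above can be combined into one script. The following is an added example written for this page, not code from the Emacs project or from the advisory itself: it applies the version rule stated above (affected 28.1 through 28.2, fixed in 29.0.90 and later), then checks whether the vulnerable desktop entry is present and whether it is the default mailto: handler. It assumes GNU coreutils (for 'sort -V') and xdg-utils (for 'xdg-mime'); the function names are this example's own.

```shell
#!/bin/sh
# Added example for CVE-2023-27985 (not from the Emacs project or the advisory):
# exposure check for a Linux desktop.
# Version rule from the advisory: affected 28.1 through 28.2, fixed in 29.0.90+.
# Assumes GNU coreutils (sort -V) and xdg-utils (xdg-mime).

# version_ge A B : succeeds when version A >= version B
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# emacs_version_vulnerable VERSION : succeeds when VERSION lies in [28.1, 29.0.90)
emacs_version_vulnerable() {
    version_ge "$1" 28.1 && ! version_ge "$1" 29.0.90
}

# parse_emacs_version TEXT : extracts "28.2" from the first line of
# `emacs --version` output ("GNU Emacs 28.2"); prints nothing if unparseable
parse_emacs_version() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/^GNU Emacs \([0-9][0-9.]*\).*/\1/p'
}

# mailto_handler_is_emacsclient HANDLER : succeeds when the xdg default for
# x-scheme-handler/mailto is the vulnerable desktop entry
mailto_handler_is_emacsclient() {
    [ "$1" = emacsclient-mail.desktop ]
}

# check_system : runs the live checks; returns 0 if not exposed, 1 if exposed.
# Exposure here means: affected version AND (desktop entry present OR it is
# the default mailto: handler).
check_system() {
    exposed=0
    ver=$(parse_emacs_version "$(emacs --version 2>/dev/null)")
    handler=$(xdg-mime query default x-scheme-handler/mailto 2>/dev/null)
    desktop=/usr/share/applications/emacsclient-mail.desktop

    if [ -z "$ver" ]; then
        echo "emacs not found or version not parseable; nothing to check"
        return 0
    fi
    echo "Emacs version: $ver"
    if emacs_version_vulnerable "$ver"; then
        echo "  version is in the affected range (28.1 to 28.2; fixed in 29.0.90)"
        if [ -f "$desktop" ]; then
            echo "  $desktop is present"
            exposed=1
        fi
        if mailto_handler_is_emacsclient "$handler"; then
            echo "  mailto: links are routed to emacsclient-mail.desktop"
            exposed=1
        fi
    fi
    if [ "$exposed" -eq 1 ]; then
        echo "RESULT: exposed to CVE-2023-27985; update Emacs or apply a workaround"
        return 1
    fi
    echo "RESULT: not exposed"
    return 0
}

# Run the live checks only when invoked with --check, so the file can also be
# sourced for its functions (e.g. in a fleet inventory script).
if [ "${1-}" = --check ]; then
    check_system
fi
```

Run it as 'sh check-emacs-mailto.sh --check' (any file name works); a non-zero exit means the host still needs the update or one of the workarounds above. The version comparison relies on 'sort -V', so pre-release strings such as 29.0.50 sort correctly below 29.0.90.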
📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands executed from emacsclient processes
- Suspicious mailto: URI parameters in system logs
Network Indicators:
- Outbound connections from Emacs processes to unexpected destinations
SIEM Query:
process.name:"emacs" AND cmdline:"mailto:*" AND cmdline:["$", "&", ";", "|"]
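The SIEM query above is written in a generic field syntax; as an added example (not part of this advisory) here is the same rule applied on a host to process-audit lines: an emacs or emacsclient process, a mailto: argument, and at least one of the shell metacharacters $ & ; |. It goes slightly beyond the query by matching the emacsclient process name as well as emacs, since that is the binary the desktop entry launches. The line format "<timestamp> <process-name> <command line>" and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory: host-side filter applying the
# advisory's SIEM logic (emacs/emacsclient process, mailto: argument, one of
# the shell metacharacters $ & ; |) to audit lines of the constructed form
# "<timestamp> <process-name> <command line>".

# cmdline_suspicious CMDLINE : succeeds when CMDLINE carries a mailto: URI
# together with at least one of $ & ; |
cmdline_suspicious() {
    case "$1" in
        *mailto:*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'$'*|*'&'*|*';'*|*'|'*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_log FILE : prints matching lines for emacs/emacsclient processes;
# succeeds when at least one line matched
scan_log() {
    matched=1
    while IFS= read -r line; do
        rest=${line#* }        # drop the timestamp
        proc=${rest%% *}       # process name
        cmd=${rest#* }         # full command line
        case "$proc" in
            emacs|emacsclient) ;;
            *) continue ;;
        esac
        if cmdline_suspicious "$cmd"; then
            printf '%s\n' "$line"
            matched=0
        fi
    done < "$1"
    return $matched
}

# Constructed sample: a plain mailto (not flagged), a multi-parameter mailto
# (flagged on the '&' query separator), one containing '|' (flagged), and one
# from a non-Emacs process (skipped).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2023-03-09T10:00:01 emacsclient emacsclient --eval (message-mailto "mailto:alice@example.org?subject=hello")
2023-03-09T10:00:02 emacsclient emacsclient --eval (message-mailto "mailto:bob@example.org?subject=hi&body=thanks")
2023-03-09T10:00:03 emacsclient emacsclient --eval (message-mailto "mailto:carol@example.org?body=a|b")
2023-03-09T10:00:04 firefox firefox mailto:dave@example.org?body=x;y
EOF
scan_log "$demo_log"
rm -f "$demo_log"
```

One caveat the sample makes visible: '&' is the normal separator between mailto: query parameters, so this rule, like the SIEM query above, also fires on benign multi-parameter links. Treat hits as leads to review against the Emacs version on the host rather than as verdicts, or drop '&' from the character set if the noise is too high.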
🔗 References
- http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=d32091199ae5de590a83f1542a01d75fba000467
- http://www.openwall.com/lists/oss-security/2023/03/09/1
- https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204
- https://www.gabriel.urdhr.fr/2023/06/08/emacsclient-mail-shell-elisp-injections/
- https://www.openwall.com/lists/oss-security/2023/03/08/2