Re: Arbitrary Code Execution in Commands: K, Control-], g]

["Michael Wojcik" <Michael.Wojcik () microfocus com>]

> From: rdancer () gmail com [mailto:rdancer () gmail com] On Behalf 
> Of Jan Minár
> Sent: Friday, 22 August, 2008 10:26
> To: bugs () vim org; vim-dev () vim org; 
> full-disclosure () lists grok org uk; bugtraq () securityfocus com
> Subject: Vim: Arbitrary Code Execution in Commands: K, Control-], g]
>
> Vim: Arbitrary Code Execution in Commands: K, Control-], g]

This report greatly overstates the danger of this bug. It's worth reading the discussion from the Vim Dev list (Minár's 
[2] below).


> 3.1. Keyword Lookup -- The ``K'' Command
>
> 3.1.1. Shell Commands and Ex Commands
>
> Because the string passed to the shell for execution is not 
> sanitized, it is possible to specify arbitrary shell commands 
> where Vim expects an argument for the keyword program.  Same 
> applies to arbitrary Ex commands.

The K command is designed to execute an arbitrary program. The user can set the program by setting the keywordprg 
option. Minár's exploits require setting vim options to implausible values, either using a modeline (which no sensible 
user ever allows on untrustworthy files, and no truly security-conscious user enables at all) or monumental user 
stupidity. Given that, why not simply set keywordprg? Or do anything else that a modeline allows?

> 3.1.2. Keyword Program Command Line Switches
>
> It is possible to specify command line switches for the 
> keyword program in place of the argument.  The gravity of 
> this vulnerability depends on the keyword program selected.  
> GNU man, the default keyword program in many installations, 
> supports for example the ``--pager'' option (cf.
> the GNU man(1) manual page).  This allows arbitrary command execution.

As does setting PAGER in the environment before vim starts, which is an equally plausible attack.

Schmidt did accidentally discover an issue with unescaped characters and the K command - specifically with Visual-K and 
an unconventional setting of keywordprg, used in a manner for which it was not intended (selecting a URL and using K to 
pass it to a browser). See Minár's [1]. So it's not impossible for someone to encounter this bug while operating in a 
manner they think is sensible.

But very few users will create the necessary conditions, so the attack surface is vanishingly small; and users who do 
that sort of thing with untrustworthy data are going to shoot themselves in the foot sooner or later. No vim required.

It'd be much better to focus on vim security issues that have some chance of exploitation, like the netrw problems that 
Minár recently documented. This sort of thing is just noise.

> [1] Ben Schmidt discovered this vulnerability in:
>     Message-Id: <48AB91B3.9000709 () yahoo com au>
>     http://groups.google.com/group/vim_dev/msg/6ad2d5b50a96668e
>
> [2] 
> http://groups.google.com/group/vim_dev/browse_thread/thread/14
> 34d0812b5c817e/6ad2d5b50a96668e
>
> [3] http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/