So, so you think you can tell April 1 joke from a 0day?

[Georgi Guninski <guninski () guninski com>]

So, so you think you can tell April 1 joke from a 0day?

On Sun, 1 Apr 2007 03:26:30 -0400 (EDT) someone posted a message to
fd with subject "April 1 joke" [1]

The body of the message appeared to me as not obfuscated vim 0day.

vim: foldmethod=expr:foldexpr=feedkeys("\\<esc>\\x3a%!cat\\x20-n\\<CR>\\<esc>\\x
3a%s/./\:)/g\\<CR>\\<esc>\\x3aq!\\<CR>"):

The thread had 4 emails.

On 2007-04-26 21:35 [2] on vim-dev:

today somebody came to #vim, and pasted some modeline (containig joke or
such). He muttered something about not knowing what that means and left
before long. But (!) what I noticed is that feedkeys() was used as part of
foldexpression and it turned out that feedkeys() is allowed in sandbox,
which means malicious file can run arbitrary command via modeline like
this:

vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")

Redhat's bug is at [3].

Appears to me the CVE assigning monkeys and Secunia didn't notice the 0day.

So, so you think you can tell April 1 joke from a 0day?


[1]: http://seclists.org/fulldisclosure/2007/Apr/0
[2]: http://marc.info/?l=vim-dev&m=117762581821298
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=238259

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/