oss-sec mailing list archives
Security risk of server side text editing in general and vim.tiny specifically
From: Fiedler Roman <Roman.Fiedler () ait ac at>
Date: Fri, 3 Nov 2017 11:07:14 +0000
Dear OSS-Security List,

Due to the recent discussion on vim swap file use, I expected also attraction of evil-minded to the topic of text editing security and thus an increase in attack probability on server side text editing in general. Therefore I wanted to review our software qualification criteria for text editing on servers, where vim/vim.tiny is used, and probably update the SOPs and guidelines.

As .swp security problems also arise from unclear software behaviour expectations, I looked at the behaviour of vim.tiny to verify it works according to specification (man pages as reference). As it seems, the tool is not suited for editing of files not owned by the same user, which is not mentioned in the man pages. Maybe that indicates that the software design process did not include that specific security requirement or the implementation was insufficient. Therefore I would assume that numerous bugs of similar kind might be found, but there is no time (funding) to do in-depth checks.

I would be interested in consensus on whether editing of non-root files by the root user is bad practice in general (thus, e.g., should be mentioned in the SECURITY section of man pages of various common server side text editing tools to raise awareness, but no CVEs) or if you think that this is software misbehaviour.

Input from "Solar Designer <solar at openwall x com>" to that topic:

"This discussion does not belong on the distros list. Please bring it to oss-security ASAP, including the PoC (or optionally delay it by at most a week, but I see no reason for that as nothing will change in that week anyway), and people will hopefully reply for real in there.

There's no embargoed issue here that I can see and no proposed unembargo date either (a requirement for any initial posting to distros), I don't see how anything will change within distros' list maximum embargo time of 14 days, and it is indeed "bad practice in general" to access files as root in user-writable directories, which is not at all limited to text editors."

Best regards,
Roman Fiedler

PS: POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user root when editing a file in a directory owned by another user is available on request; disclosure after one week or if list discussion indicates other timing.

ROMAN FIEDLER
Scientist
Information Management
Center for Digital Safety & Security
AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1 | 8020 Graz | Austria
T +43 50550-2957 | M +43 664 8561599 | F +43 50550-2950
roman.fiedler () ait ac at | https://www.ait.ac.at
View my researcher profile: https://www.ait.ac.at/profile/detail/Fiedler-Roman/
FN: 115980 i HG Wien | UID: ATU14703506
www.ait.ac.at/Email-Disclaimer
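The rule the post converges on, "do not access files as root in user-writable directories", can be turned into a pre-flight check that an SOP or wrapper script runs before a privileged edit. The following is an added example written for this archive page, not code from the post, from vim or from AIT; the function names and the exact set of risk conditions (non-root owner, group/world-writable, symlink component) are my own choices.

```python
#!/usr/bin/env python3
"""Pre-flight audit: is it safe for root to edit (and let the editor create
swap/backup files beside) a given path? Every directory on the path is
checked, because an editor's swap file inherits the trust of the directory
it is created in. Added example; function names are assumptions."""
import os
import stat
import sys


def component_risks(st_mode, st_uid):
    """Classify one path component from its lstat() mode and owner.
    Returns the reasons a non-root user could influence it ([] = trusted)."""
    reasons = []
    if stat.S_ISLNK(st_mode):
        reasons.append("symlink: target can be swapped after the check")
    if st_uid != 0:
        reasons.append(f"owned by uid {st_uid}, not root")
    if st_mode & stat.S_IWOTH:
        tag = "world-writable"
        if stat.S_ISDIR(st_mode) and st_mode & stat.S_ISVTX:
            # Sticky bit stops deletion/rename by others, but anyone can
            # still pre-create an entry (e.g. a .swp name) root would open.
            tag += " (sticky: entries can still be pre-created by others)"
        reasons.append(tag)
    elif st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons


def audit_edit_path(path):
    """Walk each component of the absolute path and collect (component,
    reason) pairs. A not-yet-existing final component is allowed: the
    directory that will hold it is what matters."""
    findings = []
    current = os.sep
    for part in os.path.abspath(path).split(os.sep)[1:]:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            break
        findings.extend((current, r) for r in component_risks(st.st_mode, st.st_uid))
    return findings


def safe_to_edit_as_root(path):
    return not audit_edit_path(path)


if __name__ == "__main__":
    for p in sys.argv[1:]:
        for component, reason in audit_edit_path(p) or [(p, "no risks found")]:
            print(f"{p}: {component}: {reason}")
```

Run it as `audit.py /etc/hosts /home/user/notes.txt`; a path with any finding should be edited as the owning user (or copied into a root-owned directory first) rather than opened directly as root.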