Re: Vim: Arbitrary Code Execution in Commands: K, Control-], g]

[staff <staff () lul-disclosure net>]

You are almost as good as us when it comes to publishing bugs no one gives a
shit about.

On Fri, Aug 22, 2008 at 10:25 AM, Jan Minář <rdancer () rdancer org> wrote:

> Vim: Arbitrary Code Execution in Commands: K, Control-], g]
>
> 1. SUMMARY
>
> Product  : Vim -- Vi IMproved
> Versions : 3.0--current, possibly older
> Impact   : Arbitrary code execution
> Wherefrom: Local
> Original : http://www.rdancer.org/vulnerablevim-K.html
>
> Insufficient sanitization can lead to Vim executing arbitrary commands
> when performing keyword or tag lookup.  Ben Schmidt discovered this
> vulnerability[1].
>
>
> 2. BACKGROUND
>
>  ``Vim is an almost compatible version of the UNIX editor Vi. Many new
>    features have been added: multi-level undo, syntax highlighting,
>    command line history, on-line help, spell checking, filename
>    completion, block operations, etc.''
>
>                -- Vim README.txt
>
>  ``[Normal mode command] K [...] Run a program to lookup the keyword
>    under the cursor.  The name of the program is given with the
>    'keywordprg' (kp) option (default is "man").''
>
>                -- Vim Reference Manual (``various.txt'')
>
>  ``[Normal mode command] CTRL-] [...] Jump to the definition of the
>    keyword under the cursor.''
>
>                -- Vim Reference Manual (``tagsrch.txt'')
>
>
> 3. VULNERABILITIES
>
>  ``src/normal.c'':
>
>    5514            if (cmdchar == '*')
>    5515                aux_ptr = (char_u *)(p_magic ? "/.*~[^$\\" :
> "/^$\\");
>    5516            else if (cmdchar == '#')
>    5517                aux_ptr = (char_u *)(p_magic ? "/?.*~[^$\\" :
> "/?^$\\");
>    5518            else if (cmdchar == 'K' && !kp_help)
> --> 5519                aux_ptr = (char_u *)" \t\\\"|!";
>    5520            else
>    5521                /* Don't escape spaces and Tabs in a tag with a
> backslash */
> --> 5522                aux_ptr = (char_u *)"\\|\"";
>    5523
>    5524            p = buf + STRLEN(buf);
>    5525            while (n-- > 0)
>    5526            {
>    5527                /* put a backslash before \ and some others */
>    5528                if (vim_strchr(aux_ptr, *ptr) != NULL)
>    5529                    *p++ = '\\';
>    5530        #ifdef FEAT_MBYTE
>    5531                /* When current byte is a part of multibyte
> character, copy all bytes
>    5532                 * of that character. */
>    5533                if (has_mbyte)
>    5534                {
>    5535                    int i;
>    5536                    int len = (*mb_ptr2len)(ptr) - 1;
>    5537
>    5538                    for (i = 0; i < len && n >= 1; ++i, --n)
>    5539                        *p++ = *ptr++;
>    5540                }
>    5541        #endif
>    5542                *p++ = *ptr++;
>    5543            }
>    5544            *p = NUL;
>    5545
>    5546            /*
>    5547             * Execute the command.
>    5548             */
>    5549            if (cmdchar == '*' || cmdchar == '#')
>    5550            {
>    5551                if (!g_cmd && (
>    5552        #ifdef FEAT_MBYTE
>    5553                        has_mbyte ?
> vim_iswordp(mb_prevptr(ml_get_curline(), ptr)) :
>    5554        #endif
>    5555                        vim_iswordc(ptr[-1])))
>    5556                    STRCAT(buf, "\\>");
>    5557        #ifdef FEAT_CMDHIST
>    5558                /* put pattern in search history */
>    5559                add_to_history(HIST_SEARCH, buf, TRUE, NUL);
>    5560        #endif
>    5561                normal_search(cap, cmdchar == '*' ? '/' : '?', buf,
> 0);
>    5562            }
>    5563            else
> --> 5564                do_cmdline_cmd(buf);
>
> The variable ``aux_ptr'' contains characters to be escaped.  Line 5519
> for the ``K'' command, line 5522 for the ``Control-]'' and ``g]''
> commands.  Both values leave out characters that must be escaped.  The
> command is assembled, and on line 5564, it is executed as a regular Ex
> command.  No special shell escaping is done for the ``K'' command,
> although the string is passed to shell for execution.
>
>
> 3.1. Keyword Lookup -- The ``K'' Command
>
> 3.1.1. Shell Commands and Ex Commands
>
> Because the string passed to the shell for execution is not sanitized,
> it is possible to specify arbitrary shell commands where Vim expects an
> argument for the keyword program.  Same applies to arbitrary Ex commands.
>
>
> 3.1.2. Keyword Program Command Line Switches
>
> It is possible to specify command line switches for the keyword program
> in place of the argument.  The gravity of this vulnerability depends on
> the keyword program selected.  GNU man, the default keyword program in
> many installations, supports for example the ``--pager'' option (cf.
> the GNU man(1) manual page).  This allows arbitrary command execution.
>
>
> 3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands
>
> Insufficient sanitization of an Ex command argument allows specifying
> additional arbitrary Ex commands in place of the argument.
>
>
> 3.3. Unknown Shell/Keyword Program
>
> Because the syntax of the shell that is being used to execute the
> commands is not known beforehand, there may be other unknown
> vulnerabilities, that are present depending on the shell being used.
> Ditto for the man(1) program, and other keyword programs.
>
>
> 4. EXPLOIT
>
> Copy-and-paste these examples into separate files:
>
>    ;xclock
>    vim: set iskeyword=;,@
>
> Place your cursor on ``xclock'', and press K.  xclock appears.
>
>    ;date>>pwned
>    vim: set iskeyword=1-255
>
> Place your cursor on ``date'' and press K.  File ``pwned'' is created in
> the current working directory.
>
> Please note: If modeline processing is disabled, set the 'iskeyword'
> option manually.
>
> See the thread on the Vim Developers' mailing list for some other
> examples[2].
>
>
> 5. PATCH
>
> A patch that fixes some of the vulnerabilities has been developed[3].
>
>
> 6. REFERENCES
>
> [1] Ben Schmidt discovered this vulnerability in:
>    Message-Id: <48AB91B3.9000709 () yahoo com au>
>    http://groups.google.com/group/vim_dev/msg/6ad2d5b50a96668e
>
> [2]
> http://groups.google.com/group/vim_dev/browse_thread/thread/1434d0812b5c817e/6ad2d5b50a96668e
>
> [3] http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2
>
>
> 7. COPYRIGHT
>
> This advisory is Copyright 2008 Jan Minar <rdancer () rdancer org>
>
> Copying welcome, under the Creative Commons ``Attribution-Share Alike''
> License http://creativecommons.org/licenses/by-sa/2.0/uk/
>
> Code included herein, and accompanying this advisory, may be copied
> according to the GNU General Public License version 2, or the Vim
> license.  See the subdirectory ``licenses''.
>
> Various portions of the accompanying code may have been written by
> various parties.  Those parties may hold copyright, and those portions
> may be copied according to their respective licenses.
>
>
> 8. HISTORY
>
> 2008-08-22 Sent to: <bugs () vim org>, <vim-dev () vim org>,
>           <full-disclosure () lists grok org uk>,
>           <bugtraq () securityfocus com>
> 2008-08-20 Ben Schmidt reported this vulnerability to <vim-dev () vim org>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
submit to: staff [at] lul-disclosure.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/