oss-sec mailing list archives

Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

From: Tomas Hoger <thoger () redhat com>
Date: Tue, 15 Jul 2008 17:43:53 +0200

On Sun, 13 Jul 2008 01:35:42 +0100 "Jan Minář" <rdancer () rdancer org>
wrote:

Thanks for CCing me.  Thomas's observations are right.


No problem.  Your inputs are really appreciated, as you obviously spent
a lot of time on researching those issues.

CVE-2008-2712 description does not mention tar.vim issue.  It is
described in 3.4.2.3, but its test does not seem to be run when
doing make test for the top-most Makefile in the first test suite.


That's correct, I omitted the test from the top-most Makefile by
mistake.


I believe this is already corrected in your updated test suite:
http://www.rdancer.org/vulnerablevim.2008-07-13.tar.bz2

On Thu, 10 Jul 2008 18:55:46 +0200 Tomas Hoger <thoger () redhat com>
wrote:

Jonathan, did new netrw tests work for you?  With which vim version?
They all failed for me with vim 7.1.245 / netrw 109.


Regarding those new netrw issues:

- Issues 1 (netrw.v2) and 2 (netrw.v3) (for mz and mc commands) does not
seem to affect any stable version of vim.  Support for those commands
was only added after vim 7.1 and should only affect 7.2 alpha (and
possibly also beta, which was released this week iirc).

- Issue 3 (netrw.v4) affects netrw versions of netrw as shipped with
vim 7.0 and 7.1.  This problem does not seem to affect explorer.vim
used by vim 6.x.

Steven, are you going to split / de-dupe CVE ids based on this
information and the information in my post in other thread:

http://www.openwall.com/lists/oss-security/2008/07/15/2 ?

Sounds like this may be a good split, but I'm afraid I'll get stoned
for causing another CVE headache mess:
- CVE-2008-2712 - first advisory; xpm, filetype, gzip tests; affects
vim 6.0+, possibly older (not checked)
- CVE-new1 - first + second advisory; netrw and netrw.v4 tests; vim 7.0+
- CVE-new2 - first advisory; netrw test; explorer.vim on vim 6.x,
possibly older
- merged CVE-2008-3074 and CVE-2008-3075 - first + second advisroy;
tarplugin* and zipplugin tests; vim 7.0+
- CVE-new3 - second advisory; netrw.v2 and netrw.v3 tests; vim 7.2a+

Of course, this split takes into account first affected version, not
when the issue got / will get fixed.  I believe not all issues are
already fixed upstream.  Bram, feel free to correct me if I'm wrong.

Additionally, netrw.v3 uncovered one old bug affecting some 6.2 and 6.3
vim versions.  On affected versions, it triggers heap buffer overflow,
when vim is used to open file or directory with specially crafted name.

The problem is in the mch_expand_wildcards() in os_unix.c.  Problem was
introduced in 6.2.429:
  http://vim.cvs.sourceforge.net/vim/vim/src/os_unix.c?view=log#rev1.104
  ftp://ftp.vim.org/pub/vim/patches/6.2.429

After applying this patch, following occurs:
- vim tries to run external command to perform shell expansion, to
calculate a buffer size needed to store this command, following code is
used:

  /* "unset nonomatch; print -N >" plus two is 29 */
  len = STRLEN(tempname) + 29;
  for (i = 0; i < num_pat; ++i)       /* count the length of the patterns */
      len += STRLEN(pat[i]) + 3;      /* add space and two quotes */
  command = alloc(len);

(i.e. expected command is: <some fixed length prefix> <space> <quote>
<pattern from file/directory name> <quote>, possibly with multiple
patterns).

However, later in the code, more complex quoting is used, which quotes
being added around spaces and 's, so patterns with lots of spaces can
easily trigger command buffer overflow:

    if (vim_strchr((char_u *)" '", pat[i][j]) != NULL)
    {
        *p++ = '"';
        while (pat[i][j] != NUL
                && vim_strchr((char_u *)" '", pat[i][j]) != NULL)
            *p++ = pat[i][j++];
        *p++ = '"';
    }
    else
        *p++ = pat[i][j++];

Issue was addressed upstream in:
  http://vim.cvs.sourceforge.net/vim/vim/src/os_unix.c?view=log#rev1.111
  ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.059

Memory requirement computation phase was updated to take this quoting
mechanism into account.  This was further re-written for vim 7.0 in:
  http://vim.cvs.sourceforge.net/vim/vim7/src/os_unix.c?r1=1.49&r2=1.50

Steven, can you please allocate an id for this heap corruption
affecting 6.2.429 - 6.3.059?  Thanks!

-- 
Tomas Hoger / Red Hat Security Response Team

Current thread:

Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Jonathan Smith (Jul 07)
- Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Steven M. Christey (Jul 08)
  - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Tomas Hoger (Jul 10)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Jan Minář (Jul 12)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Tomas Hoger (Jul 15)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Jan Minář (Jul 16)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Tomas Hoger (Jul 16)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Jan Minář (Jul 16)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Jonathan Smith (Jul 20)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Tomas Hoger (Jul 20)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Steven M. Christey (Jul 31)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Tomas Hoger (Aug 05)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Jan Minář (Jul 21)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Tomas Hoger (Jul 21)
    - Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 Jan Minář (Jul 21)

(Thread continues...)