oss-sec mailing list archives

Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10


From: "Jan Minář" <rdancer () rdancer org>
Date: Wed, 16 Jul 2008 17:41:17 +0100

On Wed, Jul 16, 2008 at 3:42 PM, Tomas Hoger <thoger () redhat com> wrote:
> On Wed, 16 Jul 2008 11:35:01 +0100 "Jan Minář" <rdancer () rdancer org>
> wrote:
>> are versioned and dated, so for example the first version of ftp.vim
>> not vulnerable is version 21 of 2008-07-12.

Should read ``zip.vim'' of course.

>> The overall issue is that up until recently Vim script did not
>> provide any means of quoting metacharacters.  At the time of the
>> first advisory, there were close to a thousand ``execute''
>> statements.

> Based on your research, do you believe that all / most of them can
> really be exploited to perform some harmful actions just by a user
> opening some file with an odd file name?

Let's see:

``zip.vim'':
Version ................ 14
Released ............... 2007-05-08
Lines .................. 373
``execute'' statements:  11
out of which exploitable 10

Version ................ 21
Released ............... 2008-07-12
Lines .................. 387
``execute'' statements:  8
out of which exploitable ???

I wasn't joking when I used grep in the first advisory to estimate the
size of the problem.

>> The particular vulnerabilities detailed in the advisories are
>> examples of a more widespread tendency in the Vim code. Should there
>> be a separate CVE for the overall issue, alongside CVEs for the
>> particular vulnerabilities?

> I'm not aware of any example of such a generic umbrella CVE and I believe
> "tendency" is not a good candidate for a CVE id, as a CVE should map to a
> particular vulnerability.  Though there are a few special cases / CVEs,
> so Steven may correct me on this.

What I meant was, all those execute statements and system() calls
should be fixed, which means quoting introduced, and until that
happens, it doesn't really matter much if the problems with CVEs are
fixed, because any script kiddie can just pick one of the places that
will not have been fixed, and use one of the existing exploits.  But
as I said, I know very little about CVE number assignment, and I fully
submit to your collective wisdom.

Have a nice day,
Jan Minar.

PS: I have published two more advisories:

(1) Vim: Improper Implementation of shellescape()/Arbitrary Code Execution
    http://www.rdancer.org/vulnerablevim-shellescape.html
    -- This is two issues:
       (a) Flawed implementation of shellescape() (not all
           metacharacters are escaped)
       (b) The same tar.vim exploit, updated to use the
           above-mentioned vulnerability

(2) Arbitrary code execution in Netrw version 127, Vim 7.2b
    http://www.rdancer.org/vulnerablevim-netrw.v5.html
    -- This is a new vulnerability, same old pattern: 6 instances of
       unsanitized execute statements

The updated testsuite:
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
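The pattern this thread describes (an untrusted file name spliced into an ``execute'' or system() call with no quoting) next to the quoted form, as an added Vim script example; it is not code from the advisories, from zip.vim, tar.vim or Netrw, or from any other Vim plugin. The function names are made up for the illustration. It assumes Vim's shellescape() and fnameescape() functions (fnameescape() and the second argument of shellescape() are Vim 7.2 additions), and since advisory (1) above reports that the shellescape() implementation of the time did not escape all metacharacters, the hardened forms are only as good as that function on the Vim in question.

```vim
" Added example; not code from the advisories or from any Vim plugin.
" Function names (s:UnsafeZipList etc.) are hypothetical.
" Assumes shellescape() and fnameescape() as documented for Vim 7.2.

" The pattern the advisories describe: whatever is in a:zipfile is
" handed to the shell verbatim, so shell metacharacters in the file
" name are interpreted by the shell instead of being part of the name.
function! s:UnsafeZipList(zipfile) abort
  return system("unzip -l " . a:zipfile)
endfunction

" Hardened: shellescape() wraps the name in single quotes and escapes
" any embedded single quote, so the shell sees exactly one argument
" regardless of which characters the name contains.
function! s:SafeZipList(zipfile) abort
  return system("unzip -l " . shellescape(a:zipfile))
endfunction

" The same problem exists for Ex commands run through :execute, where
" '|' separates commands and ' ', '%' and '#' have special meaning in a
" file name argument.  fnameescape() escapes those characters so the
" whole string is taken as one file name.
function! s:SafeEdit(fname) abort
  execute "edit " . fnameescape(a:fname)
endfunction

" When the command goes through :! rather than system(), it must be
" quoted for the shell *and* protected from the expansions :! itself
" performs ('%', '#', '!').  shellescape() with a non-zero second
" argument does both (the second argument is a Vim 7.2 addition).
function! s:SafeBangZipList(zipfile) abort
  execute "!unzip -l " . shellescape(a:zipfile, 1)
endfunction
```

The fix the message calls for is mechanical: every place where a file name reaches the shell gets shellescape(), and every place where it reaches an Ex command gets fnameescape(); which of the two applies depends on what parses the string next, not on where the name came from.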
