oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security risk of server side text editing in general and vim.tiny specifically

From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 3 Nov 2017 13:01:10 +0100
* Fiedler Roman <Roman.Fiedler () ait ac at>, 2017-11-03, 11:07:
POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user root when editing file in directory owned by other user is available on request, disclosure after one week or if list discussion indicates other timing. 

By default[1], when vim wants to overwrite the file "foo", it does:

  rename("foo", "foo~")                   = 0
  open("foo", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0600) = 3
There's a race window between the two syscalls when the attacker could re-create "foo", and then vim would happily write to it. 

Is this the attack you meant?

NB, vim disables this behavior for files in /tmp (but not /var/tmp)[2].


[1] http://vimdoc.sourceforge.net/htmldoc/options.html#%27writebackup%27
[2] http://vimdoc.sourceforge.net/htmldoc/options.html#%27backupskip%27

--
Jakub Wilk
Previous By Date Next
Previous By Thread Next

Current thread: