You are almost as good as us when it comes to publishing bugs no one gives a shit about.
On Fri, Aug 22, 2008 at 10:25 AM, Jan Minář <[EMAIL PROTECTED]> wrote: > Vim: Arbitrary Code Execution in Commands: K, Control-], g] > > 1. SUMMARY > > Product : Vim -- Vi IMproved > Versions : 3.0--current, possibly older > Impact : Arbitrary code execution > Wherefrom: Local > Original : http://www.rdancer.org/vulnerablevim-K.html > > Insufficient sanitization can lead to Vim executing arbitrary commands > when performing keyword or tag lookup. Ben Schmidt discovered this > vulnerability[1]. > > > 2. BACKGROUND > > ``Vim is an almost compatible version of the UNIX editor Vi. Many new > features have been added: multi-level undo, syntax highlighting, > command line history, on-line help, spell checking, filename > completion, block operations, etc.'' > > -- Vim README.txt > > ``[Normal mode command] K [...] Run a program to lookup the keyword > under the cursor. The name of the program is given with the > 'keywordprg' (kp) option (default is "man").'' > > -- Vim Reference Manual (``various.txt'') > > ``[Normal mode command] CTRL-] [...] Jump to the definition of the > keyword under the cursor.'' > > -- Vim Reference Manual (``tagsrch.txt'') > > > 3. VULNERABILITIES > > ``src/normal.c'': > > 5514 if (cmdchar == '*') > 5515 aux_ptr = (char_u *)(p_magic ? "/.*~[^$\\" : > "/^$\\"); > 5516 else if (cmdchar == '#') > 5517 aux_ptr = (char_u *)(p_magic ? "/?.*~[^$\\" : > "/?^$\\"); > 5518 else if (cmdchar == 'K' && !kp_help) > --> 5519 aux_ptr = (char_u *)" \t\\\"|!"; > 5520 else > 5521 /* Don't escape spaces and Tabs in a tag with a > backslash */ > --> 5522 aux_ptr = (char_u *)"\\|\""; > 5523 > 5524 p = buf + STRLEN(buf); > 5525 while (n-- > 0) > 5526 { > 5527 /* put a backslash before \ and some others */ > 5528 if (vim_strchr(aux_ptr, *ptr) != NULL) > 5529 *p++ = '\\'; > 5530 #ifdef FEAT_MBYTE > 5531 /* When current byte is a part of multibyte > character, copy all bytes > 5532 * of that character. */ > 5533 if (has_mbyte) > 5534 { > 5535 int i; > 5536 int len = (*mb_ptr2len)(ptr) - 1; > 5537 > 5538 for (i = 0; i < len && n >= 1; ++i, --n) > 5539 *p++ = *ptr++; > 5540 } > 5541 #endif > 5542 *p++ = *ptr++; > 5543 } > 5544 *p = NUL; > 5545 > 5546 /* > 5547 * Execute the command. > 5548 */ > 5549 if (cmdchar == '*' || cmdchar == '#') > 5550 { > 5551 if (!g_cmd && ( > 5552 #ifdef FEAT_MBYTE > 5553 has_mbyte ? > vim_iswordp(mb_prevptr(ml_get_curline(), ptr)) : > 5554 #endif > 5555 vim_iswordc(ptr[-1]))) > 5556 STRCAT(buf, "\\>"); > 5557 #ifdef FEAT_CMDHIST > 5558 /* put pattern in search history */ > 5559 add_to_history(HIST_SEARCH, buf, TRUE, NUL); > 5560 #endif > 5561 normal_search(cap, cmdchar == '*' ? '/' : '?', buf, > 0); > 5562 } > 5563 else > --> 5564 do_cmdline_cmd(buf); > > The variable ``aux_ptr'' contains characters to be escaped. Line 5519 > for the ``K'' command, line 5522 for the ``Control-]'' and ``g]'' > commands. Both values leave out characters that must be escaped. The > command is assembled, and on line 5564, it is executed as a regular Ex > command. No special shell escaping is done for the ``K'' command, > although the string is passed to shell for execution. > > > 3.1. Keyword Lookup -- The ``K'' Command > > 3.1.1. Shell Commands and Ex Commands > > Because the string passed to the shell for execution is not sanitized, > it is possible to specify arbitrary shell commands where Vim expects an > argument for the keyword program. Same applies to arbitrary Ex commands. > > > 3.1.2. Keyword Program Command Line Switches > > It is possible to specify command line switches for the keyword program > in place of the argument. The gravity of this vulnerability depends on > the keyword program selected. GNU man, the default keyword program in > many installations, supports for example the ``--pager'' option (cf. > the GNU man(1) manual page). This allows arbitrary command execution. > > > 3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands > > Insufficient sanitization of an Ex command argument allows specifying > additional arbitrary Ex commands in place of the argument. > > > 3.3. Unknown Shell/Keyword Program > > Because the syntax of the shell that is being used to execute the > commands is not known beforehand, there may be other unknown > vulnerabilities, that are present depending on the shell being used. > Ditto for the man(1) program, and other keyword programs. > > > 4. EXPLOIT > > Copy-and-paste these examples into separate files: > > ;xclock > vim: set iskeyword=;,@ > > Place your cursor on ``xclock'', and press K. xclock appears. > > ;date>>pwned > vim: set iskeyword=1-255 > > Place your cursor on ``date'' and press K. File ``pwned'' is created in > the current working directory. > > Please note: If modeline processing is disabled, set the 'iskeyword' > option manually. > > See the thread on the Vim Developers' mailing list for some other > examples[2]. > > > 5. PATCH > > A patch that fixes some of the vulnerabilities has been developed[3]. > > > 6. REFERENCES > > [1] Ben Schmidt discovered this vulnerability in: > Message-Id: <[EMAIL PROTECTED]> > http://groups.google.com/group/vim_dev/msg/6ad2d5b50a96668e > > [2] > http://groups.google.com/group/vim_dev/browse_thread/thread/1434d0812b5c817e/6ad2d5b50a96668e > > [3] http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2 > > > 7. COPYRIGHT > > This advisory is Copyright 2008 Jan Minar <[EMAIL PROTECTED]> > > Copying welcome, under the Creative Commons ``Attribution-Share Alike'' > License http://creativecommons.org/licenses/by-sa/2.0/uk/ > > Code included herein, and accompanying this advisory, may be copied > according to the GNU General Public License version 2, or the Vim > license. See the subdirectory ``licenses''. > > Various portions of the accompanying code may have been written by > various parties. Those parties may hold copyright, and those portions > may be copied according to their respective licenses. > > > 8. HISTORY > > 2008-08-22 Sent to: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, > <[email protected]>, > <[EMAIL PROTECTED]> > 2008-08-20 Ben Schmidt reported this vulnerability to <[EMAIL PROTECTED]> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- submit to: staff [at] lul-disclosure.net
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
