VIM statusline Text-Embedded Command Execution Vulnerability

BugTraq ID: 2510
Remote: Yes
Date Published: 2001-03-26
Relevant URL: http://www.securityfocus.com/bid/2510

Summary:

VIM is an enhanced version of the popular programmer's unix text editor vi. In versions up to and including the current release, 5.7, it is possible for an attacker to embed malicious commands in a normal text file; these commands will be executed when the text file is opened, with the privileges of the user opening the text file.

VIM allows use of a "builtin function", system(), which executes shell commands and displays the output. VIM also provides the optional ability to display custom status lines when an option in a .vimrc file is set ("statusline", also abbreviated "stl"). The system() function can be called from a "statusline" (equivalent to "stl") command, which can be embedded in a text file. An attacker can create a text file containing a vim command similar to the following:

vim:ls=2:stl=%{system('/tmp/getroot&')}

The command need not be found at the beginning of a line; it can be placed anywhere in the text file. This could conceivably facilitate hiding it, by placing it at the end of an excessively long line of dashes, for example.

The first part of this example command, ls=2, sets the value of the 'laststatus' option to 2. This tells vim to always display the status line, which matters because code execution is dependent on the status line being displayed. The second part of the command denotes the contents of the status line. In this simplified example it is only the output of the "/tmp/getroot&" process; the ampersand tells the shell to run the process in the background. A sophisticated attacker might include the appropriate statusline options to make the status line look exactly the same as the one normally displayed; since this example only includes the system() function call, it will appear blank.
An interesting side effect of this sort of attack is that the command is executed every time the status line is updated, typically every keystroke. This could have the effect of exhausting system resources.

In order for this vulnerability to be exploited, the ability to modify status lines must be turned on (as set in a .vimrc file with the "statusline" or "stl" option). This is not the default configuration of the stand-alone VIM 5.7 distribution, but this does not guarantee that vendors who include VIM packages as part of a distribution have not turned this option on.
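As an added defensive example (not part of the advisory), the following Python checker flags Vim modelines whose 'statusline'/'stl' value carries a %{...} expression item, the pattern the advisory describes, and notes whether the expression calls system() and whether ls=2 is also set; the sample text is constructed.

```python
import re
from typing import Dict, List

# Vim modeline marker ("vi:", "vim:", "Vim:", "ex:") at line start or after whitespace;
# the rest of the line is the option text.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im|ex):\s*(?P<opts>.*)$")
# 'statusline'/'stl' option whose value carries a %{...} expression item, in either
# modeline form: "vim:ls=2:stl=..." or "vim: set stl=...:".
STL_EXPR_RE = re.compile(r"(?:^|[\s:])(?:stl|statusline)=(?P<value>\S*%\{[^}]*\})")
# 'laststatus' forced to 2, which the advisory notes is needed to keep the line shown.
LS2_RE = re.compile(r"(?:^|[\s:])(?:ls|laststatus)=2(?:$|[\s:])")


def find_statusline_modelines(text: str) -> List[Dict[str, object]]:
    """Return one finding per modeline whose statusline carries a %{...} item.
    Every line is scanned, since the advisory notes the modeline need not sit at
    a line start or at a fixed position in the file."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = MODELINE_RE.search(line)
        if not m:
            continue
        opts = m.group("opts")
        for hit in STL_EXPR_RE.finditer(opts):
            expr = hit.group("value")
            findings.append({
                "line": lineno,
                "expression": expr,
                "calls_system": "system(" in expr,  # the vector the advisory describes
                "forces_status_line": bool(LS2_RE.search(opts)),
            })
    return findings


# Constructed sample: two benign modelines, the advisory's payload hidden after a
# long run of dashes, then an ordinary line.
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et:",
    "/* vim: set stl=%f\\ %l,%c ls=2: */",
    "-" * 60 + " vim:ls=2:stl=%{system('/tmp/getroot&')}",
    "plain text with no modeline at all",
])

if __name__ == "__main__":
    for f in find_statusline_modelines(SAMPLE):
        print(f"line {f['line']}: {f['expression']} "
              f"(system call: {f['calls_system']}, ls=2: {f['forces_status_line']})")
```

A benign statusline such as the "%f %l,%c" in the sample is not reported, because only %{...} expression items can evaluate a function.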
