2017-01-19 15:06 GMT+03:00 sıx <[email protected]>:
> On 01/19/2017 12:46 PM, Marc Weber wrote:
>>> The trigger in this is a commonly used "ctrl+shift+v". I have asked
>>> around a few vim users about how they copy a text from a website into a
>>> file opened by vim. It looks like everyone is doing it that way.
>> Yeah - worse - it's the recommended way because "shell code on websites"
>> could have <span hidden>...</span> code. Thus pasting into an editor
>> before running usually is the way to go. If that action is exploitable
>> it should be fixed in some way - and the :r!cat way is worth testing as
>> well to be sure.
>>
>> Marc Weber
>>
>
> I have tested two ways now:
>
> 1. Copy to clipboard from browser.
> 2. Open Vim
> 3. :r! cat
> 4. Paste and wait.
> 5. Payload gets executed, but in this case it's a bit harder to hide the
> fact of the exploitation. In the previous case I wrote about, the user at best
> sees only that the screen blinks.
>
> 1. Copy to clipboard from browser.
> 2. Create a new file with another text editor and save the clipboard
> content.
> 3. Open Vim
> 4. :r! cat file_created.txt
> 5. Does not get executed.
>
> sıx
I am wondering what you mean by “Vim”? If it is terminal Vim *and* <C-S-v> is handled by the terminal itself (most likely: terminal Vim cannot distinguish <C-v> and <C-S-v> because terminals send the same byte in both variants) then whether or not this is fixable depends on whether or not the terminal supports bracketed paste mode: if it does, this can be fixed, otherwise it cannot. In addition to this there is a question whether pasted text can prematurely end paste mode itself; if it can then this is a terminal vulnerability and not Vim's.

Without terminal bracketed paste support all Vim sees is that the “user is typing very fast”; it cannot and should not prevent code in the paste from being executed: it is completely possible that Vim is being fed input from e.g. some testing script (and I actually did something like this myself). *Vim* paste mode is utterly useless regarding the matter: it allows escaping from insert mode just by `<Esc>`, so there still is a problem if Vim cannot distinguish paste and input.

Note that any kind of pasting to GUI Vim should not be vulnerable, or it is a fixable bug.

I personally use `"*p` or `"+p`. Pasting like this should not be vulnerable with any kind of Vim UI. Basically, if you want to paste something to Vim you should make *Vim* take care of obtaining the clipboard; `<C-S-v>` directs the terminal.

I have no idea why `:r !cat` is vulnerable; my best guess is that if there is a `<C-d>` in the paste then it will end `cat` prematurely. Worse, while Vim telling the terminal that it can receive bracketed pastes is completely justified, Vim must not assume that programs run with bang are also able to receive bracketed pastes, so for `r !command` Vim should tell the terminal “bracketed paste can no longer be received” and `command` should again request bracketed paste mode to receive bracketed pastes. `<C-r>=system(…)` suggested by Marc Weber *must be* vulnerable, it is the whole point of `<C-r>`.
Literal pasting is `p` from normal mode and `<C-r><C-r>` from insert mode, though I never used the latter (`<C-r><C-r>+` and `<C-r><C-r>*` should not be vulnerable either). And, please, do not write `:r! cat`, this is highly misleading. Bang here is not a command modifier, it is the start of the argument: use `:r !cat`. The difference is that if it were a command modifier then the proper spelling of `:read ++enc=cp1251 !echo «»` would be `read! ++enc=cp1251 echo «»`; also `:r !cat` looks more like `:!cat` than `:r! cat` does, and these are related. (BTW, why does `:read ++enc=cp1251 !echo «»` not yield the same result as `:read !echo «» | iconv -f cp1251`?)

> --
> --
> You received this message from the "vim_dev" maillist.
> Do not top-post! Type your reply below the text you are replying to.
> For more information, visit http://www.vim.org/maillist.php
>
> ---
> You received this message because you are subscribed to the Google Groups
> "vim_dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
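The three claims in the reply above (without bracketed paste the editor only sees "fast typing"; with it the paste arrives wrapped in markers and can be inserted literally; and a paste that contains the end marker breaks out early unless the terminal strips it) can be made concrete with a small model of the byte stream between a terminal emulator and an editor. This is an added example written for this page, not code from Vim or from anyone in the thread. The escape sequences are the real xterm ones (`ESC[?2004h`/`ESC[?2004l` to enable/disable bracketed paste, `ESC[200~`/`ESC[201~` around a paste); the `terminal_paste`, `editor_process` and `keys_seen` functions, the "key vs text" classification, and the sample clipboard contents are constructed for illustration.

```python
#!/usr/bin/env python3
"""Model of what an editor running in a terminal receives on stdin when the
user pastes, with and without bracketed paste mode (xterm private mode 2004).

Constructed example: the escape sequences are the real xterm ones, the
editor and terminal behaviour is a deliberately simplified model."""
from typing import List, Tuple

# Editor -> terminal: ask for / stop asking for paste bracketing.  An editor that
# hands the tty to a child process (the `:r !command` case in the thread) should
# send DISABLE first, because the child does not know how to parse the markers.
ENABLE_BRACKETED_PASTE = b"\x1b[?2004h"
DISABLE_BRACKETED_PASTE = b"\x1b[?2004l"
# Terminal -> editor: markers placed around pasted text when mode 2004 is on.
PASTE_START = b"\x1b[200~"
PASTE_END = b"\x1b[201~"

Event = Tuple[str, bytes]  # ("text", literal bytes) or ("key", control bytes)


def terminal_paste(clipboard: bytes, bracketed: bool, strip_markers: bool = False) -> bytes:
    """Bytes the terminal emulator writes to the editor's stdin on Ctrl-Shift-V.

    bracketed=False models a terminal without mode 2004: the clipboard is
    indistinguishable from very fast typing.  strip_markers models a careful
    terminal that removes an end marker embedded in the clipboard so the
    pasted content cannot end the bracket prematurely."""
    if not bracketed:
        return clipboard
    body = clipboard.replace(PASTE_END, b"") if strip_markers else clipboard
    return PASTE_START + body + PASTE_END


def clipboard_can_break_out(clipboard: bytes) -> bool:
    """True if the clipboard itself carries the end marker: forwarded unchanged,
    everything after it would again be read as keystrokes."""
    return PASTE_END in clipboard


def _is_literal(b: bytes) -> bool:
    # Printable ASCII, tab/newline/CR and any non-ASCII byte are plain text;
    # other C0 controls (ESC, Ctrl-D, ...) and DEL are treated as key presses.
    return b in (b"\n", b"\r", b"\t") or b" " <= b < b"\x7f" or b >= b"\x80"


def editor_process(stream: bytes) -> List[Event]:
    """Split the input stream into literal text and interpreted key events.

    Inside a PASTE_START..PASTE_END bracket every byte is literal text.  Outside
    it, control bytes are key presses; a real editor would then leave insert mode
    and interpret what follows as commands, which is the failure the thread is
    about.  Adjacent events of the same kind are merged."""
    events: List[Event] = []
    in_paste = False
    i = 0
    while i < len(stream):
        if stream.startswith(PASTE_START, i):
            in_paste, i = True, i + len(PASTE_START)
            continue
        if stream.startswith(PASTE_END, i):
            in_paste, i = False, i + len(PASTE_END)
            continue
        b = stream[i:i + 1]
        kind = "text" if in_paste or _is_literal(b) else "key"
        if events and events[-1][0] == kind:
            events[-1] = (kind, events[-1][1] + b)
        else:
            events.append((kind, b))
        i += 1
    return events


def keys_seen(stream: bytes) -> bytes:
    """Control bytes the editor would act on rather than insert."""
    return b"".join(data for kind, data in editor_process(stream) if kind == "key")


# Constructed clipboard: one visible line, then an ESC and an Ex-style line that
# a web page could hide from the reader (harmless `:echo` stands in for anything).
SAMPLE = b"visible line\n\x1b:echo 'hidden ex command'\r"
# Constructed clipboard that embeds the end marker to escape the bracket.
BREAKOUT = b"abc" + PASTE_END + b"\x1bZ"

if __name__ == "__main__":
    print("no bracketed paste :", editor_process(terminal_paste(SAMPLE, False)))
    print("bracketed paste    :", editor_process(terminal_paste(SAMPLE, True)))
    print("breakout, forwarded:", editor_process(terminal_paste(BREAKOUT, True)))
    print("breakout, stripped :", editor_process(terminal_paste(BREAKOUT, True, True)))
```

Running it shows the three cases side by side: without mode 2004 the ESC inside the clipboard surfaces as a key event, with mode 2004 the whole clipboard is one literal text event, and a clipboard carrying `ESC[201~` produces a key event after the marker unless the terminal strips it. The model deliberately stops at classifying bytes; it does not execute anything, since the point is only where the editor loses the ability to tell a paste from typing.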
