On 01/19/2017 02:25 PM, Nikolay Aleksandrovich Pavlov wrote:
> 2017-01-19 15:06 GMT+03:00 sıx <[email protected]>:
>> On 01/19/2017 12:46 PM, Marc Weber wrote:
>>>> The trigger in this is a commonly used "ctrl+shift+v". I have asked
>>>> around a few vim users about how they copy a text from a website into a
>>>> file opened by vim. It looks like everyone is doing it that way.
>>> Yeah - worse - it's the recommended way because "shell code on websites"
>>> could have <span hidden>...</span> code. Thus pasting into an editor
>>> before running usually is the way to go. If that action is exploitable
>>> it should be fixed in some way - and the :r!cat way is worth testing as
>>> well to be sure.
>>>
>>> Marc Weber
>>>
>>
>> I have tested two ways now:
>>
>> 1. Copy to clipboard from browser.
>> 2. Open Vim
>> 3. :r! cat
>> 4. Paste and wait.
>> 5. Payload gets executed, but in this case it's a bit harder to hide the
>> fact of the exploitation. In the previous case I wrote about, the user at
>> best sees only that the screen blinks.
>>
>> 1. Copy to clipboard from browser.
>> 2. Create a new file with another text editor and save the clipboard
>> content.
>> 3. Open Vim
>> 4. :r! cat file_created.txt
>> 5. Does not get executed.
>>
>> sıx
>
> I am wondering what you mean by "Vim"? If it is terminal Vim *and*
> <C-S-v> is handled by the terminal itself (most likely, terminal Vim
> cannot distinguish <C-v> and <C-S-v> because terminals send the same byte
> in both variants) then whether or not this is fixable depends on
> whether or not the terminal supports bracketed paste mode: if it does,
> this can be fixed, otherwise it cannot. In addition to this there is a
> question whether pasted text can prematurely end paste mode itself; if
> it can then this is a terminal vulnerability and not Vim's.
>
> Without the terminal's bracketed paste support all Vim sees is that "user
> is typing very fast"; it cannot and should not prevent code in a paste
> from being executed: it is completely possible that Vim is being fed
> input from e.g. some testing script (and I actually did something like
> this myself).
>
> *Vim* paste mode is utterly useless regarding the matter: it allows
> escaping from insert mode just by `<Esc>`, so there still is a problem
> if Vim cannot distinguish paste and input.
>
> Note that any kind of pasting to GUI Vim should not be vulnerable, or
> it is a fixable bug.
>
> I personally use `"*p` or `"+p`. Pasting like this should not be
> vulnerable with any kind of Vim UI. Basically if you want to paste
> something to Vim you should make *Vim* take care of obtaining the
> clipboard; `<C-S-v>` directs the terminal. I have no idea why `:r !cat` is
> vulnerable; best guess is that if there is `<C-d>` in the paste then it
> will end `cat` prematurely. Worse, while Vim telling the terminal that it
> can receive bracketed pastes is completely justified, Vim must not
> assume that programs run with bang are also able to receive bracketed
> pastes, so for `r !command` Vim should tell the terminal "bracketed paste
> can no longer be received" and `command` should again request
> bracketed paste mode to receive bracketed pastes.
>
> `<C-r>=system(…)` suggested by Marc Weber *must be* vulnerable; it is
> the whole point of `<C-r>`. Literal pasting is `p` from normal mode
> and `<C-r><C-r>` from insert mode, though I never used the latter
> (`<C-r><C-r>+` and `<C-r><C-r>*` should not be vulnerable either).
>
> And, please, do not write `:r! cat`; this is highly misleading. Bang
> here is not a command modifier, it is the start of the argument: use
> `:r !cat`. The difference is that if it were a command modifier then the
> proper spelling of `:read ++enc=cp1251 !echo «»` would be
> `read! ++enc=cp1251 echo «»`; also `:r !cat` looks more like `:!cat` than
> `:r! cat` does, and these are related.
>
> (BTW, why does `:read ++enc=cp1251 !echo «»` not yield the same result
> as `:read !echo «» | iconv -f cp1251`?)
>

It sounds like we went a bit far with guessing. I think it would be easier if I send the PoC to someone trusted here. The question arises, though: who is that, or if there are multiple, who are these people?

sıx

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
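An added illustration of the distinction Nikolay draws above between "terminal pastes" and "Vim reads the clipboard itself" (this is not code from the thread or from Vim): a small Python parser that splits a raw terminal byte stream into bracketed-paste frames and ordinary typed input, then reports which control bytes would reach Vim or a `:r !cat` child as keystrokes. The ESC[200~ / ESC[201~ markers and the set of bytes it flags are assumptions made for the example; a paste whose payload itself contains the end marker falls out of the frame, which models the premature-end case he mentions.

```python
from typing import List, Tuple

# xterm bracketed paste delimiters: when an application has enabled the
# mode, the terminal wraps each paste in these markers (assumed values).
PASTE_START = b"\x1b[200~"
PASTE_END = b"\x1b[201~"

# Bytes that, arriving outside a paste frame, Vim or a child started with
# a bang (`:r !cat`) would act on instead of inserting literally.
RISKY = {
    0x1B: "ESC: leaves insert mode / starts an escape sequence",
    0x04: "C-d: end-of-file, ends `:r !cat` early",
    0x03: "C-c: interrupt",
    0x0D: "CR: ends a line, running a pending command line",
}


def split_frames(raw: bytes) -> List[Tuple[str, bytes]]:
    """Split raw terminal input into ('typed', ...) and ('pasted', ...)
    chunks the way an application in bracketed paste mode sees it.
    A paste whose payload contains PASTE_END is cut at that point: the
    remainder falls out of the frame and becomes 'typed' input."""
    frames: List[Tuple[str, bytes]] = []
    pos = 0
    while pos < len(raw):
        start = raw.find(PASTE_START, pos)
        if start == -1:
            frames.append(("typed", raw[pos:]))
            break
        if start > pos:
            frames.append(("typed", raw[pos:start]))
        body = start + len(PASTE_START)
        end = raw.find(PASTE_END, body)
        if end == -1:  # terminal never closed the frame
            frames.append(("unterminated", raw[body:]))
            break
        frames.append(("pasted", raw[body:end]))
        pos = end + len(PASTE_END)
    return frames


def audit(raw: bytes) -> List[str]:
    """List every control byte that would reach Vim as a keystroke."""
    findings: List[str] = []
    for kind, payload in split_frames(raw):
        if kind == "typed":
            for name in sorted({RISKY[b] for b in payload if b in RISKY}):
                findings.append(f"typed chunk carries {name}")
        elif kind == "unterminated":
            findings.append("paste frame never closed")
    return findings
```

Feeding the same clipboard bytes to `audit` once bare and once wrapped in the markers shows why Nikolay's `"+p` advice, which never lets the terminal replay the text as keystrokes, sidesteps the problem entirely.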
