A vulnerability in Vim allowed code execution when opening a TXT file

A new vulnerability (CVE-2019-12735) has been found and fixed in Vim and Neovim, the text editors pre-installed on various Linux distributions.

The bug allows an attacker to take control of a computer when the user opens a malicious text file. It manifests when the modeline feature is enabled, as it is by default (":set modeline"); this feature lets the file being edited define editor options for itself.

Vim and its Neovim fork contained a flaw in modelines, a feature that lets users specify window dimensions and other custom options near the beginning or end of a text file.

The feature is enabled by default in versions prior to Vim 8.1.1365 and Neovim 0.3.6 and applies to all file types, including .txt files.

About vulnerability in Vim

Only a limited set of options may be set through a modeline. If an option value is an expression, it is evaluated in sandbox mode, which permits only the simplest, safe operations.

However, the ":source" command is among those allowed, and with the "!" modifier it runs arbitrary commands from the specified file.

Therefore, executing code only requires a modeline containing a construction of the form "set foldexpr=execute('\:source! Some_file'):". In Neovim the execute() call is forbidden, but assert_fails() can be used instead.

The sandbox, for its part, is designed to prevent side effects; Vim's documentation states:

The options 'foldexpr', 'formatexpr', 'includeexpr', 'indentexpr', 'statusline' and 'foldtext' can all be evaluated in a sandbox. This means that you are protected from these expressions having unpleasant side effects. This provides some safety when these options are set from a modeline.

While modelines limit the available commands and run them in an environment isolated from the operating system, researcher Armin Razmjou noted that the ":source!" command circumvented this protection:

"It reads and executes the commands in a given file as if they had been typed manually, executing them once the sandbox has been left," the researcher wrote in a post published earlier this month.

Thus a modeline that executes code outside the sandbox can be built trivially.

The post includes two proof-of-concept text files, one of which vividly illustrates the threat.

One of them opens a reverse shell on the computer running Vim or Neovim. From there, an attacker could run commands of their choice on the compromised machine.

"This PoC describes a real-life attack approach in which a reverse shell is launched when the user opens the file," Razmjou wrote. "To conceal the attack, the file will be immediately rewritten when it is opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat (cat -v reveals the actual content)."
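A defender-side check for the two details above, the ":source!"/execute() modeline construction and the escape sequences that hide it from plain cat. This is an added example written for this article, not code from Vim, Neovim or the researcher's post; it applies Vim's own rule that only the first and last 'modelines' lines (default 5) are honoured, and all sample inputs are constructed.

```python
"""Flag Vim modelines carrying ':source!', execute() or assert_fails(),
plus terminal escape sequences that hide a line from `cat`.
Added example for this article, not Vim's or Neovim's own code."""
import re
import sys

# Vim modeline syntax: [text{white}]{vi:|vim:|Vim:|ex:}[white]{options}
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")
SUSPICIOUS = [
    ("source!", re.compile(r"source!")),          # runs a file outside the sandbox
    ("execute(", re.compile(r"\bexecute\s*\(")),  # Vim: execute() inside an expression option
    ("assert_fails(", re.compile(r"\bassert_fails\s*\(")),  # Neovim variant
]
ESCAPE_RE = re.compile(r"\x1b\[")  # CSI escape: hidden by cat, shown by cat -v


def scan_text(text, modelines=5):
    """Return [(line_number, reason), ...] for one file's contents."""
    lines = text.splitlines()
    n = len(lines)
    # Vim only honours modelines in the first and last 'modelines' lines.
    candidates = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    findings = []
    for i in sorted(candidates):
        line = lines[i]
        if ESCAPE_RE.search(line):
            findings.append((i + 1, "terminal escape sequence"))
        m = MODELINE_RE.search(line)
        if not m:
            continue
        for label, pat in SUSPICIOUS:
            if pat.search(m.group(1)):
                findings.append((i + 1, f"modeline uses {label}"))
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed samples: a harmless modeline, the article's construction hidden
# behind an erase-line escape, and the same modeline buried mid-file (ignored by Vim).
BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"
HIDDEN = "notes\n\x1b[2K vim: set foldexpr=execute('\\:source! some_file'):\n"
BURIED = "\n".join(["text"] * 7 + ["vim: set foldexpr=execute('\\:source! some_file'):"] + ["text"] * 7)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for lineno, reason in scan_file(path):
            print(f"{path}:{lineno}: {reason}")
```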

Exploiting the vulnerability requires the standard modeline feature to be enabled, as it is by default in some Linux distributions. The defect is present in Vim before version 8.1.1365 and in Neovim before version 0.3.6.

This advisory in the National Vulnerability Database of the National Institute of Standards and Technology shows that the Debian and Fedora Linux distributions have started releasing fixed versions.

Among distributions, the problem has been fixed in RHEL, SUSE/openSUSE, Fedora, FreeBSD, Ubuntu, Arch Linux and ALT.

The vulnerability remains unpatched in Debian (where modeline is disabled by default, so it does not manifest in the default configuration).

The latest version of macOS still ships a vulnerable version, although the attack only works when users have changed a default setting to enable the modelines feature.
