Vulnerability in Vim allowed code execution when opening a TXT file


A new vulnerability has been fixed in the Vim and Neovim text editors, which come preinstalled on various Linux distributions (CVE-2019-12735).

The bug found in these editors allows attackers to take control of a computer when a user opens a malicious file. The problem lies in the modeline feature, enabled by default (":set modeline"), which lets a file specify editor options for itself while it is being edited.

Vim and its NeoVim fork had a flaw that resided in modelines. This feature allows users to specify window dimensions and other custom options near the beginning or end of a text file.

This feature is enabled by default in versions before Vim 8.1.1365 and Neovim 0.3.6, and it applies to all file types, including .txt files.

About the vulnerability in Vim

Only a limited set of options may be set through a modeline. If an expression is given as an option value, it runs in sandbox mode, which permits only the simplest, safe operations.

At the same time, the ":source" command is one of the permitted ones, and with the "!" modifier it can be used to run commands from the specified file.

Thus, to execute code, it is enough to place in the modeline a construction of the form "set foldexpr=execute('\:source! some_file'):". In Neovim, calling execute is prohibited, but assert_fails can be used instead.

On the other hand, the sandbox is designed precisely to prevent side effects:

The 'foldexpr', 'formatexpr', 'includeexpr', 'indentexpr', 'statusline' and 'foldtext' options can all be evaluated in a sandbox. This means you are protected against these expressions having unpleasant side effects. It provides some security when these options are set from a modeline.

While modelines restrict the available commands and run them in an environment isolated from the operating system, researcher Armin Razmjou noticed that the :source! command bypassed this protection:

"It reads and executes the commands in the given file as if they had been typed manually, executing them once the sandbox has been left," the researcher said in a message published at the beginning of this month.

Consequently, one can trivially build a modeline that executes code outside the sandbox.
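One way to catch such files before they reach an unpatched editor is to scan them the way Vim itself looks for modelines and reject any modeline that touches the escape path described above. The following is an added example written for this article, not code from Vim, Neovim or the researcher; it follows the rules in Vim's ":help modeline" (only the first and last 'modelines' lines, default 5, are inspected, and a modeline must begin with "vi:", "vim:", "Vim:" or "ex:" at the start of a line or after whitespace). The sample file contents are constructed for the example and the sourced file name is a placeholder.

```python
"""Flag Vim/Neovim modelines that can reach the CVE-2019-12735 sandbox escape.

Added example for this article, not code from Vim, Neovim or the researcher.
It follows the rules in Vim's ":help modeline": only the first and last
'modelines' (default 5) lines of a file are inspected, and a modeline is
"vi:", "vim:", "Vim:" or "ex:" at the start of a line or after whitespace.
The sample files below are constructed for the example.
"""
import re

MODELINES = 5  # Vim's default for the 'modelines' option

# vi:, vim:, Vim:, ex:, optionally with a version constraint such as "vim>700:"
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$")

# Options the article lists as sandbox-evaluated expressions (long and short names)
EXPR_OPTIONS = {
    "foldexpr", "fde", "formatexpr", "fex", "includeexpr", "inex",
    "indentexpr", "inde", "statusline", "stl", "foldtext", "fdt",
}

# The escape path described in the article: :source! reached through
# execute() (Vim) or assert_fails() (Neovim) inside one of those expressions.
ESCAPE_RE = re.compile(r"\b(?:so(?:urce)?!|execute\s*\(|assert_fails\s*\()")


def lines_vim_inspects(text, modelines=MODELINES):
    """Yield (line_number, line) for the head and tail lines Vim checks."""
    lines = text.splitlines()
    n = len(lines)
    if n <= 2 * modelines:
        indices = range(n)
    else:
        indices = list(range(modelines)) + list(range(n - modelines, n))
    for i in indices:
        yield i + 1, lines[i]


def scan_modelines(text):
    """Return one finding per modeline: {'line', 'options', 'reasons'}.

    An empty 'reasons' list means the modeline looks benign (e.g. tab settings).
    """
    findings = []
    for lineno, line in lines_vim_inspects(text):
        m = MODELINE_RE.search(line)
        if not m:
            continue
        options = m.group(1)
        reasons = []
        if ESCAPE_RE.search(options):
            reasons.append("source!/execute()/assert_fails() in modeline")
        # Option assignments appear as name=value (second form) or name:value (first form).
        for name in re.findall(r"([A-Za-z]+)\s*[=:]", options):
            if name in EXPR_OPTIONS:
                reasons.append(f"expression option '{name}' set from a modeline")
        if "\x1b" in line:
            # The PoC hides its modeline behind terminal escapes; 'cat -v' reveals them.
            reasons.append("terminal escape sequence (ESC) on the modeline")
        findings.append({"line": lineno, "options": options, "reasons": reasons})
    return findings


def is_suspicious(text):
    """True if any modeline in the text carries at least one reason to block it."""
    return any(f["reasons"] for f in scan_modelines(text))


# Constructed samples: a normal editor-settings modeline and a hostile one
# shaped like the construction quoted in the article ("some_file" is a
# placeholder, not a real PoC file).
SAMPLE_FILES = {
    "notes.txt": "Meeting notes\n\n- agenda item\n\n# vim: set ts=4 sw=4 et:\n",
    "hostile.txt": (
        "Looks like plain text\n"
        "\x1b[0m vim: set foldexpr=execute('\\:source! some_file'):\n"
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for f in scan_modelines(text):
            verdict = "BLOCK" if f["reasons"] else "ok"
            print(f"{name}:{f['line']}: {verdict} {f['options']!r} {f['reasons']}")
```

The scanner deliberately reports benign modelines too (with an empty reason list), so a mail gateway or pre-commit hook can log what it saw; the head-and-tail rule matters because a modeline buried in the middle of a long file is never honoured by Vim and would only produce noise.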

The post includes two proof-of-concept text files, one of which vividly demonstrates the threat.

One of them opens a reverse shell on the computer running Vim or NeoVim. From there, attackers could run commands of their choice on the compromised machine.

"This PoC describes a real attack approach in which a reverse shell is launched once the user opens the file," Razmjou wrote. "To conceal the attack, the file is rewritten immediately when it is opened. In addition, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat (cat -v shows the actual content)."

Exploiting the vulnerability requires the standard modeline feature to be enabled, as it is by default in some Linux distributions. The flaw is present in Vim before version 8.1.1365 and in Neovim before version 0.3.6.
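Both conditions in that sentence, an unpatched release and modelines in effect, can be checked from the editor's own "--version" banner and the user's vimrc. The script below is an added example written for this article, not code from Vim, Neovim or any distribution; the --version outputs and vimrc texts are constructed samples in the shape of the real banners, and the fixed versions compared against are the ones the article names.

```python
"""Check whether a Vim or Neovim install is exposed to CVE-2019-12735.

Added example for this article, not code from Vim, Neovim or any
distribution. An install is exposed when the editor is older than the
fixed releases the article names (Vim 8.1.1365, Neovim 0.3.6) AND
modelines are honoured. The --version outputs and vimrc texts below are
constructed samples; feed the real `vim --version` / `nvim --version` output.
"""
import re

VIM_FIXED = (8, 1, 1365)   # major, minor, patch level
NVIM_FIXED = (0, 3, 6)


def parse_vim_version(output):
    """Return (major, minor, highest_patch) from `vim --version` text, or None."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        return None
    patch = 0
    pm = re.search(r"Included patches:\s*([\d, -]+)", output)
    if pm:
        # The list looks like "1-1365" or "1-503, 505-680"; take the highest number.
        for chunk in pm.group(1).split(","):
            chunk = chunk.strip()
            if chunk:
                patch = max(patch, int(chunk.split("-")[-1]))
    return (int(m.group(1)), int(m.group(2)), patch)


def parse_nvim_version(output):
    """Return (major, minor, patch) from `nvim --version` text, or None."""
    m = re.search(r"NVIM v(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version_output):
    """True if the --version output belongs to a fixed Vim or Neovim release."""
    v = parse_vim_version(version_output)
    if v is not None:
        return v >= VIM_FIXED
    v = parse_nvim_version(version_output)
    if v is not None:
        return v >= NVIM_FIXED
    raise ValueError("unrecognised --version output")


SET_LINE_RE = re.compile(r"^\s*se(?:t(?:l(?:ocal)?)?)?\s+(.*)")


def modeline_enabled(vimrc_text, default=True):
    """Replay the :set lines of a vimrc and report the final 'modeline' state.

    `default` is what the editor starts with: on for Vim and Neovim in general,
    off in Debian's build as the article notes.
    """
    enabled = default
    for line in vimrc_text.splitlines():
        code = line.split('"', 1)[0]          # strip a trailing vimscript comment
        m = SET_LINE_RE.match(code)
        if not m:
            continue
        for token in m.group(1).split():
            if token in ("modeline", "ml"):
                enabled = True
            elif token in ("nomodeline", "noml"):
                enabled = False
    return enabled


def assess(version_output, vimrc_text="", default_modeline=True):
    """Classify an install: patched, mitigated by nomodeline, or exposed."""
    if is_patched(version_output):
        return "patched"
    if not modeline_enabled(vimrc_text, default_modeline):
        return "unpatched, but modelines are disabled"
    return "exposed: unpatched and modelines are enabled"


# Constructed samples in the shape of the real --version banners.
VIM_OLD = ("VIM - Vi IMproved 8.1 (2018 May 18, compiled Apr 01 2019 12:00:00)\n"
           "Included patches: 1-1200\n")
VIM_NEW = ("VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun 15 2019 09:30:00)\n"
           "Included patches: 1-1365, 1400-1402\n")
NVIM_OLD = "NVIM v0.3.5\nBuild type: Release\n"
NVIM_NEW = "NVIM v0.3.6\nBuild type: Release\n"
VIMRC_HARDENED = '" never honour modelines from files\nset nomodeline\n'
VIMRC_LOOSE = 'set modeline\nset modelines=5   " inspect 5 lines at each end\n'

if __name__ == "__main__":
    print("old vim, hardened rc :", assess(VIM_OLD, VIMRC_HARDENED))
    print("old vim, loose rc    :", assess(VIM_OLD, VIMRC_LOOSE))
    print("new vim              :", assess(VIM_NEW))
    print("old nvim             :", assess(NVIM_OLD))
    print("new nvim             :", assess(NVIM_NEW))
```

The two checks are kept separate on purpose: "set nomodeline" is the stop-gap while a package update is pending, and an updated editor stays safe even if a user later turns modelines back on. Pass the real default for the build being audited, since the same vimrc yields different results on a Debian build (modelines off by default) and on a stock Vim.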

This advisory from the National Vulnerability Database of the National Institute of Standards and Technology indicates that the Debian and Fedora Linux distributions have begun releasing fixed versions.

Among distributions, the problem has been fixed in RHEL, SUSE/openSUSE, Fedora, FreeBSD, Ubuntu, Arch Linux and ALT.

The vulnerability remains unfixed in Debian (in Debian, modeline is disabled by default, so the vulnerability does not manifest in the default configuration).

The latest version of macOS still ships an unpatched version, although the attack only works if users have changed the default settings to enable the modeline feature.
