exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

vim72b-exec.txt

vim72b-exec.txt
Posted Jul 16, 2008
Authored by Jan Minar

Vim versions greater than and equal to 7.2.a.013 suffer from an arbitrary code execution vulnerability using the shellescape() function.

tags | advisory, arbitrary, code execution
SHA-256 | 6adfab1ef22a58322cefeb82ac51d3173e70797770814479bc878db14994e3b5

vim72b-exec.txt

Change Mirror Download
1. Summary

Product : Vim -- Vi IMproved
Version : >= 7.2a.013; tested with 7.2b
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Improper implementation of the shellescape() function and lack of
documentation can result in untrusted data being insufficiently
sanitized, possibly leading to arbitrary code execution.


2. Background

The shellescape() function, added by patch 7.0.111, has since been
modified in 7.2a.013 to escape special characters, so as to be useful
when sanitizing arguments of the ``execute'' command:


``shellescape({string} [, {special}])
Escape {string} for use as shell command argument.
[...]
When the {special} argument is present and it's a non-zero Number or
a non-empty String [...], then special items such as "%", "#" and
"<cword>" will be preceded by a backslash. This backslash will be
removed again by the :! command. Example of use with a :! command:
:exe '!dir ' . shellescape(expand('<cfile>'), 1)
This results in a directory listing for the file under the cursor.''

-- Vim Reference Manual (``eval.txt'')


3. Vulnerability

shellescape() does not escape all special items. In particular,
shellescape() does not escape the ``!'' character.

The Vim documentation lacks a comprehensive explicit list of special
items. This might have been the reason why patch 7.2a.013 failed to
acknowledge ``!'' as a special item.


3. Test Case

We have added a test case to our test suite; run ``make test'' in the
``shellescape'' directory. The result will show as ``VULNERABLE'' if
the shellescape() function of the version of Vim tested doesn't escape
the ``!'' special item, ``FAILED'' otherwise.


4. Exploit -- Proof of Concept

To show that this vulnerability can be exploited, we have updated our
``tar.vim'' exploit. Run ``make test'' in the ``tarplugin.v2''
directory. Please note that the problem lays within the shellescape()
function implementation, rather than within ``tar.vim''.


5. Test Results

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
Vim version 7.2b
-------------------------------------------
tarplugin.v2: VULNERABLE
shellescape: VULNERABLE

(Tests for vulnerabilities that are part of the accompanying test suite
but are not mentioned in this advisory are omitted from this table.)


6. Copyright

This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license. See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties. Those parties may hold copyright, and those portions may be
copied according to the respective licenses.


7. History

2008-07-16 Sent to: <bugs@vim.org>, <vim-dev@googlegroups.com>,
<full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close