netrw-exec.txt

Posted Jul 16, 2008
Authored by Jan Minar

Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name.

tags | advisory, arbitrary, code execution
SHA-256 | f50311e256266d8d203d3885b3448de80d94b947a9e036abe3e56dcfaf147b16

1. Summary

Product : Vim -- Vi IMproved, Netrw
Version : Tested with Vim 7.2b, Netrw 127
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v5.html
http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Lack of sanitization throughout Netrw can lead to arbitrary code execution upon
opening a directory with a crafted name.


2. Overview

``Netrw makes reading, writing, and browsing over a network connection
easy! [...] Netrw supports "transparent" editing of files on other
machines using urls [...]''

-- Netrw Reference Manual (pi_netrw.txt)

For the new Vim version (7.2), the Netrw plugin has been updated to use the
new fnameescape() and shellescape() functions. However, not all of the
vulnerable statements have been sanitized, and Netrw is still vulnerable
to arbitrary code execution.

The latest version of the archive with code that we're using can be
found at: ``http://www.rdancer.org/vulnerablevim-latest.tar.bz2''.


Best results are achieved by running ``make test'' in the root directory
of the abovementioned archive (this advisory details the ``netrw.v5''
test case):

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
Vim version 7.2b
zip.vim version: v21
netrw.vim version: v127
-------------------------------------------
filetype.vim
strong : EXPLOIT FAILED
weak : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: EXPLOIT FAILED
zipplugin : EXPLOIT FAILED
zipplugin.v2: EXPLOIT FAILED
xpm.vim
xpm : EXPLOIT FAILED
xpm2 : EXPLOIT FAILED
remote : EXPLOIT FAILED
gzip_vim : EXPLOIT FAILED
netrw : EXPLOIT FAILED
netrw.v2 : EXPLOIT FAILED
netrw.v3 : VULNERABLE
netrw.v4 : EXPLOIT FAILED
--> netrw.v5 : VULNERABLE


3. Vulnerability

Unsanitized statements still remain in ``netrw.vim''. A crude count of the
``exe'' lines that do not call any escaping function gives an idea of how
much of the plugin still interpolates data into Ex commands unescaped:

$ grep -n exe ~/.vim/autoload/netrw.vim | grep -v -e escape -e Decho -e executable | wc -l
239

We will exploit the code that, upon opening a directory, installs a set of
keyboard mappings with the ``execute'' command, splicing the
``b:netrw_curdir'' variable (the name of the current directory) into the
right-hand side of each mapping with no sanitization whatsoever. In
function s:BrowserMaps():

    1709 if s:didstarstar || !mapcheck("<s-up>","n")
    1710   nnoremap <buffer> <silent> <s-up> :Pexplore<cr>
    1711 endif
    1712 if g:netrw_mousemaps == 1
    1713   nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
    1714   nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
    1715   nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
--> 1716   exe 'nnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
--> 1717   exe 'vnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
    1718 endif
--> 1719 exe 'nnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
--> 1720 exe 'vnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
--> 1721 exe 'nnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
--> 1722 exe 'vnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
--> 1723 exe 'nnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
--> 1724 exe 'vnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
--> 1725 exe 'nnoremap <buffer> <silent> <Leader>m :call <SID>NetrwMakeDir("")<cr>'
    1726 nnoremap <buffer> <F1> :he netrw-quickhelp<cr>
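
The following Vim script is an added illustration for this advisory and is
not netrw's own code. It builds the same kind of command string that line
1719 above hands to ``execute'', once unescaped as netrw does it and once
with the directory name escaped, so that both the injection point and a
fix for it are visible. The directory name, the stand-in function
s:LocalRm() and the escaping in s:SafeMapCmd() are constructed for this
example; they are not taken from the advisory or from netrw.vim.

```vim
" Added illustration for this advisory (not netrw's own code).  It builds
" the kind of command string that netrw.vim line 1719 hands to :execute,
" once unescaped as netrw v127 does it and once with the directory name
" escaped.  Save as a file and :source it; <SID> needs a script context.

" Stand-in for netrw's NetrwLocalRm() so the mapping has something to call.
function! s:LocalRm(dir) abort
  echomsg 'NetrwLocalRm would operate inside: ' . a:dir
endfunction

" Unsafe, as in netrw.vim v127: the directory name is spliced verbatim into
" a double-quoted Vim string inside a :nnoremap that is then executed.  A
" name containing `"` ends that string early, and because a bare `|`
" separates Ex commands, anything after a `|` in the name runs at :execute
" time, i.e. when the directory listing is opened, before any key is pressed.
function! s:UnsafeMapCmd(dir) abort
  return 'nnoremap <buffer> <silent> <del> :call <SID>LocalRm("' . a:dir . '")<cr>'
endfunction

" Hardened: string() turns the name into a single-quoted Vim literal
" (embedded single quotes are doubled, double quotes are inert).  The two
" characters that :map itself interprets are then replaced by their key
" notation: `<` first, so the `<bar>` inserted afterwards is not re-escaped.
function! s:SafeMapCmd(dir) abort
  let l:lit = string(a:dir)
  let l:lit = substitute(l:lit, '<', '<lt>', 'g')
  let l:lit = substitute(l:lit, '|', '<bar>', 'g')
  return 'nnoremap <buffer> <silent> <del> :call <SID>LocalRm(' . l:lit . ')<cr>'
endfunction

" Constructed directory name carrying every character that matters here:
" a double quote, a command separator, a key-notation opener and a quote.
let s:dir = 'a"b|c<d''e'

echomsg 'unsafe: ' . s:UnsafeMapCmd(s:dir)
echomsg 'safe:   ' . s:SafeMapCmd(s:dir)

" Only the escaped form is executed.  Afterwards <Del> calls s:LocalRm()
" with the original name intact, which maparg() lets us confirm.
execute s:SafeMapCmd(s:dir)
echomsg 'mapped: ' . maparg('<Del>', 'n')
```

Running ``:messages'' after sourcing the file shows the two command
strings side by side: in the unsafe one the ``|'' from the directory name
sits outside any quotes, so whatever follows it is a second Ex command.
Note that fnameescape(), which the updated netrw uses elsewhere, escapes a
name for use as a file-name argument on an Ex command line; a value spliced
into a mapping's right-hand side needs the string-literal quoting and
key-notation escaping shown here instead.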


4. Exploit

Run ``make test''; see ``netrw.v5/Makefile'' for details. If Vim is
vulnerable, the number of times the payload has been run is printed.
The current version of Vim runs the payload six times.


5. Mitigation

Do not use Vim to open untrusted directories, or files whose path contains
an untrusted directory name. The mappings are installed when Netrw opens
the directory listing, so no further keypress is needed for the payload to
run; and since Netrw also browses directories over the network, the same
caution applies to remote listings (hence ``possibly remote'' above).


6. Copyright

This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license. See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties. Those parties may hold copyright, and those portions may be
copied according to the respective licenses.


7. History

2008-07-16 Sent to: <bugs@vim.org>, <vim-dev@googlegroups.com>,
<full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>