what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

vim-filecreation.txt

vim-filecreation.txt
Posted Jul 18, 2008
Authored by Jan Minar

Vim version 5.0 through the current version suffer from an arbitrary code execution vulnerability via an insecure temporary file creation flaw.

tags | advisory, arbitrary, code execution
SHA-256 | e7aba5aff5906fcc02e2116bb842aec10130ebae6504b53a16617fdc67070ef6

vim-filecreation.txt

Change Mirror Download
1. Summary

Product : Vim -- Vi IMproved
Versions : 5.0--current, possibly older; 4.6 and 3.0 not vulnerable
Impact : Arbitrary code execution
Wherefrom: Local
Original : http://www.rdancer.org/vulnerablevim-configure.in.html
http://www.rdancer.org/vulnerablevim-configure.in.patch

Insecure temporary file creation during the build process is vulnerable
to symbolic link attacks, and arbitrary code execution. Patch provided.


2. Background

``Vim is an almost compatible version of the UNIX editor Vi. Many new
features have been added: multi-level undo, syntax highlighting, command
line history, on-line help, spell checking, filename completion, block
operations, etc.''
-- VIM ``README.txt''


3. Vulnerability

During the build process, a temporary file with a predictable name is
created in the ``/tmp'' directory. This code is run when Vim is being
build with Python support:

src/configure.in:

677 dnl -- we need to examine Python's config/Makefile too
678 dnl see what the interpreter is built from
679 AC_CACHE_VAL(vi_cv_path_python_plibs,
680 [
681 tmp_mkf="/tmp/Makefile-conf$$"
(1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
683 __:
684 @echo "python_MODLIBS='$(MODLIBS)'"
685 @echo "python_LIBS='$(LIBS)'"
686 @echo "python_SYSLIBS='$(SYSLIBS)'"
687 @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
688 eof
689 dnl -- delete the lines from make about
Entering/Leaving directory
(2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f
${tmp_mkf} __ | sed '/ directory /d'`"
691 rm -f ${tmp_mkf}

The attacker has to create the temporary file
``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
the time between (1) and (2), arbitrary commands can be written to the
file. They will be executed at (2).


3. Test Case

No test case.


4. Patch

Patch fixing this vulnerability can be found at the following URL:

http://www.rdancer.org/vulnerablevim-configure.in.patch

Please note: The patch fixes ``src/configure.in'', an input file used by
the ``autoconf'' command. ``autoconf'' uses this input file to create
``src/auto/configure''. It is necessary to remove the latter, if
present, to force its recreation. Otherwise, further build runs will
still use it, and the vulnerability will still be present.


5. Copyright

This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license. See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties. Those parties may hold copyright, and those portions may be
copied according to their respective licenses.


6. History

2008-07-17 Sent to: <bugs@vim.org>, <vim-dev@vim.org>
<full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close