exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

vimfiletype-exec.txt

vimfiletype-exec.txt
Posted Jul 23, 2008
Authored by Jan Minar

This advisory discusses the filetype.vim vulnerability in Vim version 7.2b.10 that allows for arbitrary code execution and also notes that the Vim patch 7.1.300 did not fix the vulnerability.

tags | advisory, arbitrary, code execution
SHA-256 | ce5ac1fb0fa0e4f7d6ca3213e51c52d637564fd39e7c05602f63456e5bd83fcd

vimfiletype-exec.txt

Change Mirror Download
1. SUMMARY

Product : Vim -- Vi IMproved
Version : Tested with Vim 7.2b.10, filetype.vim 2008-07-17
Impact : Arbitrary code execution
Wherefrom: Local and remote
CVE : CVE-2008-2712
Original : http://www.rdancer.org/vulnerablevim-filetype.vim.updated.html
http://www.rdancer.org/vulnerablevim-filetype.vim.updated.patch
http://www.rdancer.org/vulnerablevim-latest.tar.bz2

This is an update of a previous advisory[1]. Vim patch 7.1.300 which
purported to fix the ``filetype.vim'' vulnerability did not fix the
vulnerability.


2. BACKGROUND

``Vim is an almost compatible version of the UNIX editor Vi. Many new
features have been added: multi-level undo, syntax highlighting,
command line history, on-line help, spell checking, filename
completion, block operations, etc.''

-- Vim README.txt

``Problem: Value of asmsyntax argument isn't checked for valid
characters.
Solution: Only accepts letters and digits.''

-- Vim Patch 7.1.300[2]

3. VULNERABILITY

This is the ``filetype.vim'' vulnerability, described in the sections
3.4.2.1. and 3.4.2.2. of the original advisory[1]. It can lead to
arbitrary code execution upon Vim opening a crafted file. The file can
be either local or remote, and the filename must match one of the
following glob patterns:

*.asm
*.s
*.S
*.a
*.A
*.mac
*.lst (with the exception of /boot/grub/menu.lst)
*.i


4. PURPORTED FIX

Quoting the original advisory[1]:

``[A]bsent sanitization on line 190, followed by the execute
statements at filetype.vim lines 181 or 1267:

``The code looks in the first five lines [of the file being opened]
for a statement of the form ``asmsyntax=FOO'', where FOO can contain
any characters except Tab and Space. FOO is then executed, without
any sanitization.''

187 let head = " ".getline(1)." ".getline(2)." ".getline(3)."
".getline(4).
188 \" ".getline(5)." "
189 if head =~ '\sasmsyntax=\S\+\s'
*190 let b:asmsyntax = substitute(head,
'.*\sasmsyntax=\(\S\+\)\s.*','\1', "")
[... logical flow of the code then jumps to line 181 ...]
*181 exe "setf " . b:asmsyntax
[... or line 1267 ...]
*1267 exe "setf " . b:asmsyntax

Patch 7.1.300 changed the regular expression in the substitute() call on
line 190:

let b:asmsyntax = substitute(head,
'.*\sasmsyntax=\([a-zA-Z0-9]\+\)\s.*','\1', "")

This would work if substitute() were a matching function -- returning a
matching string, or an empty string if the pattern failed to match. But
substitute() always returns its first argument -- substituting the
matching string (if any). If the pattern fails to match, substitute()
returns its first argument as-is:

| pattern matches | no match
------------------+-----------------+--------------------
substitute() | alter match | return as-is
------------------+-----------------+--------------------
matching function | return match | return empty string

The previous line of code (line 189) remains unchanged, leaving two
different regular expressions. It is easy to create a payload matching
the first regular expression, but not the second one. As a matter of
fact, the payload in the test suite[3] that accompanied the original
advisory did just that.

It may be also worth noting that the failure to sanitize the input may
not have been fatal if the ``execute'' statements on lines 181 and 1276
were updated to use the fnameescape() function to sanitize the
arguments.


5. EXPLOIT

The exploit needed a small update in order to work with the current Vim.
It produces error messages, and the exploit text is not hidden. Making
the exploit fully compatible would be just a matter of spending some
more time. The updated exploit is called ``filetype.vim.updated'':

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
Vim version 7.2b, included patches: 1-10
filetype.vim revision date: 2008 Jul 17
zip.vim version: v21
netrw.vim version: v127
-------------------------------------------
filetype.vim
strong : EXPLOIT FAILED
weak : EXPLOIT FAILED
filetype.vim.updated
--> strong : VULNERABLE
--> weak : VULNERABLE
tarplugin : EXPLOIT FAILED
tarplugin.updated: EXPLOIT FAILED
tarplugin.v2: EXPLOIT FAILED
zipplugin : EXPLOIT FAILED
zipplugin.v2: EXPLOIT FAILED
xpm.vim
xpm : EXPLOIT FAILED
xpm2 : EXPLOIT FAILED
remote : EXPLOIT FAILED
gzip_vim : EXPLOIT FAILED
netrw : EXPLOIT FAILED
netrw.v2 : EXPLOIT FAILED
netrw.v3 : EXPLOIT FAILED
netrw.v4 : EXPLOIT FAILED
netrw.v5 : VULNERABLE
shellescape: EXPLOIT FAILED


6. PATCH

A copy of a patch that fixes this vulnerability can be found at the URL
below[4].


7. REFERENCES

[1] Collection of Vulnerabilities in Fully Patched Vim 7.1
http://www.rdancer.org/vulnerablevim.html
[2] Patch 7.1.300
http://groups.google.com/group/vim_dev/msg/5a882ab234f02377
http://ftp.vim.org/pub/vim/patches/7.1/7.1.300
[3] The Vulnerable Vim Test Suite
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
[4] Proposed patch
http://www.rdancer.org/vulnerablevim-filetype.vim.updated.patch


8. COPYRIGHT

This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license. See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties. Those parties may hold copyright, and those portions may be
copied according to their respective licenses.


9. HISTORY

2008-07-23 Sent to: <bugs@vim.org>, <vim-dev@vim.org>,
<full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close