Vim: Arbitrary Code Execution in Commands: K, Control-], g] 1. SUMMARY Product : Vim -- Vi IMproved Versions : 3.0--current, possibly older Impact : Arbitrary code execution Wherefrom: Local Original : http://www.rdancer.org/vulnerablevim-K.html Insufficient sanitization can lead to Vim executing arbitrary commands when performing keyword or tag lookup. Ben Schmidt discovered this vulnerability[1]. 2. BACKGROUND ``Vim is an almost compatible version of the UNIX editor Vi. Many new features have been added: multi-level undo, syntax highlighting, command line history, on-line help, spell checking, filename completion, block operations, etc.'' -- Vim README.txt ``[Normal mode command] K [...] Run a program to lookup the keyword under the cursor. The name of the program is given with the 'keywordprg' (kp) option (default is "man").'' -- Vim Reference Manual (``various.txt'') ``[Normal mode command] CTRL-] [...] Jump to the definition of the keyword under the cursor.'' -- Vim Reference Manual (``tagsrch.txt'') 3. VULNERABILITIES ``src/normal.c'': 5514 if (cmdchar == '*') 5515 aux_ptr = (char_u *)(p_magic ? "/.*~[^$\\" : "/^$\\"); 5516 else if (cmdchar == '#') 5517 aux_ptr = (char_u *)(p_magic ? "/?.*~[^$\\" : "/?^$\\"); 5518 else if (cmdchar == 'K' && !kp_help) --> 5519 aux_ptr = (char_u *)" \t\\\"|!"; 5520 else 5521 /* Don't escape spaces and Tabs in a tag with a backslash */ --> 5522 aux_ptr = (char_u *)"\\|\""; 5523 5524 p = buf + STRLEN(buf); 5525 while (n-- > 0) 5526 { 5527 /* put a backslash before \ and some others */ 5528 if (vim_strchr(aux_ptr, *ptr) != NULL) 5529 *p++ = '\\'; 5530 #ifdef FEAT_MBYTE 5531 /* When current byte is a part of multibyte character, copy all bytes 5532 * of that character. */ 5533 if (has_mbyte) 5534 { 5535 int i; 5536 int len = (*mb_ptr2len)(ptr) - 1; 5537 5538 for (i = 0; i < len && n >= 1; ++i, --n) 5539 *p++ = *ptr++; 5540 } 5541 #endif 5542 *p++ = *ptr++; 5543 } 5544 *p = NUL; 5545 5546 /* 5547 * Execute the command. 5548 */ 5549 if (cmdchar == '*' || cmdchar == '#') 5550 { 5551 if (!g_cmd && ( 5552 #ifdef FEAT_MBYTE 5553 has_mbyte ? vim_iswordp(mb_prevptr(ml_get_curline(), ptr)) : 5554 #endif 5555 vim_iswordc(ptr[-1]))) 5556 STRCAT(buf, "\\>"); 5557 #ifdef FEAT_CMDHIST 5558 /* put pattern in search history */ 5559 add_to_history(HIST_SEARCH, buf, TRUE, NUL); 5560 #endif 5561 normal_search(cap, cmdchar == '*' ? '/' : '?', buf, 0); 5562 } 5563 else --> 5564 do_cmdline_cmd(buf); The variable ``aux_ptr'' contains characters to be escaped. Line 5519 for the ``K'' command, line 5522 for the ``Control-]'' and ``g]'' commands. Both values leave out characters that must be escaped. The command is assembled, and on line 5564, it is executed as a regular Ex command. No special shell escaping is done for the ``K'' command, although the string is passed to shell for execution. 3.1. Keyword Lookup -- The ``K'' Command 3.1.1. Shell Commands and Ex Commands Because the string passed to the shell for execution is not sanitized, it is possible to specify arbitrary shell commands where Vim expects an argument for the keyword program. Same applies to arbitrary Ex commands. 3.1.2. Keyword Program Command Line Switches It is possible to specify command line switches for the keyword program in place of the argument. The gravity of this vulnerability depends on the keyword program selected. GNU man, the default keyword program in many installations, supports for example the ``--pager'' option (cf. the GNU man(1) manual page). This allows arbitrary command execution. 3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands Insufficient sanitization of an Ex command argument allows specifying additional arbitrary Ex commands in place of the argument. 3.3. Unknown Shell/Keyword Program Because the syntax of the shell that is being used to execute the commands is not known beforehand, there may be other unknown vulnerabilities, that are present depending on the shell being used. Ditto for the man(1) program, and other keyword programs. 4. EXPLOIT Copy-and-paste these examples into separate files: ;xclock vim: set iskeyword=;,@ Place your cursor on ``xclock'', and press K. xclock appears. ;date>>pwned vim: set iskeyword=1-255 Place your cursor on ``date'' and press K. File ``pwned'' is created in the current working directory. Please note: If modeline processing is disabled, set the 'iskeyword' option manually. See the thread on the Vim Developers' mailing list for some other examples[2]. 5. PATCH A patch that fixes some of the vulnerabilities has been developed[3]. 6. REFERENCES [1] Ben Schmidt discovered this vulnerability in: Message-Id: <48AB91B3.9000709@yahoo.com.au> http://groups.google.com/group/vim_dev/msg/6ad2d5b50a96668e [2] http://groups.google.com/group/vim_dev/browse_thread/thread/1434d0812b5c817e/6ad2d5b50a96668e [3] http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2 7. COPYRIGHT This advisory is Copyright 2008 Jan Minar Copying welcome, under the Creative Commons ``Attribution-Share Alike'' License http://creativecommons.org/licenses/by-sa/2.0/uk/ Code included herein, and accompanying this advisory, may be copied according to the GNU General Public License version 2, or the Vim license. See the subdirectory ``licenses''. Various portions of the accompanying code may have been written by various parties. Those parties may hold copyright, and those portions may be copied according to their respective licenses. 8. HISTORY 2008-08-22 Sent to: , , , 2008-08-20 Ben Schmidt reported this vulnerability to