1. Summary Product : Vim -- Vi IMproved Version : >= 7.2a.013; tested with 7.2b Impact : Arbitrary code execution Wherefrom: Local, possibly remote Original : http://www.rdancer.org/vulnerablevim-shellescape.html http://www.rdancer.org/vulnerablevim-latest.tar.bz2 Improper implementation of the shellescape() function and lack of documentation can result in untrusted data being insufficiently sanitized, possibly leading to arbitrary code execution. 2. Background The shellescape() function, added by patch 7.0.111, has since been modified in 7.2a.013 to escape special characters, so as to be useful when sanitizing arguments of the ``execute'' command: ``shellescape({string} [, {special}]) Escape {string} for use as shell command argument. [...] When the {special} argument is present and it's a non-zero Number or a non-empty String [...], then special items such as "%", "#" and "<cword>" will be preceded by a backslash. This backslash will be removed again by the :! command. Example of use with a :! command: :exe '!dir ' . shellescape(expand('<cfile>'), 1) This results in a directory listing for the file under the cursor.'' -- Vim Reference Manual (``eval.txt'') 3. Vulnerability shellescape() does not escape all special items. In particular, shellescape() does not escape the ``!'' character. The Vim documentation lacks a comprehensive explicit list of special items. This might have been the reason why patch 7.2a.013 failed to acknowledge ``!'' as a special item. 3. Test Case We have added a test case to our test suite; run ``make test'' in the ``shellescape'' directory. The result will show as ``VULNERABLE'' if the shellescape() function of the version of Vim tested doesn't escape the ``!'' special item, ``FAILED'' otherwise. 4. Exploit -- Proof of Concept To show that this vulnerability can be exploited, we have updated our ``tar.vim'' exploit. Run ``make test'' in the ``tarplugin.v2'' directory. Please note that the problem lays within the shellescape() function implementation, rather than within ``tar.vim''. 5. Test Results ------------------------------------------- -------- Test results below --------------- ------------------------------------------- Vim version 7.2b ------------------------------------------- tarplugin.v2: VULNERABLE shellescape: VULNERABLE (Tests for vulnerabilities that are part of the accompanying test suite but are not mentioned in this advisory are omitted from this table.) 6. Copyright This advisory is Copyright 2008 Jan Minar <rdancer_at_rdancer&#46;org> Copying welcome, under the Creative Commons ``Attribution-Share Alike'' License http://creativecommons.org/licenses/by-sa/2.0/uk/ Code included herein, and accompanying this advisory, may be copied according to the GNU General Public License version 2, or the Vim license. See the subdirectory ``licenses''. Various portions of the accompanying code were written by various parties. Those parties may hold copyright, and those portions may be copied according to the respective licenses. 7. History 2008-07-16 Sent to: <vim-dev_at_vim&#46;org> -- This is the correct address, not <vim-dev_at_googlegroups&#46;com> 2008-07-16 Sent to: <bugs_at_vim&#46;org>, <vim-dev_at_googlegroups&#46;com>, <full-disclosure_at_lists&#46;grok.org.uk>, <bugtraq_at_securityfocus&#46;com>