Vim: Flawed Fix of Arbitrary Code Execution Vulnerability in filetype.vim

To: bugs@xxxxxxx, vim-dev@xxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vim: Flawed Fix of Arbitrary Code Execution Vulnerability in filetype.vim
From: "Jan Minář" <rdancer@xxxxxxxxxxx>
Date: Wed, 23 Jul 2008 19:29:01 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:mime-version:content-type:content-transfer-encoding :content-disposition:x-google-sender-auth; bh=dPL6mmJqhyzMnBGMSzZcbNp9DaPV0GZJ7H8k6gZVJ6g=; b=iRa6YB/sppdGzq4aFGrnbrnEEkgyWCHwIYf6FbSuae3obkJdqzqsy8YIQf+eujFisT gYURT2BYMc8p9P6OKnSYou8Kr2iWdMlrRyIb5xeG9oLBPvuNaSAi7JbM3Suby1kVLTxQ OWuci6bc/SZIUi8Lhp4/khDn+aSY8anHohnXg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition:x-google-sender-auth; b=ctb5Ioo7gE6p0Ra0J6Y7Y8EeHv6qt17zTErH32Su+HJKCE5OF0e8vNuP2w/hpInwq+ BVQGa8Q7CVdmjEMz/AsfRauVeaYvEwaUJpGtO3eecdEdcjxJBI2txI3zTYDaiVlbXu18 XM1RL2OQS86XaRhLnhFVPIqDbO91LFbCa593o=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: rdancer@xxxxxxxxx

1. SUMMARY

Product  : Vim -- Vi IMproved
Version  : Tested with Vim 7.2b.10, filetype.vim 2008-07-17
Impact   : Arbitrary code execution
Wherefrom: Local and remote
CVE      : CVE-2008-2712
Original : http://www.rdancer.org/vulnerablevim-filetype.vim.updated.html
           http://www.rdancer.org/vulnerablevim-filetype.vim.updated.patch
           http://www.rdancer.org/vulnerablevim-latest.tar.bz2

This is an update of a previous advisory[1].  Vim patch 7.1.300 which
purported to fix the ``filetype.vim'' vulnerability did not fix the
vulnerability.


2. BACKGROUND

  ``Vim is an almost compatible version of the UNIX editor Vi.  Many new
    features have been added: multi-level undo, syntax highlighting,
    command line history, on-line help, spell checking, filename
    completion, block operations, etc.''

                -- Vim README.txt

  ``Problem:    Value of asmsyntax argument isn't checked for valid
                characters.
    Solution:   Only accepts letters and digits.''

                -- Vim Patch 7.1.300[2]

3. VULNERABILITY

This is the ``filetype.vim'' vulnerability, described in the sections
3.4.2.1. and 3.4.2.2. of the original advisory[1].  It can lead to
arbitrary code execution upon Vim opening a crafted file.  The file can
be either local or remote, and the filename must match one of the
following glob patterns:

    *.asm
    *.s
    *.S
    *.a
    *.A
    *.mac
    *.lst (with the exception of /boot/grub/menu.lst)
    *.i


4. PURPORTED FIX

Quoting the original advisory[1]:

  ``[A]bsent sanitization on line 190, followed by the execute
    statements at filetype.vim lines 181 or 1267:

  ``The code looks in the first five lines [of the file being opened]
    for a statement of the form ``asmsyntax=FOO'', where FOO can contain
    any characters except Tab and Space.  FOO is then executed, without
    any sanitization.''

       187        let head = " ".getline(1)." ".getline(2)." ".getline(3)."
".getline(4).
       188              \" ".getline(5)." "
       189        if head =~ '\sasmsyntax=\S\+\s'
      *190          let b:asmsyntax = substitute(head,
'.*\sasmsyntax=\(\S\+\)\s.*','\1', "")
       [... logical flow of the code then jumps to line 181 ...]
      *181        exe "setf " . b:asmsyntax
       [... or line 1267 ...]
     *1267              exe "setf " . b:asmsyntax

Patch 7.1.300 changed the regular expression in the substitute() call on
line 190:

    let b:asmsyntax = substitute(head,
'.*\sasmsyntax=\([a-zA-Z0-9]\+\)\s.*','\1', "")

This would work if substitute() were a matching function -- returning a
matching string, or an empty string if the pattern failed to match.  But
substitute() always returns its first argument -- substituting the
matching string (if any).  If the pattern fails to match, substitute()
returns its first argument as-is:

                      | pattern matches | no match
    ------------------+-----------------+--------------------
    substitute()      | alter match     | return as-is
    ------------------+-----------------+--------------------
    matching function | return match    | return empty string

The previous line of code (line 189) remains unchanged, leaving two
different regular expressions.  It is easy to create a payload matching
the first regular expression, but not the second one.  As a matter of
fact, the payload in the test suite[3] that accompanied the original
advisory did just that.

It may be also worth noting that the failure to sanitize the input may
not have been fatal if the ``execute'' statements on lines 181 and 1276
were updated to use the fnameescape() function to sanitize the
arguments.


5. EXPLOIT

The exploit needed a small update in order to work with the current Vim.
It produces error messages, and the exploit text is not hidden.  Making
the exploit fully compatible would be just a matter of spending some
more time.  The updated exploit is called ``filetype.vim.updated'':

    -------------------------------------------
    -------- Test results below ---------------
    -------------------------------------------
    Vim version 7.2b, included patches: 1-10
    filetype.vim revision date: 2008 Jul 17
    zip.vim version: v21
    netrw.vim version: v127
    -------------------------------------------
    filetype.vim
      strong  : EXPLOIT FAILED
      weak    : EXPLOIT FAILED
    filetype.vim.updated
-->   strong  : VULNERABLE
-->   weak    : VULNERABLE
    tarplugin : EXPLOIT FAILED
    tarplugin.updated: EXPLOIT FAILED
    tarplugin.v2: EXPLOIT FAILED
    zipplugin : EXPLOIT FAILED
    zipplugin.v2: EXPLOIT FAILED
    xpm.vim
      xpm     : EXPLOIT FAILED
      xpm2    : EXPLOIT FAILED
      remote  : EXPLOIT FAILED
    gzip_vim  : EXPLOIT FAILED
    netrw     : EXPLOIT FAILED
    netrw.v2  : EXPLOIT FAILED
    netrw.v3  : EXPLOIT FAILED
    netrw.v4  : EXPLOIT FAILED
    netrw.v5  : VULNERABLE
    shellescape: EXPLOIT FAILED


6. PATCH

A copy of a patch that fixes this vulnerability can be found at the URL
below[4].


7. REFERENCES

[1] Collection of Vulnerabilities in Fully Patched Vim 7.1
    http://www.rdancer.org/vulnerablevim.html
[2] Patch 7.1.300
    http://groups.google.com/group/vim_dev/msg/5a882ab234f02377
    http://ftp.vim.org/pub/vim/patches/7.1/7.1.300
[3] The Vulnerable Vim Test Suite
    http://www.rdancer.org/vulnerablevim-latest.tar.bz2
[4] Proposed patch
    http://www.rdancer.org/vulnerablevim-filetype.vim.updated.patch


8. COPYRIGHT

This advisory is Copyright 2008 Jan Minar <rdancer@xxxxxxxxxxx>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license.  See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties.  Those parties may hold copyright, and those portions may be
copied according to their respective licenses.


9. HISTORY

2008-07-23 Sent to: <bugs@xxxxxxx>, <vim-dev@xxxxxxx>,
           <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>

Prev by Date: [SECURITY] [DSA 1540-3] New lighttpd packages fix regression
Next by Date: [USN-628-1] PHP vulnerabilities
Previous by thread: [SECURITY] [DSA 1540-3] New lighttpd packages fix regression
Next by thread: [USN-628-1] PHP vulnerabilities
Index(es):
- Date
- Thread