Bug 455023
Summary: | vim: command execution due to insufficient input sanitation in netrw | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED DUPLICATE | QA Contact: | |||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | unspecified | CC: | jlieskov, karsten | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2008-10-27 12:37:05 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 453544, 453545 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Tomas Hoger
2008-07-11 14:46:45 UTC
Created attachment 311589 [details] Jan Minar's test suite Downloaded from: http://www.rdancer.org/vulnerablevim-netrw.tar.bz2 At: Fri Jul 11 14:48:38 UTC 2008 Problems 1. and 2. as described in -netrw advisory (affecting mz and mc commands) only affect netrw plugin as shipped with vim 7.1 alpha. Problem 3. (affecting D command) affects vim 7.1 and possibly previous versions. Furthermore, user needs to perform certain actions (running one of the affected commands) for the malicious command to be executed. Opening a file with specially crafted name is not sufficient to exploit this flaw. Correction to comment #2, first paragraph should be: Problems 1. and 2. as described in -netrw advisory (affecting mz and mc commands) only affect netrw plugin as shipped with vim 7.2 alpha. (i.e. 7.2 alpha, not 7.1 alpha) Problem #3 -- "Deleting Files (The ``D'' Command)" was moved to BZ#467439, as it affects the same version of the Vim package (i.e. Vim 7.0 and Vim 7.1) as the netrw.v5 issue. This bug is now only for tracking purposes. The first two problems i.e "1. Compression and Decompression (The ``mz'' Command)" and "3.3. Copying Files (The ``mc'' Command)" affect the 7.2 version of the Vim package and versions of netrw.vim plugin before 132. Current version of netrw.vim plugin in Fedora rawhide is 132, so this problem fixed already. Attaching netrw.vim plugin code differences between versions v.111 and v.132 for the 'mz' command issue (the relevant affected code function is NetrwMarkFileCompress()): netrw.vim 111: 2705 for sfx in sort(keys(g:netrw_decompress)) 2706 if fname =~ '\'.sfx.'$' 2707 " fname has a suffix indicating that its compressed; apply associated decompression routine 2708 let exe= g:netrw_decompress[sfx] 2709 " call Decho("fname<".fname."> is compressed so decompress with <".exe.">") 2710 if executable(exe) 2711 if a:islocal 2712 call system(exe." ".fname) 2713 else 2714 call s:RemoteSystem(exe." ".fname) 2715 endif 2716 else 2717 call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50) 2718 endif 2719 break 2720 endif 2721 endfor 2722 if exists("exe") 2723 unlet exe 2724 elseif a:islocal 2725 " fname not a compressed file, so compress it 2726 call system(g:netrw_compress." ".fname) 2727 else 2728 " fname not a compressed file, so compress it 2729 call s:RemoteSystem(g:netrw_compress." ".fname) 2730 endif 2731 endfor netrw.v132: 3858 for sfx in sort(keys(g:netrw_decompress)) 3859 if fname =~ '\'.sfx.'$' 3860 " fname has a suffix indicating that its compressed; apply associated decompression routine 3861 let exe= s:WinPath(g:netrw_decompress[sfx]) 3862 " call Decho("fname<".fname."> is compressed so decompress with <".exe.">") 3863 if a:islocal 3864 if g:netrw_keepdir 3865 let fname= shellescape(s:ComposePath(curdir,fname)) 3866 endif 3867 else 3868 let fname= shellescape(b:netrw_curdir.fname,1) 3869 endif 3870 if executable(exe) 3871 if a:islocal 3872 call system(exe." ".fname) 3873 else 3874 call s:RemoteSystem(exe." ".fname) 3875 endif 3876 else 3877 call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50) 3878 endif 3879 break 3880 endif 3881 endfor 3882 if exists("exe") 3883 unlet exe 3884 elseif a:islocal 3885 " fname not a compressed file, so compress it 3886 call system(s:WinPath(g:netrw_compress)." ".shellescape(s:ComposePath(b:netrw_curdir,fname))) 3887 else 3888 " fname not a compressed file, so compress it 3889 call s:RemoteSystem(s:WinPath(g:netrw_compress)." ".shellescape(fname)) 3890 endif 3891 endfor i.e. on Unix systems, the calls for "s:ComposePath(b:netrw_curdir,fname" and "fname" were prefixed with "shellescape(s:ComposePath(b:netrw_curdir,fname)" and "shellescape(fname)" respectively. Attaching netrw.vim plugin code differences between versions v.122 and v.132 for the 'mc' command issue (the relevant affected function is called NetrwMarkFileCopy): netrw.v122: 3760 if a:islocal && s:netrwmfloc 3761 " local to local copy 3762 " call Decho("local to local copy: from b:netrw_curdir<".b:netrw_curdir."> fname<".fname."> to s:netrwmftgt<".s:netrwmftgt.">") 3763 if executable(g:netrw_localcopycmd) 3764 " call Decho("let ret= system(".g:netrw_localcopycmd." ".s:ComposePath(b:netrw_curdir,fname)." ".s:netrwmftgt.")") 3765 let ret= system(g:netrw_localcopycmd." ".s:ComposePath(curdir,fname)." ".s:netrwmftgt) 3766 if v:shell_error < 0 3767 call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> failed, aborting",54) 3768 break 3769 endif 3770 else 3771 call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> is not executable!",57) 3772 break 3773 endif netrw.v132: 3925 if a:islocal && s:netrwmftgt_islocal 3926 " Copy marked files, local directory to local directory 3927 " call Decho("copy from local to local") 3928 let args= join(map(deepcopy(s:netrwmarkfilelist_{bufnr('%')}),"shellescape(b:netrw_curdir.\"/\".v:val)")) 3929 " call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")") 3930 call system(s:WinPath(g:netrw_localcopycmd)." ".args." ".shellescape(s:netrwmftgt)) 3931 i.e. the relevant functions were replaced by their 'shellescape()-ed' alternatives. Attaching netrw.vim code differences for the 'D' command issue between versions netrw.vim v.122 and netrw.vim v.132 - the relevant affected code function is called NetrwLocalRmFile: netrw.v122: 6255 if all || ok =~ 'y\%[es]' || ok == "" 6256 " call Decho("1st attempt: system(".g:netrw_local_rmdir.' "'.rmfile.'")') 6257 call s:System("system",g:netrw_local_rmdir.' "'.rmfile.'"') 6258 " call Decho("v:shell_error=".v:shell_error) netrw.v132: 6817 if all || ok =~ 'y\%[es]' || ok == "" 6818 " call Decho("1st attempt: system(s:WinPath(".g:netrw_local_rmdir.') '.shellescape(rmfile).')') 6819 call system(s:WinPath(g:netrw_local_rmdir).' '.shellescape(rmfile)) 6820 " call Decho("v:shell_error=".v:shell_error) i.e. provided 'rmfile' argument was replaced with its shellescape()-ed alternative. Attaching netrw.vim code differences for the 'arbitrary code execution due insufficient directory name sanitization when opening directory' (http://www.rdancer.org/vulnerablevim-netrw.v5.html) between versions v.122 and v.132 -- the relevant affected code function is called BrowserMaps(). netrw.v122: 1709 if g:netrw_mousemaps == 1 1710 nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr> 1711 nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr> 1712 nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr> 1713 exe 'nnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>' 1714 exe 'vnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>' 1715 endif 1716 exe 'nnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>' 1717 exe 'vnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>' 1718 exe 'nnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>' 1719 exe 'vnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>' 1720 exe 'nnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>' 1721 exe 'vnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>' 1722 exe 'nnoremap <buffer> <silent> <Leader>m :call <SID>NetrwMakeDir("")<cr>' 1723 nnoremap <buffer> <F1> :he netrw-dir<cr> netrv.v132: 1734 if g:netrw_mousemaps == 1 1735 nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr> 1736 nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr> 1737 nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr> 1738 exe 'nnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>' 1739 exe 'vnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>' 1740 endif 1741 exe 'nnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>' 1742 exe 'vnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>' 1743 exe 'nnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>' 1744 exe 'vnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>' 1745 exe 'nnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>' 1746 exe 'vnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>' 1747 exe 'nnoremap <buffer> <silent> <Leader>m :call <SID>NetrwMakeDir("")<cr>' 1748 nnoremap <buffer> <F1> :he netrw-quickhelp<cr> i.e. instead of calling unsanitized NetrwLocalRm("'.b:netrw_curdir.'") we now call its more safe NetrwLocalRm("'.mapsafecurdir.'") alternative. *** This bug has been marked as a duplicate of bug 467439 *** |