Bug 461927 (CVE-2008-4101)

Summary: CVE-2008-4101 vim: arbitrary code execution in commands: K, Control-], g]
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: karsten, kreilly, mjc, psplicha
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-09 08:36:16 UTC
Bug Depends On: 465813, 465814, 465815, 465817, 465818, 465819

Description Jan Lieskovsky 2008-09-11 14:11:12 UTC
Description of problem:

Ben Schmidt has discovered the following security flaw in Vim, which
could lead to arbitrary code execution. Insufficient sanitization can lead to Vim executing arbitrary commands when performing keyword or tag lookup.

Flaw description pasted from original rdancer.org report (see [1]):

3.1. Keyword Lookup -- The ``K'' Command
3.1.1. Shell Commands and Ex Commands

Because the string passed to the shell for execution is not sanitized,
it is possible to specify arbitrary shell commands where Vim expects an
argument for the keyword program.  Same applies to arbitrary Ex commands.

3.1.2. Keyword Program Command Line Switches

It is possible to specify command line switches for the keyword program
in place of the argument.  The gravity of this vulnerability depends on
the keyword program selected.  GNU man, the default keyword program in
many installations, supports for example the ``--pager'' option (cf.
the GNU man(1) manual page).  This allows arbitrary command execution.

3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands

Insufficient sanitization of an Ex command argument allows specifying
additional arbitrary Ex commands in place of the argument.

3.3. Unknown Shell/Keyword Program

Because the syntax of the shell that is being used to execute the
commands is not known beforehand, there may be other unknown
vulnerabilities that are present depending on the shell being used.
Ditto for the man(1) program, and other keyword programs.

Version-Release number of selected component (if applicable):
3.0--current, possibly older

How reproducible:
Always

Steps to Reproduce:
1. See part "4.EXPLOIT" from the original rdancer.org report [1]
Actual results:
Arbitrary code execution possible

Expected results:
No security flaw present.

References:

[1] http://www.rdancer.org/vulnerablevim-K.html

Proposed patch:

Report: http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2
Patch:
  http://groups.google.com/group/vim_dev/attach/dd32ad3a84f36bb2/K-arbitrary-command-execution.patch?part=2

RH SRT official statement:

This issue affects all versions of the vim-enhanced package, as shipped
with Red Hat Enterprise Linux 2.1, 3, 4 and 5 and within Fedora releases
of 8, 9 and 10.

Comment 1 Jan Lieskovsky 2008-09-12 12:20:56 UTC
The patch mentioned above is incomplete. Jan Minar has provided v3 of 
the patch, for the K-shell command Vim issue, available at:

http://groups.google.com/group/vim_dev/attach/9290f26f9bc11b33/K-arbitrary-command-execution.patch.v3?part=2

Yet another Vim upstream patch, also facing this issue, is:

http://ftp.vim.org/pub/vim/patches/7.2/7.2.010

Comment 2 Jan Lieskovsky 2008-10-06 08:28:31 UTC
More detailed steps to reproduce the "xclock" issue:

1, Open a new file via Vim: vim /tmp/somenewfile
2, In Vim normal mode type: :set iskeyword=;,@
3, Switch to Vim insert mode and type/insert into file: ;xclock
4, Switch back to Vim normal mode and with cursor present on the
   "xclock" substring press the "K" key

Actual result:

The xclock command is executed / displayed.

Expected result:

The manual page for the 'xclock' command should be displayed.

More detailed steps to reproduce the creation of "pwned" file issue:

1, Open a new file via Vim: vim /tmp/anothernewfile
2, In normal Vim mode type: :set iskeyword=1-255
3, Switch to Vim insert mode and type/insert into file: ;date->pwned
4, Switch back to Vim normal mode and with cursor present on the
   "date" substring press the "K" key

Actual result:

File with name "pwned" is created in cwd:

# ls -l pwned
-rw-r--r-- 1 root root 0 Oct  6 10:19 pwned

Expected result:

No file created.
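The root cause behind both reproduction recipes above (and sections 3.1.1 and 3.1.2 of the quoted report) is that the word under the cursor is spliced verbatim into the 'keywordprg' command line handed to the shell. The following added example is not Vim's code nor the referenced upstream patch; it models the unsafe construction beside a hardened one (shell quoting plus refusing option-like words) and uses a shell tokenizer, without executing anything, to show why the ';' and '>' in the report's inputs escape their argument slot. The 'man' keyword program and the word list are constructed from the bug's own steps.

```python
import shlex

# Constructed inputs modelled on the reproduction steps in comment 2:
# once 'iskeyword' is widened, each of these is the whole "word" under the cursor.
WORDS_FROM_REPORT = [";xclock", "date->pwned", "xclock"]

# Tokens a POSIX shell treats as command separators or redirections.
SHELL_OPERATORS = {";", "|", "&", "&&", "||", ">", ">>", "<", "<<", "(", ")"}


def build_keyword_command_unsafe(keywordprg, word):
    """Model of the flawed behaviour: the word under the cursor is spliced
    into the 'keywordprg' command line verbatim, so ';' starts a second
    command and '>' becomes a redirection once the shell parses the line."""
    return f"{keywordprg} {word}"


def build_keyword_command_safe(keywordprg, word):
    """Hardened form (this example's own sanitisation, not the upstream
    patch): single-quote the word so the shell passes it as one literal
    argument, and refuse words the keyword program would parse as an
    option (section 3.1.2: GNU man's '--pager' would run a command)."""
    if not word or word.startswith("-"):
        raise ValueError(f"refusing keyword that looks like an option: {word!r}")
    return f"{keywordprg} {shlex.quote(word)}"


def shell_tokens(cmdline):
    """Tokenise like a POSIX shell without executing anything; with
    punctuation_chars=True, ';', '>', '|' etc. come out as their own tokens."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


def shell_sees_single_argument(keywordprg, cmdline):
    """True only if the shell would run keywordprg with exactly one argument
    and no operator token survives, i.e. the word cannot escape its slot."""
    tokens = shell_tokens(cmdline)
    return (tokens[0] == keywordprg and len(tokens) == 2
            and tokens[1] not in SHELL_OPERATORS)


if __name__ == "__main__":
    for word in WORDS_FROM_REPORT:
        unsafe = build_keyword_command_unsafe("man", word)
        safe = build_keyword_command_safe("man", word)
        print(f"{word!r}: unsafe -> {shell_tokens(unsafe)} "
              f"single-arg={shell_sees_single_argument('man', unsafe)}")
        print(f"{' ' * len(repr(word))}  safe   -> {shell_tokens(safe)} "
              f"single-arg={shell_sees_single_argument('man', safe)}")
```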