Bug 164488 - CAN-2005-2368 modelines in vim can own you
CAN-2005-2368 modelines in vim can own you
Status: CLOSED WONTFIX
Product: Fedora Legacy
Classification: Retired
Component: vim (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://www.guninski.com/where_do_you_...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-07-28 04:27 EDT by Pavel Kankovsky
Modified: 2007-08-30 15:57 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-30 15:57:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pavel Kankovsky 2005-07-28 04:27:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Mozilla rulez!)

Description of problem:
An evil modeline can execute arbitrary shell commands when you open a file with Vim.

Version-Release number of selected component (if applicable):
vim-common-6.1-18.7x.2.3.legacy (rh7.3) vim-common-6.1-29.3.legacy (rh9)

How reproducible:
Always

Steps to Reproduce:
1. echo 'vim: foldmethod=expr:foldexpr=glob("`touch\ /tmp/where_do_you_want_bill_gates_to_go_today\?`")+expand("$(touch$IFS/tmp/where_do_you_want_billg_to_go\?)"):' > /tmp/guninski.txt
   (combination of Georgi's methods 1 and 2)
2. vim +p +q /tmp/guninski.txt 
3. ls -l /tmp/where_do_you_want_*


Additional info:

Verified on RH73 a RH9 (with FL updates). FC1/2 are probably affected as well.

There is an official two-part patch for 6.3 at  ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.081 and ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.082

Here is a merged version from Ubuntu (debian/patches/06_modeline_codeexec.diff):
diff -urN vim63/src/os_unix.c vim63.new/src/os_unix.c
--- vim63/src/os_unix.c        2005-07-26 11:16:28.769865769 +0000
+++ vim63.new/src/os_unix.c    2005-07-26 11:16:05.786180086 +0000
@@ -4697,6 +4697,12 @@
     if (!have_wildcard(num_pat, pat))
       return save_patterns(num_pat, pat, num_file, file);
 
+# ifdef HAVE_SANDBOX
+    /* Don't allow any shell command in the sandbox. */
+    if (sandbox != 0 && check_secure())
+      return FAIL;
+# endif
+
     /*
      * Don't allow the use of backticks in secure and restricted mode.
      */

The patch appears to modify mch_expand_wildcards(). The code 6.1 looks similar enough to make this patch applicable without any substantial changes.
Comment 1 Jeff Sheltren 2005-08-28 08:49:06 EDT
See https://rhn.redhat.com/errata/RHSA-2005-745.html for updated packages.

This effects all legacy distributions.
Comment 2 John Dalbec 2005-09-01 09:10:52 EDT
FYI:
05.30.24 CVE: CAN-2005-2368
Platform: Cross Platform
Title: Vim ModeLines Further Variant Arbitrary Command Execution
Description: Vim is a text editor. It is susceptible to an arbitrary
command execution vulnerability which can be caused by modifying a
text file to include "ModeLines" containing the "glob()" or "expand()"
functions with shell metacharacters. Vim version 6.3.082 is released
to fix this issue.
Ref: http://www.securityfocus.com/advisories/8955 
Comment 3 Jesse Keating 2007-08-30 15:57:07 EDT
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.

Note You need to log in before you can comment on or make changes to this bug.