Bug 1718308 (CVE-2019-12735) - CVE-2019-12735 vim/neovim: ':source!' command allows arbitrary command execution via modelines
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1717942
Depends On: 1718314 1718312 1718315 1719811 1719812 1719963 1719964 1724045 1728009 1728010
Blocks: 1718311
Reported: 2019-06-07 13:06 UTC by Dhananjay Arunesh
Modified: 2023-03-24 14:54 UTC (History)

Fixed In Version: vim 8.1.1365, neovim 0.3.6
Doc Type: If docs needed, set a value
Doc Text:
It was found that the `:source!` command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:07:18 UTC
Embargoed:

Links (Red Hat Product Errata):
RHSA-2019:1619 (last updated 2019-06-27 06:25:32 UTC)
RHSA-2019:1774 (last updated 2019-07-15 12:45:38 UTC)
RHSA-2019:1793 (last updated 2019-07-16 13:45:56 UTC)
RHSA-2019:1947 (last updated 2019-07-30 09:09:08 UTC)

Description Dhananjay Arunesh 2019-06-07 13:06:18 UTC
Vim before 8.1.1365 and Neovim before 0.3.6 did not restrict the `:source!` command when executed in a sandbox.
This allows remote attackers to take advantage of the modeline feature to inject arbitrary commands when a specially crafted file is opened.

References:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Upstream commits:
* vim: https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
* neovim: https://github.com/neovim/neovim/pull/10082/commits/5e611f32841e746932fbcbea292ca502ed9e694b

Comment 1 Dhananjay Arunesh 2019-06-07 13:08:23 UTC
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 1718312]

Comment 2 Dhananjay Arunesh 2019-06-07 13:08:49 UTC
Created neovim tracking bugs for this issue:

Affects: epel-7 [bug 1718314]

Comment 3 Dhananjay Arunesh 2019-06-07 13:09:12 UTC
Created neovim tracking bugs for this issue:

Affects: fedora-all [bug 1718315]

Comment 12 Dhananjay Arunesh 2019-06-13 07:53:36 UTC
*** Bug 1717942 has been marked as a duplicate of this bug. ***

Comment 18 Cedric Buissart 2019-06-17 06:53:22 UTC
Mitigation:

The vulnerability can be triggered only if `modeline` is enabled. You can check whether `modeline` is enabled within vim via the command `:set modeline?`.
It can be turned off explicitly by adding `set nomodeline` to a vimrc file.
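
One way to apply this check across many vimrc files without launching vim, as an added example that is not part of vim, neovim or this bug report: the function below replays the `:set` commands of a vimrc in order (last assignment wins) and reports the resulting `modeline` state. The function names and `SAMPLE_VIMRC` are constructed here; the assumed default (on for ordinary users, off when running as root) follows the statement in Comment 34.

```python
"""Audit a vimrc for the effective 'modeline' setting.

Added example for the mitigation in this bug report; not part of vim or
neovim. It replays ':set' commands in order (the last assignment wins) and
reports whether modelines will be honoured. Default assumed here, as stated
in this report: modeline is on for ordinary users and off for root.
"""
import re

# ":se", ":set", ":setl" or ":setlocal" followed by option arguments.
SET_CMD_RE = re.compile(r'^\s*:?(?:se|set|setl|setlocal)\s+(.*)$')

def effective_modeline(vimrc: str, running_as_root: bool = False) -> dict:
    """Return {'modeline': bool, 'modelines': int} after applying `vimrc`."""
    modeline = not running_as_root   # default taken from this bug report
    modelines = 5                    # vim's default number of lines checked
    for raw in vimrc.splitlines():
        # A double quote starts a comment; '|' separates Ex commands.
        for cmd in raw.split('"', 1)[0].split('|'):
            m = SET_CMD_RE.match(cmd)
            if not m:
                continue
            for opt in m.group(1).split():
                if opt == 'modeline':
                    modeline = True
                elif opt == 'nomodeline':
                    modeline = False
                elif opt in ('invmodeline', 'modeline!'):
                    modeline = not modeline
                elif opt == 'modeline&':            # reset to default
                    modeline = not running_as_root
                elif opt.startswith('modelines=') and opt[10:].isdigit():
                    modelines = int(opt[10:])       # 0 disables the checks
    # Modelines are only processed when both settings allow it.
    return {'modeline': modeline and modelines > 0, 'modelines': modelines}

# Constructed vimrc: enables modeline early, then disables it as the
# mitigation in this report recommends.
SAMPLE_VIMRC = """\
set ts=4 sw=4 " indentation
set modeline modelines=3
set nomodeline
"""

if __name__ == "__main__":
    print(effective_modeline(SAMPLE_VIMRC))
    print(effective_modeline("set modeline", running_as_root=True))
```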

Comment 25 errata-xmlrpc 2019-06-27 06:25:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 7

Via RHSA-2019:1619 https://access.redhat.com/errata/RHSA-2019:1619

Comment 28 Product Security DevOps Team 2019-07-12 13:07:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12735

Comment 29 errata-xmlrpc 2019-07-15 12:45:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1774 https://access.redhat.com/errata/RHSA-2019:1774

Comment 30 errata-xmlrpc 2019-07-16 13:45:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:1793 https://access.redhat.com/errata/RHSA-2019:1793

Comment 31 errata-xmlrpc 2019-07-30 09:09:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1947 https://access.redhat.com/errata/RHSA-2019:1947

Comment 34 Cedric Buissart 2019-10-09 07:42:10 UTC
Statement:

To be successfully and automatically triggered when a specially crafted file is opened, this vulnerability requires 3 parts:

1) The `source!` command's inability to check whether it is running in sandbox mode (the fix commit prevents this)

2) `modeline` to be enabled (by default, modeline is disabled when running with root permission; see the `Mitigation` steps to disable the modeline)

3) A function, to be inserted in the modeline, that can be used to trigger the `source!` command (e.g.: `assert_fail()` in the public reproducer). To the best of our knowledge, no such functions were found in the default installation of Red Hat Enterprise Linux versions 5, 6 and 7 at the time of the flaw. However, Red Hat Enterprise Linux version 8 contains `assert_fail()`.

Without part 2 or 3, an attacker would need to be able to craft the command line used to open the crafted file in order to trigger the vulnerability.
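
On a host where `modeline` is still enabled, a defender may want to find files whose modelines mention the `source!` command named in part 3. The following Python scanner is an added example, not code from this bug report, vim or neovim: it checks only the lines vim would honour modelines from and flags options containing `source!` or its abbreviation `so!`. The sample file, regexes and function names are constructed here, and the modeline parsing is a simplified version of vim's rules.

```python
"""Flag vim modelines that reference ':source!' in the lines vim inspects.

Added example for this bug report, not code from vim, neovim or the upstream
fix. Simplified form of vim's modeline rules: only the first and last
'modelines' lines (default 5) are checked, the marker is "vi:", "vim:",
"Vim:" or "ex:" at line start or after whitespace, and the
"se[t] {options}:" form ends at the colon.
"""
import re

MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")
SET_FORM_RE = re.compile(r"se(?:t)?\s+(.*?):")
# ':source!' or its abbreviation ':so!', not preceded by another letter.
SOURCE_BANG_RE = re.compile(r"(?<![A-Za-z])(?:source|so)!")

def find_modeline(line: str):
    """Return the option text of a modeline found in `line`, else None."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    opts = m.group(1)
    sm = SET_FORM_RE.match(opts)
    return sm.group(1) if sm else opts

def suspicious_modelines(text: str, modelines: int = 5) -> list:
    """(1-based line, options) for first/last-`modelines` modelines naming source!/so!."""
    lines = text.splitlines()
    if len(lines) <= 2 * modelines:
        candidates = range(len(lines))
    else:
        candidates = [*range(modelines), *range(len(lines) - modelines, len(lines))]
    hits = []
    for i in candidates:
        opts = find_modeline(lines[i])
        if opts is not None and SOURCE_BANG_RE.search(opts):
            hits.append((i + 1, opts))
    return hits

# Constructed sample file: one benign modeline and one with a deliberately
# non-functional marker standing in for a source!-bearing option value.
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et:",
    "print('hello')",
    "# vi: set fdm=expr fde=PLACEHOLDER_source!_PLACEHOLDER:",
])

if __name__ == "__main__":
    for lineno, opts in suspicious_modelines(SAMPLE):
        print(f"line {lineno}: suspicious modeline options {opts!r}")
```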

