Bug 461927 - (CVE-2008-4101) CVE-2008-4101 vim: arbitrary code execution in commands: K, Control-], g]
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: reported=20080820,public=20080822,sou...
Keywords: Security
Depends On: 465813 465814 465815 465817 465818 465819

Reported: 2008-09-11 10:11 EDT by Jan Lieskovsky
Modified: 2009-06-11 08:56 EDT
CC: 4 users
Doc Type: Bug Fix
Last Closed: 2009-01-09 03:36:16 EST

Attachments: None
Description Jan Lieskovsky 2008-09-11 10:11:12 EDT
Description of problem:

Ben Schmidt has discovered the following security flaw in Vim, which
could lead to arbitrary code execution. Insufficient sanitization can lead to Vim executing arbitrary commands when performing keyword or tag lookup.

Flaw description pasted from original rdancer.org report (see [1]):

3.1. Keyword Lookup -- The ``K'' Command
3.1.1. Shell Commands and Ex Commands

Because the string passed to the shell for execution is not sanitized,
it is possible to specify arbitrary shell commands where Vim expects an
argument for the keyword program.  Same applies to arbitrary Ex commands.

3.1.2. Keyword Program Command Line Switches

It is possible to specify command line switches for the keyword program
in place of the argument.  The gravity of this vulnerability depends on
the keyword program selected.  GNU man, the default keyword program in
many installations, supports for example the ``--pager'' option (cf.
the GNU man(1) manual page).  This allows arbitrary command execution.

3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands

Insufficient sanitization of an Ex command argument allows specifying
additional arbitrary Ex commands in place of the argument.

3.3. Unknown Shell/Keyword Program

Because the syntax of the shell that is being used to execute the
commands is not known beforehand, there may be other unknown
vulnerabilities that are present depending on the shell being used.
Ditto for the man(1) program, and other keyword programs.

Version-Release number of selected component (if applicable):
3.0--current, possibly older

How reproducible:
Always

Steps to Reproduce:
1. See part "4.EXPLOIT" from the original rdancer.org report [1]
  
Actual results:
Arbitrary code execution possible

Expected results:
No security flaw present.

References:

[1] http://www.rdancer.org/vulnerablevim-K.html

Proposed patch:

Report: http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2 
Patch:  
  http://groups.google.com/group/vim_dev/attach/dd32ad3a84f36bb2/K-arbitrary-command-execution.patch?part=2

RH SRT official statement:

This issue affects all versions of the vim-enhanced package, as shipped
with Red Hat Enterprise Linux 2.1, 3, 4 and 5 and within Fedora releases
of 8, 9 and 10.
Comment 1 Jan Lieskovsky 2008-09-12 08:20:56 EDT
The patch mentioned above is incomplete. Jan Minar has provided v3 of 
the patch, for the K-shell command Vim issue, available at:

http://groups.google.com/group/vim_dev/attach/9290f26f9bc11b33/K-arbitrary-command-execution.patch.v3?part=2

Yet another Vim upstream patch, also facing this issue is:

http://ftp.vim.org/pub/vim/patches/7.2/7.2.010
Comment 2 Jan Lieskovsky 2008-10-06 04:28:31 EDT
More detailed steps to reproduce the "xclock" issue:

1. Open a new file via Vim: vim /tmp/somenewfile
2. In Vim normal mode type: :set iskeyword=;,@
3. Switch to Vim insert mode and type/insert into file: ;xclock
4. Switch back to Vim normal mode and with cursor present on the
   "xclock" substring press the "K" key

Actual result:

The xclock command is executed / displayed.

Expected result:

The manual page for the 'xclock' command should be displayed.

More detailed steps to reproduce the creation of "pwned" file issue:

1. Open a new file via Vim: vim /tmp/anothernewfile
2. In normal Vim mode type: :set iskeyword=1-255
3. Switch to Vim insert mode and type/insert into file: ;date->pwned
4. Switch back to Vim normal mode and with cursor present on the
   "date" substring press the "K" key

Actual result:

File with name "pwned" is created in cwd:

# ls -l pwned
-rw-r--r-- 1 root root 0 Oct  6 10:19 pwned

Expected result:

No file created.
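The defence the report implies for both 3.1.1 (shell metacharacters in the keyword) and 3.1.2 (switches in place of the argument) is to treat the text under the cursor as data, never as part of a command line. The following is an added C example written for this page; it is not Vim's code and not the upstream patch linked above. It single-quotes the keyword for a POSIX shell, refuses keywords that a keyword program would parse as a switch, and builds the command line with a `--` end-of-options marker. The `man` keyword program, the `--` marker and the metacharacter list are assumptions; the sample inputs are constructed from the reproduction steps in Comment 2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Illustrative hardening for a keyword-lookup command that hands buffer
 * text to a shell (the pattern behind the K command issue).  Added
 * example only: not Vim's code and not the upstream fix. */

/* True if the keyword starts with '-' and would therefore be parsed by
 * the keyword program as a command-line switch (the "--pager" case). */
bool looks_like_switch(const char *kw)
{
    return kw[0] == '-';
}

/* True if the keyword contains a character a POSIX shell would treat
 * specially.  Assumed list; useful for logging/detection, but quoting
 * below is the actual defence and does not rely on this check. */
bool has_shell_metachars(const char *kw)
{
    return strpbrk(kw, ";|&<>$`\\\"' \t\n()*?[]{}~#!") != NULL;
}

/* Single-quote kw for a POSIX shell: wrap in '...' and replace each
 * embedded ' with '\''.  Returns a malloc'd string (caller frees) or
 * NULL on allocation failure. */
char *shell_single_quote(const char *kw)
{
    size_t len = strlen(kw), quotes = 0;
    for (const char *p = kw; *p; p++)
        if (*p == '\'')
            quotes++;
    /* two outer quotes + 3 extra bytes per embedded quote + NUL */
    char *out = malloc(len + 2 + quotes * 3 + 1);
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = kw; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build "<keywordprg> -- '<kw>'".  Returns NULL (nothing is built) for an
 * empty keyword or one that looks like a switch.  The "--" marker is an
 * assumption about the keyword program (GNU man honours it); the leading
 * '-' check covers programs that do not. Caller frees the result. */
char *build_keyword_cmd(const char *keywordprg, const char *kw)
{
    if (kw == NULL || *kw == '\0' || looks_like_switch(kw))
        return NULL;
    char *quoted = shell_single_quote(kw);
    if (!quoted)
        return NULL;
    size_t n = strlen(keywordprg) + 4 + strlen(quoted) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "%s -- %s", keywordprg, quoted);
    free(quoted);
    return cmd;
}

int main(void)
{
    /* Constructed inputs, taken from the reproduction steps in Comment 2
     * plus a switch-like keyword and one containing a single quote. */
    const char *samples[] = { "xclock", ";xclock", "date->pwned",
                              "--pager=xclock", "it's" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *cmd = build_keyword_cmd("man", samples[i]);
        printf("%-16s metachars=%d -> %s\n", samples[i],
               has_shell_metachars(samples[i]),
               cmd ? cmd : "(rejected: leading '-')");
        free(cmd);
    }
    return 0;
}
```

With this construction `;xclock` and `date->pwned` reach the shell as the single argument `';xclock'` and `'date->pwned'`, so the `;` and `>` are never interpreted, and `--pager=xclock` is rejected before any command line exists.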
