Bug 467439 (CVE-2008-3076, CVE-2008-6235) - CVE-2008-6235 Vim netrw.vim plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution
Status: CLOSED ERRATA
Alias: CVE-2008-3076, CVE-2008-6235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 455023
Depends On: 467453 467454
Reported: 2008-10-17 14:19 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-01-09 08:34:51 UTC



Links:
Red Hat Product Errata RHSA-2008:0580 (normal, SHIPPED_LIVE): Moderate: vim security update, last updated 2008-11-25 08:41:07 UTC

Description Jan Lieskovsky 2008-10-17 14:19:24 UTC
Description of problem:

Jan Minar has reported the following problem present in Vim netrw.vim
plugin:

Issue #1:
=========

 3.4. Deleting Files (The ``D'' Command) (from vulnerablevim-netrw.html)
 3.1 Vulnerability 

 Netrw fails to properly sanitize arguments passed to the s:System() function,  
 which is a wrapper for the ``execute'' command.

References: http://www.rdancer.org/vulnerablevim-netrw.html
            http://www.rdancer.org/vulnerablevim-netrw.v2.html

Steps to Reproduce: (run 'make test' or 'make demo' in netrw.v4 testcase
or perform the following steps):

1. Open directory with a crafted filename ("sploit" in netrw.v4 testcase)
   vim sploit
2. Point the cursor to the encoded part of the filename, i.e.
   on some "number" between the "echo" command and "|" sign.
   (`echo 0:64617465203e3e2070776e6564 | xxd -r`)
3. Press "D" to delete this file
4. Confirm deletion request with "y"
5. Close Vim ":q"

Actual result:

  On a vulnerable Vim version the file is not deleted and a file "pwned"
  is created in cwd (decode the meaning of the sploit by running:
  $ echo 0:64617465203e3e2070776e6564 | xxd -r)

Expected result:

  File deleted, no arbitrary code execution possibility.

Issue #2: 
=========

  Lack of sanitization throughout Netrw can lead to arbitrary code execution 
  upon opening a directory with a crafted name.

References: http://www.rdancer.org/vulnerablevim-netrw.v5.html

Steps to Reproduce: run 'make test' or 'make demo' command in netrw.v5
                    testcase.

Actual result:

  On a vulnerable Vim version a file "pwned" is created in cwd.

Expected result:

  No arbitrary code execution possibility.


Common references: 

http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html

http://www.openwall.com/lists/oss-security/2008/07/15/4

Comment 1 Jan Lieskovsky 2008-10-17 14:22:55 UTC
This issue does not affect the versions of the Vim package, as shipped with
Red Hat Enterprise Linux 2.1, 3 and 4.

This issue affects the version of the Vim package as shipped with Red Hat
Enterprise Linux 5 and Fedora releases 8 and 9 (only Vim 7.0 and Vim 7.1
are vulnerable to these issues).

This issue does not affect the version of the Vim package as shipped with
Fedora rawhide release (already fixed in Vim 7.2 and netrw.vim 132).

Comment 4 Jan Lieskovsky 2008-10-27 12:37:05 UTC
*** Bug 455023 has been marked as a duplicate of this bug. ***

Comment 5 Jan Lieskovsky 2008-10-27 12:39:27 UTC
Attaching netrw.vim plugin code differences between versions v.111 and v.132
for the 'mz' command issue (the relevant affected code function is
NetrwMarkFileCompress()):

netrw.vim 111:

   2705     for sfx in sort(keys(g:netrw_decompress))
   2706      if fname =~ '\'.sfx.'$'
   2707       " fname has a suffix indicating that its compressed; apply associated decompression routine
   2708       let exe= g:netrw_decompress[sfx]
   2709 "      call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
   2710       if executable(exe)
   2711        if a:islocal
   2712         call system(exe." ".fname)
   2713        else
   2714         call s:RemoteSystem(exe." ".fname)
   2715        endif
   2716       else
   2717        call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50)
   2718       endif
   2719       break
   2720      endif
   2721     endfor
   2722     if exists("exe")
   2723      unlet exe
   2724     elseif a:islocal
   2725      " fname not a compressed file, so compress it
   2726      call system(g:netrw_compress." ".fname)
   2727     else
   2728      " fname not a compressed file, so compress it
   2729      call s:RemoteSystem(g:netrw_compress." ".fname)
   2730     endif
   2731    endfor

netrw.v132: 

   3858     for sfx in sort(keys(g:netrw_decompress))
   3859      if fname =~ '\'.sfx.'$'
   3860       " fname has a suffix indicating that its compressed; apply associated decompression routine
   3861       let exe= s:WinPath(g:netrw_decompress[sfx])
   3862 "      call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
   3863       if a:islocal
   3864        if g:netrw_keepdir
   3865         let fname= shellescape(s:ComposePath(curdir,fname))
   3866        endif
   3867       else
   3868        let fname= shellescape(b:netrw_curdir.fname,1)
   3869       endif
   3870       if executable(exe)
   3871        if a:islocal
   3872         call system(exe." ".fname)
   3873        else
   3874         call s:RemoteSystem(exe." ".fname)
   3875        endif
   3876       else
   3877        call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50)
   3878       endif
   3879       break
   3880      endif
   3881     endfor
   3882     if exists("exe")
   3883      unlet exe
   3884     elseif a:islocal
   3885      " fname not a compressed file, so compress it
   3886      call system(s:WinPath(g:netrw_compress)." ".shellescape(s:ComposePath(b:netrw_curdir,fname)))
   3887     else
   3888      " fname not a compressed file, so compress it
   3889      call s:RemoteSystem(s:WinPath(g:netrw_compress)." ".shellescape(fname))
   3890     endif
   3891    endfor


i.e. on Unix systems, the calls for "s:ComposePath(b:netrw_curdir,fname)"
and "fname" were prefixed with
"shellescape(s:ComposePath(b:netrw_curdir,fname))"
and "shellescape(fname)" respectively.

Comment 6 Jan Lieskovsky 2008-10-27 12:40:31 UTC
Attaching netrw.vim plugin code differences between versions v.122 and v.132
for the 'mc' command issue (the relevant affected function is called
NetrwMarkFileCopy):

netrw.v122:

3760      if  a:islocal &&  s:netrwmfloc
3761       " local to local copy
3762 "      call Decho("local to local copy: from b:netrw_curdir<".b:netrw_curdir."> fname<".fname."> to s:netrwmftgt<".s:netrwmftgt.">")
3763       if executable(g:netrw_localcopycmd)
3764 "       call Decho("let ret= system(".g:netrw_localcopycmd." ".s:ComposePath(b:netrw_curdir,fname)." ".s:netrwmftgt.")")
3765        let ret= system(g:netrw_localcopycmd." ".s:ComposePath(curdir,fname)." ".s:netrwmftgt)
3766        if v:shell_error < 0
3767         call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> failed, aborting",54)
3768         break
3769        endif
3770       else
3771        call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> is not executable!",57)
3772        break
3773       endif

netrw.v132:

   3925   if      a:islocal &&  s:netrwmftgt_islocal
   3926    " Copy marked files, local directory to local directory
   3927 "   call Decho("copy from local to local")
   3928    let args= join(map(deepcopy(s:netrwmarkfilelist_{bufnr('%')}),"shellescape(b:netrw_curdir.\"/\".v:val)"))
   3929 "   call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")")
   3930    call system(s:WinPath(g:netrw_localcopycmd)." ".args." ".shellescape(s:netrwmftgt))
   3931

i.e. the relevant functions were replaced by their 'shellescape()-ed' 
alternatives.

Comment 7 Jan Lieskovsky 2008-10-27 12:41:00 UTC
Attaching netrw.vim code differences for the 'D' command issue between versions
netrw.vim v.122 and netrw.vim v.132 - the relevant affected code function
is called NetrwLocalRmFile:

netrw.v122:

6255    if all || ok =~ 'y\%[es]' || ok == ""
6256 "     call Decho("1st attempt: system(".g:netrw_local_rmdir.' "'.rmfile.'")')
6257     call s:System("system",g:netrw_local_rmdir.' "'.rmfile.'"')
6258 "     call Decho("v:shell_error=".v:shell_error)

netrw.v132: 

   6817    if all || ok =~ 'y\%[es]' || ok == ""
   6818 "    call Decho("1st attempt: system(s:WinPath(".g:netrw_local_rmdir.') '.shellescape(rmfile).')')
   6819     call system(s:WinPath(g:netrw_local_rmdir).' '.shellescape(rmfile))
   6820 "    call Decho("v:shell_error=".v:shell_error)

i.e. the provided 'rmfile' argument was replaced with its shellescape()-ed
alternative.
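The shellescape() fix shown in comments 5, 6 and 7, modelled in Python as an added example (not netrw's, Vim's or the reporter's code): the three build_cmdline styles mirror the v111 bare concatenation, the v122 double-quoting and the v132 shellescape() call, and filename_survives() checks whether a constructed filename reaches the shell as a single argument. The function names, the sample filenames and the use of RM_CMD in place of g:netrw_local_rmdir are assumptions of this example; Python's shlex stands in for the shell's tokeniser.

```python
import re
import shlex

# Constructed sample names (not taken from the bug report); RM_CMD stands in
# for g:netrw_local_rmdir.
CRAFTED_NAME = 'report"; echo injected; "notes.txt'   # breaks out of "..."
SPACE_NAME = "old; echo injected"                      # breaks out when bare
QUOTE_NAME = "it's here.txt"                           # unbalanced when bare
RM_CMD = "rm -rf"


def vim_shellescape(s, special=False):
    """Model of Vim's Unix shellescape(): wrap in single quotes and turn an
    embedded ' into '\\''.  With {special} set Vim also backslashes items
    that :! would expand (!, %, #, <cword>...); only !, % and # are modelled."""
    if special:
        s = re.sub(r"([!%#])", r"\\\1", s)
    return "'" + s.replace("'", "'\\''") + "'"


def build_cmdline(rmfile, style):
    """Assemble the delete command the way each quoted netrw version did."""
    if style == "v111":   # bare concatenation, as in exe." ".fname
        return RM_CMD + " " + rmfile
    if style == "v122":   # double quotes, as in rmdir.' "'.rmfile.'"'
        return RM_CMD + ' "' + rmfile + '"'
    if style == "v132":   # the fix: rmdir.' '.shellescape(rmfile)
        return RM_CMD + " " + vim_shellescape(rmfile)
    raise ValueError(style)


def shell_argv(cmdline):
    """Tokenise like a POSIX shell; ; | & come back as their own tokens, so a
    name that escaped its quoting shows up as extra words."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def filename_survives(rmfile, style):
    """True iff the name reaches the command as exactly one argv element."""
    try:
        argv = shell_argv(build_cmdline(rmfile, style))
    except ValueError:        # unbalanced quote: the shell would not run it as meant
        return False
    return argv == RM_CMD.split() + [rmfile]
```

Only the v132 style keeps all three constructed names intact; the v122 double quotes already fail on a name that itself contains a double quote.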

Comment 8 Jan Lieskovsky 2008-10-27 12:41:27 UTC
Attaching netrw.vim code differences for the 'arbitrary code execution
due to insufficient directory name sanitization when opening directory'
(http://www.rdancer.org/vulnerablevim-netrw.v5.html) between versions
v.122 and v.132 -- the relevant affected code function is called BrowserMaps().

netrw.v122:

1709    if g:netrw_mousemaps == 1
1710     nnoremap <buffer> <silent> <leftmouse>   <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
1711     nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
1712     nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
1713     exe 'nnoremap <buffer> <silent> <rightmouse>  <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
1714     exe 'vnoremap <buffer> <silent> <rightmouse>  <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
1715    endif
1716    exe 'nnoremap <buffer> <silent> <del>        :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
1717    exe 'vnoremap <buffer> <silent> <del>        :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
1718    exe 'nnoremap <buffer> <silent> D            :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
1719    exe 'vnoremap <buffer> <silent> D            :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
1720    exe 'nnoremap <buffer> <silent> R            :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
1721    exe 'vnoremap <buffer> <silent> R            :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
1722    exe 'nnoremap <buffer> <silent> <Leader>m    :call <SID>NetrwMakeDir("")<cr>'
1723    nnoremap <buffer> <F1>               :he netrw-dir<cr>


netrw.v132:

   1734    if g:netrw_mousemaps == 1
   1735     nnoremap <buffer> <silent> <leftmouse>   <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
   1736     nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
   1737     nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
   1738     exe 'nnoremap <buffer> <silent> <rightmouse>  <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   1739     exe 'vnoremap <buffer> <silent> <rightmouse>  <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   1740    endif
   1741    exe 'nnoremap <buffer> <silent> <del>        :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   1742    exe 'vnoremap <buffer> <silent> <del>        :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   1743    exe 'nnoremap <buffer> <silent> D            :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   1744    exe 'vnoremap <buffer> <silent> D            :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   1745    exe 'nnoremap <buffer> <silent> R            :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>'
   1746    exe 'vnoremap <buffer> <silent> R            :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>'
   1747    exe 'nnoremap <buffer> <silent> <Leader>m    :call <SID>NetrwMakeDir("")<cr>'
   1748    nnoremap <buffer> <F1>               :he netrw-quickhelp<cr>


i.e. instead of calling the unsanitized NetrwLocalRm("'.b:netrw_curdir.'") we
now call its safer NetrwLocalRm("'.mapsafecurdir.'") alternative.

Comment 9 Jan Lieskovsky 2008-10-27 12:44:18 UTC
CVE-2008-3076 now covers all netrw.vim plugin related issues:

http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html

The 'mz' and 'mc' issues do not affect the version of the Vim package,
as shipped with Red Hat Enterprise Linux 5 (they affect only Vim 7.2a+).

The 'D' and 'netrw.v5' issues affect the version of the Vim package,
as shipped with Red Hat Enterprise Linux 5.

Comment 10 Red Hat Product Security 2009-01-09 08:34:51 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0580.html

Fedora (updated to upstream 7.2.060):
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
  https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644

Comment 11 Jan Lieskovsky 2009-02-24 10:56:33 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6235 to
the following vulnerability:

The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted
attackers to execute arbitrary commands via shell metacharacters in a
filename used by the (1) "D" (delete) command or (2) b:netrw_curdir
variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6235
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html

Comment 12 Jan Lieskovsky 2009-02-24 10:59:08 UTC
More explanation of comment #c9:

After CVE assignment the Vim netrw.vim plugin issues were split:

------------------------------------------------------------------------

The 'mz' and 'mc' issues do not affect the version of the Vim package,
as shipped with Red Hat Enterprise Linux 5 (they affect only Vim 7.2a+).

These are covered by CVE-2008-3076.

------------------------------------------------------------------------

The 'D' and 'netrw.v5' issues affect the version of the Vim package,
as shipped with Red Hat Enterprise Linux 5.

These are covered by CVE-2008-6235.

Comment 13 Jan Lieskovsky 2009-02-24 11:04:41 UTC
Adding description of CVE-2008-3076 for completeness:

The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted
attackers to execute arbitrary code via shell metacharacters in
filenames used by the execute and system functions within the (1) mz
and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test
cases. NOTE: this issue reportedly exists because of an incomplete
fix for CVE-2008-2712.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3076
http://marc.info/?l=bugtraq&m=121494431426308&w=2
http://www.openwall.com/lists/oss-security/2008/07/07/1
http://www.openwall.com/lists/oss-security/2008/07/07/4
http://www.openwall.com/lists/oss-security/2008/07/08/12
http://marc.info/?l=oss-security&m=122416184431388&w=2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.securityfocus.com/bid/30115
