Description of problem:

Jan Minar has reported the following problem present in Vim netrw.vim plugin:

Issue #1:
=========

3.4. Deleting Files (The ``D'' Command) (from vulnerablevim-netrw.html)

3.1 Vulnerability

Netrw fails to properly sanitize arguments passed to the s:System() function, which is a wrapper for the ``execute'' command.

References:
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html

Steps to Reproduce:
(run 'make test' or 'make demo' in netrw.v4 testcase or perform the following steps):
1, Open directory with a crafted filename ("sploit" in netrw.v4 testcase)
   vim sploit
2, Point the cursor to the encoded part of the filename, i.e. on some "number" between the "echo" command and "|" sign. (`echo 0:64617465203e3e2070776e6564 | xxd -r`)
3, Press "D" to delete this file
4, Confirm deletion request with "y"
5, Close Vim ":q"

Actual result:
On vulnerable Vim version file is not deleted and file "pwned" is created in cwd (decode the meaning of the sploit by running: $ echo 0:64617465203e3e2070776e6564 | xxd -r)

Expected result:
File deleted, no arbitrary code execution possibility.

Issue #2:
=========

Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name.

References:
http://www.rdancer.org/vulnerablevim-netrw.v5.html

Steps to Reproduce:
run 'make test' or 'make demo' command in netrw.v5 testcase.

Actual result:
On vulnerable Vim version file "pwned" is created in cwd.

Expected result:
No arbitrary code execution possibility.

Common references:
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html
http://www.openwall.com/lists/oss-security/2008/07/15/4
This issue does not affect the versions of the Vim package, as shipped with Red Hat Enterprise Linux 2.1, 3 and 4. This issue affects the version of the Vim package as shipped with Red Hat Enterprise Linux 5 and Fedora releases of 8 and 9 (only Vim 7.0 and Vim 7.1 are vulnerable to these issues). This issue does not affect the version of the Vim package as shipped with Fedora rawhide release (already fixed in Vim 7.2 and netrw.vim 132).
*** Bug 455023 has been marked as a duplicate of this bug. ***
Attaching netrw.vim plugin code differences between versions v.111 and v.132 for the 'mz' command issue (the relevant affected code function is NetrwMarkFileCompress()):

netrw.vim 111:

    for sfx in sort(keys(g:netrw_decompress))
     if fname =~ '\'.sfx.'$'
      " fname has a suffix indicating that its compressed; apply associated decompression routine
      let exe= g:netrw_decompress[sfx]
    " call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
      if executable(exe)
       if a:islocal
        call system(exe." ".fname)
       else
        call s:RemoteSystem(exe." ".fname)
       endif
      else
       call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50)
      endif
      break
     endif
    endfor
    if exists("exe")
     unlet exe
    elseif a:islocal
     " fname not a compressed file, so compress it
     call system(g:netrw_compress." ".fname)
    else
     " fname not a compressed file, so compress it
     call s:RemoteSystem(g:netrw_compress." ".fname)
    endif
   endfor

netrw.v132:

    for sfx in sort(keys(g:netrw_decompress))
     if fname =~ '\'.sfx.'$'
      " fname has a suffix indicating that its compressed; apply associated decompression routine
      let exe= s:WinPath(g:netrw_decompress[sfx])
    " call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
      if a:islocal
       if g:netrw_keepdir
        let fname= shellescape(s:ComposePath(curdir,fname))
       endif
      else
       let fname= shellescape(b:netrw_curdir.fname,1)
      endif
      if executable(exe)
       if a:islocal
        call system(exe." ".fname)
       else
        call s:RemoteSystem(exe." ".fname)
       endif
      else
       call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50)
      endif
      break
     endif
    endfor
    if exists("exe")
     unlet exe
    elseif a:islocal
     " fname not a compressed file, so compress it
     call system(s:WinPath(g:netrw_compress)." ".shellescape(s:ComposePath(b:netrw_curdir,fname)))
    else
     " fname not a compressed file, so compress it
     call s:RemoteSystem(s:WinPath(g:netrw_compress)." ".shellescape(fname))
    endif
   endfor

i.e. on Unix systems, the calls for "s:ComposePath(b:netrw_curdir,fname)" and "fname" were prefixed with "shellescape(s:ComposePath(b:netrw_curdir,fname))" and "shellescape(fname)" respectively.
Attaching netrw.vim plugin code differences between versions v.122 and v.132 for the 'mc' command issue (the relevant affected function is called NetrwMarkFileCopy):

netrw.v122:

   if a:islocal && s:netrwmfloc
    " local to local copy
   " call Decho("local to local copy: from b:netrw_curdir<".b:netrw_curdir."> fname<".fname."> to s:netrwmftgt<".s:netrwmftgt.">")
    if executable(g:netrw_localcopycmd)
   " call Decho("let ret= system(".g:netrw_localcopycmd." ".s:ComposePath(b:netrw_curdir,fname)." ".s:netrwmftgt.")")
     let ret= system(g:netrw_localcopycmd." ".s:ComposePath(curdir,fname)." ".s:netrwmftgt)
     if v:shell_error < 0
      call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> failed, aborting",54)
      break
     endif
    else
     call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> is not executable!",57)
     break
    endif

netrw.v132:

   if a:islocal && s:netrwmftgt_islocal
    " Copy marked files, local directory to local directory
   " call Decho("copy from local to local")
    let args= join(map(deepcopy(s:netrwmarkfilelist_{bufnr('%')}),"shellescape(b:netrw_curdir.\"/\".v:val)"))
   " call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")")
    call system(s:WinPath(g:netrw_localcopycmd)." ".args." ".shellescape(s:netrwmftgt))

i.e. the relevant functions were replaced by their 'shellescape()-ed' alternatives.
Attaching netrw.vim code differences for the 'D' command issue between versions netrw.vim v.122 and netrw.vim v.132 - the relevant affected code function is called NetrwLocalRmFile:

netrw.v122:

   if all || ok =~ 'y\%[es]' || ok == ""
   " call Decho("1st attempt: system(".g:netrw_local_rmdir.' "'.rmfile.'")')
    call s:System("system",g:netrw_local_rmdir.' "'.rmfile.'"')
   " call Decho("v:shell_error=".v:shell_error)

netrw.v132:

   if all || ok =~ 'y\%[es]' || ok == ""
   " call Decho("1st attempt: system(s:WinPath(".g:netrw_local_rmdir.') '.shellescape(rmfile).')')
    call system(s:WinPath(g:netrw_local_rmdir).' '.shellescape(rmfile))
   " call Decho("v:shell_error=".v:shell_error)

i.e. provided 'rmfile' argument was replaced with its shellescape()-ed alternative.
Attaching netrw.vim code differences for the 'arbitrary code execution due to insufficient directory name sanitization when opening directory' (http://www.rdancer.org/vulnerablevim-netrw.v5.html) between versions v.122 and v.132 -- the relevant affected code function is called BrowserMaps().

netrw.v122:

   if g:netrw_mousemaps == 1
    nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
    nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
    nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
    exe 'nnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
    exe 'vnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   endif
   exe 'nnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   exe 'vnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   exe 'nnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   exe 'vnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   exe 'nnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
   exe 'vnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
   exe 'nnoremap <buffer> <silent> <Leader>m :call <SID>NetrwMakeDir("")<cr>'
   nnoremap <buffer> <F1> :he netrw-dir<cr>

netrw.v132:

   if g:netrw_mousemaps == 1
    nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
    nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
    nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
    exe 'nnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
    exe 'vnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   endif
   exe 'nnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   exe 'vnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   exe 'nnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   exe 'vnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
   exe 'nnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>'
   exe 'vnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>'
   exe 'nnoremap <buffer> <silent> <Leader>m :call <SID>NetrwMakeDir("")<cr>'
   nnoremap <buffer> <F1> :he netrw-quickhelp<cr>

i.e. instead of calling unsanitized NetrwLocalRm("'.b:netrw_curdir.'") we now call its more safe NetrwLocalRm("'.mapsafecurdir.'") alternative.
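The v122 to v132 changes above all replace string concatenation of a filename into a shell command line with shellescape(). The following is an added Python illustration of that difference, not netrw's own code: vim_shellescape() reproduces the Unix behaviour of Vim's shellescape(), build_cmd_unsafe() mirrors the v122 NetrwLocalRmFile pattern (filename wrapped in double quotes), build_cmd_safe() mirrors v132, and both command lines are run through /bin/sh as Vim's system() would. printf stands in for g:netrw_local_rmdir so nothing is deleted, and the filename is a constructed sample.

```python
import subprocess
from typing import List

# Constructed sample filename containing shell metacharacters; it breaks
# out of double quotes but is harmless (the ':' builtin ignores its arguments).
CRAFTED_NAME = 'notes"; echo INJECTED; : "'

# Stand-in for g:netrw_local_rmdir: prints each argument in brackets instead
# of removing anything.
RM_STANDIN = "printf '[%s]\\n'"


def vim_shellescape(s: str) -> str:
    """Unix behaviour of Vim's shellescape(): wrap in single quotes and
    rewrite every embedded single quote as '\\'' so it cannot terminate
    the quoted string."""
    return "'" + s.replace("'", "'\\''") + "'"


def build_cmd_unsafe(cmd: str, fname: str) -> str:
    """netrw v122 style: cmd . ' "' . rmfile . '"'. Double quotes do not
    neutralise '"', '$', '`' or '\\' inside the filename."""
    return cmd + ' "' + fname + '"'


def build_cmd_safe(cmd: str, fname: str) -> str:
    """netrw v132 style: cmd . ' ' . shellescape(rmfile)."""
    return cmd + " " + vim_shellescape(fname)


def run_via_shell(cmdline: str) -> List[str]:
    """Hand the command line to /bin/sh (assumed shell, as system() does)
    and return its stdout lines."""
    proc = subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # Unsafe: the filename terminates the quoted argument and the rest of it
    # runs as a second command; safe: the whole filename is one argument.
    print("v122:", run_via_shell(build_cmd_unsafe(RM_STANDIN, CRAFTED_NAME)))
    print("v132:", run_via_shell(build_cmd_safe(RM_STANDIN, CRAFTED_NAME)))
```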
CVE-2008-3076 now covers all netrw.vim plugin related issues:
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html

The 'mz' and 'mc' issues do not affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5 (affects only Vim7.2a+). The 'D' and 'netrw.v5' issues affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0580.html

Fedora (updated to upstream 7.2.060):
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6235 to the following vulnerability:

The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted attackers to execute arbitrary commands via shell metacharacters in a filename used by the (1) "D" (delete) command or (2) b:netrw_curdir variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6235
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html
More explanation to comment #c9:

After CVE assignment the Vim netrw.vim plugin issues were split:
------------------------------------------------------------------------
The 'mz' and 'mc' issues do not affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5 (affects only Vim7.2a+). These are covered by CVE-2008-3076.
------------------------------------------------------------------------
The 'D' and 'netrw.v5' issues affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5. These are covered by CVE-2008-6235.
Adding description of CVE-2008-3076 for completeness:

The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3076
http://marc.info/?l=bugtraq&m=121494431426308&w=2
http://www.openwall.com/lists/oss-security/2008/07/07/1
http://www.openwall.com/lists/oss-security/2008/07/07/4
http://www.openwall.com/lists/oss-security/2008/07/08/12
http://marc.info/?l=oss-security&m=122416184431388&w=2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.securityfocus.com/bid/30115