Description of problem: Ben Schmidt has discovered the following security flaw in Vim, which could lead to arbitrary code execution. Insufficient sanitization can lead to Vim executing arbitrary commands when performing keyword or tag lookup. Flaw description pasted from original rdancer.org report (see [1]): 3.1. Keyword Lookup -- The ``K'' Command 3.1.1. Shell Commands and Ex Commands Because the string passed to the shell for execution is not sanitized, it is possible to specify arbitrary shell commands where Vim expects an argument for the keyword program. Same applies to arbitrary Ex commands. 3.1.2. Keyword Program Command Line Switches It is possible to specify command line switches for the keyword program in place of the argument. The gravity of this vulnerability depends on the keyword program selected. GNU man, the default keyword program in many installations, supports for example the ``--pager'' option (cf. the GNU man(1) manual page). This allows arbitrary command execution. 3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands Insufficient sanitization of an Ex command argument allows specifying additional arbitrary Ex commands in place of the argument. 3.3. Unknown Shell/Keyword Program Because the syntax of the shell that is being used to execute the commands is not known beforehand, there may be other unknown vulnerabilities, that are present depending on the shell being used. Ditto for the man(1) program, and other keyword programs. Version-Release number of selected component (if applicable): 3.0--current, possibly older How reproducible: Always Steps to Reproduce: 1. See part "4.EXPLOIT" from the original rdancer.org report [1] Actual results: Arbitrary code execution possible Expected results: No security flaw present. References: [1] http://www.rdancer.org/vulnerablevim-K.html Proposed patch: Report: http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2 Patch: http://groups.google.com/group/vim_dev/attach/dd32ad3a84f36bb2/K-arbitrary-command-execution.patch?part=2 RH SRT official statement: This issue affects all versions of the vim-enhanced package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5 and within Fedora releases of 8, 9 and 10.
The patch mentioned above is incomplete. Jan Minar has provided v3 of the patch, for the K-shell command Vim issue, available at: http://groups.google.com/group/vim_dev/attach/9290f26f9bc11b33/K-arbitrary-command-execution.patch.v3?part=2 Yet another Vim upstream patch, also facing this issue is: http://ftp.vim.org/pub/vim/patches/7.2/7.2.010
More detailed steps to reproduce the "xclock" issue: 1, Open a new file via Vim: vim /tmp/somenewfile 2, In Vim normal mode type: :set iskeyword=;,@ 3, Switch to Vim insert mode and type/insert into file: ;xclock 4, Switch back to Vim normal mode and with cursor present on the "xclock" substring press the "K" key Actual result: The xclock command is executed / displayed. Expected result: The manual page for the 'xclock' command should be displayed. More detailed steps to reproduce the creation of "pwned" file issue: 1, Open a new file via Vim: vim /tmp/anothernewfile 2, In normal Vim mode type: :set iskeyword=1-255 3, Switch to Vim insert mode and type/insert into file: ;date->pwned 4, Switch back to Vim normal mode and with cursor present on the "date" substring press the "K" key Actual result: File with name "pwned" is created in cwd: # ls -l pwned -rw-r--r-- 1 root root 0 Oct 6 10:19 pwned Expected result: No file created.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0580.html http://rhn.redhat.com/errata/RHSA-2008-0617.html http://rhn.redhat.com/errata/RHSA-2008-0618.html Fedora (updated to upstream 7.2.060): https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587 https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644