Description
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
It was found that the :source! command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution.
Report
To be successfully and automatically triggered when a specially crafted file is opened, this vulnerability requires 3 parts:
- The source! command's inability to check if it is running in sandbox mode (the fix commit prevents this)
- The modeline to be enabled (by default, modeline is disabled when running with root permission. See Mitigation steps to disable the modeline)
- A function, to be inserted in the modeline, that can be used to trigger the source! command (e.g. assert_fail() in the public reproducer). To the best of our knowledge, no such functions were found in the default installation of Red Hat Enterprise Linux versions 5, 6 and 7 at the time of the flaw. However, Red Hat Enterprise Linux version 8 contains assert_fail().

Without part 2 or 3, it would be required for an attacker to be able to craft the command line used to open the crafted file, in order to trigger the vulnerability.
Mitigation
The vulnerability can be triggered only if modeline is enabled. You can check whether modeline is enabled within vim via the command :set modeline? It can be turned off explicitly by adding set nomodeline in a vimrc file.
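Two offline checks that follow from the report and mitigation above, written as an added example (not part of the advisory, of Red Hat's tooling or of Vim): compare a Vim version and patch level against the fixed release 8.1.1365, and work out whether a vimrc leaves modeline enabled. The function names, the sample version text and the "compiled-in default" argument are assumptions of this example; only Vim's version output format is parsed, not Neovim's.

```shell
#!/bin/sh
# Added example for CVE-2019-12735 (not from the advisory or Vim): offline checks for
# (1) a Vim version/patch level against the fixed 8.1.1365 and (2) whether a vimrc
# leaves 'modeline' enabled. Only Vim's version format is parsed, not Neovim's.

# vim_is_vulnerable MAJOR.MINOR PATCH -> exit 0 when older than 8.1.1365.
vim_is_vulnerable() {
  version="$1"; patch="${2:-0}"
  case "$version" in *.*) ;; *) return 2 ;; esac   # not MAJOR.MINOR: unparsable
  major="${version%%.*}"; minor="${version#*.}"; minor="${minor%%.*}"
  [ "$major" -lt 8 ] && return 0
  [ "$major" -gt 8 ] && return 1
  [ "$minor" -lt 1 ] && return 0
  [ "$minor" -gt 1 ] && return 1
  [ "$patch" -lt 1365 ]
}

# Print "MAJOR.MINOR HIGHEST_PATCH" from `vim --version` text read on stdin.
parse_vim_version() {
  awk '/^VIM - Vi IMproved/ { ver = $5 }
       /^Included patches:/ { n = split($NF, r, "-"); patch = r[n] }
       END { print ver, (patch == "" ? 0 : patch) }'
}

# modeline_effective on|off < vimrc -> prints the final state of 'modeline'.
# Argument = compiled-in default (Vim: on; off when running as root). Handles
# set/se/setlocal/setl, the ml alias, no-prefix, "!" toggle, "&" reset and
# inline " comments; as in Vim, the last assignment wins.
modeline_effective() {
  awk -v state="$1" -v dflt="$1" '
    /^[ \t]*(set|se|setlocal|setl)[ \t]/ {
      for (i = 2; i <= NF; i++) {
        opt = $i
        if (opt ~ /^"/) break
        if (opt == "modeline" || opt == "ml") state = "on"
        else if (opt == "nomodeline" || opt == "noml") state = "off"
        else if (opt == "modeline!" || opt == "ml!") state = (state == "on") ? "off" : "on"
        else if (opt == "modeline&" || opt == "ml&") state = dflt
      }
    }
    END { print state }'
}

# Live check when vim is on PATH (no-op otherwise).
if command -v vim >/dev/null 2>&1; then
  set -- $(vim --version | parse_vim_version)
  vim_is_vulnerable "$1" "$2" && echo "vim $1.$2: older than 8.1.1365" || echo "vim $1.$2: not older than 8.1.1365 (or unparsed)"
  [ -r "$HOME/.vimrc" ] && echo "modeline after ~/.vimrc: $(modeline_effective on < "$HOME/.vimrc")"
fi
```

System-wide files such as /etc/vimrc can be fed to modeline_effective the same way; the result of the last file Vim reads is what counts.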
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | vim | Out of support scope | | |
Red Hat Enterprise Linux 6 | vim | Fixed | RHSA-2019:1774 | 15.07.2019 |
Red Hat Enterprise Linux 7 | vim | Fixed | RHSA-2019:1619 | 27.06.2019 |
Red Hat Enterprise Linux 7.4 Extended Update Support | vim | Fixed | RHSA-2019:1947 | 30.07.2019 |
Red Hat Enterprise Linux 7.5 Extended Update Support | vim | Fixed | RHSA-2019:1793 | 16.07.2019 |
Red Hat Enterprise Linux 8 | vim | Fixed | RHSA-2019:1619 | 27.06.2019 |
Additional information
CVSS3: 5.3 Medium