J-Security Center

Title: VIM statusline Text-Embedded Command Execution Vulnerability

Severity: CRITICAL

Description:

VIM (Vi IMproved) is an enhanced version of vi, the classic Unix programmer's text editor. In versions up to and including the current release, 5.7, an attacker can embed commands in an ordinary text file; those commands are executed when the file is opened, with the privileges of the user who opens it.

VIM provides a built-in function, system(), which runs a shell command and returns its output. VIM can also display a custom status line, configured through the 'statusline' option (abbreviated 'stl'); a "%{...}" item in that option is evaluated as an expression each time the status line is drawn, so it can call system(). Because VIM honours option settings embedded in the files it opens (modelines, the "vim:" lines it looks for near the start and end of a file), an attacker can place such a setting in a text file. A modeline similar to the following is sufficient:

vim:ls=2:stl=%{system('/tmp/getroot&')}

The modeline does not have to start a line: VIM accepts it anywhere after whitespace within the lines it scans for modelines (by default the first and last five lines of the file, controlled by the 'modelines' option). This could help to hide it, for example by placing it at the end of an excessively long line of dashes.

The first part of this example, ls=2, sets the 'laststatus' option to 2, which tells VIM always to display the status line; this matters because the code runs only when the status line is drawn. The second part defines the contents of the status line. In this simplified example it consists solely of the output of the "/tmp/getroot&" process; the ampersand tells the shell to run the process in the background. A more careful attacker would add the statusline items needed to make the line look exactly like the one the user normally sees; since this example contains only the system() call, whose backgrounded command returns no output, the status line will appear blank.

A side effect of this attack is that the command runs every time the status line is redrawn, which can be on every keystroke. A payload that is backgrounded, as above, is therefore started again and again, which may exhaust system resources.

In order for this vulnerability to be exploited, the ability to modify status lines must be enabled (the "statusline" or "stl" option set in a .vimrc file). This is not the default configuration of the stand-alone VIM 5.7 distribution, but vendors who ship VIM as part of a larger distribution may have enabled it, so a packaged VIM should be checked rather than assumed safe. Modeline processing (the 'modeline' option) must also be on for VIM to read any "vim:" line from a file at all; with "set nomodeline" in the .vimrc, VIM ignores option settings embedded in files.
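As an added example (not part of the advisory, and not VIM's own code), the following Python script reimplements enough of VIM's modeline handling to find files whose first or last five lines carry a 'statusline' setting with a "%{...}" expression item, which is the pattern described above. The marker regex, the option splitting and the sample files are constructed for illustration; version-qualified markers such as "vim<600:" are treated as matching, so the scanner over-reports rather than under-reports.

```python
"""Scan text files for VIM modelines that set 'statusline' to an expression.

Added example, not from the advisory or from VIM: it reproduces the parts
of VIM's modeline handling that matter here (first/last 'modelines' lines,
both modeline forms, ':' separators) and flags stl=%{...} settings.
"""
import re
import sys
from typing import List, Tuple

# VIM only honours modelines in the first and last 'modelines' lines of a
# file; 5 is VIM's default for that option.
MODELINES = 5

# A marker must be at the start of the line or follow whitespace.  Version
# qualifiers ("vim<600:", "vim=507:", "vim>500:", "vim507:") are accepted
# without checking the version, so this scanner over-reports rather than
# under-reports (a simplification, not VIM's exact rule).
_MARKER = re.compile(r'(?:^|(?<=\s))(?:vim|Vim|vi|ex)(?:[<=>]?\d+)?:')

# Option names and assignment operators that change the status line.
_STL = re.compile(r'^(?:stl|statusline)(?:\+=|\^=|-=|=)(.*)$', re.S)


def _split_unescaped_colon(text: str) -> List[str]:
    """Split on ':' but honour the '\\:' escape VIM allows in modelines."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text) and text[i + 1] == ':':
            cur.append(':')
            i += 2
            continue
        if text[i] == ':':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def _split_options(rest: str) -> List[str]:
    """Turn the text after a marker into the individual ':set' arguments."""
    rest = rest.lstrip()
    m = re.match(r'(?:set|se)\s', rest)
    if m:
        # Second form, "vim: set opt=val opt2:" -- settings run up to the
        # first unescaped ':' and are separated by whitespace.
        return _split_unescaped_colon(rest[m.end():])[0].split()
    # First form, "vim:opt=val:opt2=val2" -- ':' or whitespace separates.
    opts: List[str] = []
    for piece in _split_unescaped_colon(rest):
        opts.extend(piece.split())
    return opts


def suspicious_settings(options: List[str]) -> List[str]:
    """Return the settings that give 'statusline' a %{...} expression item."""
    hits = []
    for opt in options:
        m = _STL.match(opt)
        if m and '%{' in m.group(1):
            hits.append(opt)
    return hits


def scan_text(text: str, modelines: int = MODELINES) -> List[Tuple[int, str]]:
    """Return (line number, setting) for each expression status line found
    in the lines VIM would actually read as modelines."""
    lines = text.splitlines()
    n = len(lines)
    candidates = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    hits: List[Tuple[int, str]] = []
    for idx in sorted(candidates):
        line = lines[idx]
        for m in _MARKER.finditer(line):
            if m.group().startswith('ex') and m.start() == 0:
                continue  # VIM never accepts "ex:" at the very start of a line
            hits.extend((idx + 1, opt)
                        for opt in suspicious_settings(_split_options(line[m.end():])))
            break  # VIM parses only the first marker on a line
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, encoding='utf-8', errors='replace') as fh:
        return scan_text(fh.read())


# Constructed sample files, not real captures.  The first hides the
# advisory's modeline after a long run of dashes on the last line.
SAMPLE_HIDDEN = ("Release notes\n=============\nNothing to see here.\n"
                 + "-" * 200 + " vim:ls=2:stl=%{system('/tmp/getroot&')}\n")
SAMPLE_BENIGN = "#!/bin/sh\necho hello\n# vim: set ts=4 sw=4 et:\n"
# Same payload on line 10 of a 20-line file: outside the scanned window.
SAMPLE_MIDDLE = "".join(
    " vim:ls=2:stl=%{system('id')}\n" if i == 9 else "line %d\n" % i
    for i in range(20))

if __name__ == '__main__':
    for path in sys.argv[1:]:
        for lineno, setting in scan_file(path):
            print("%s:%d: %s" % (path, lineno, setting))
```

Run it as "python scan_modelines.py file..." over a directory of shared documents; a hit reports the line number and the offending setting. Because the window is limited to the first and last 'modelines' lines, the same payload buried in the middle of a longer file is correctly ignored, exactly as VIM would ignore it.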

Affected Products:

  • Caldera OpenLinux 2.3.0
  • RedHat Linux 5.2.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.0.0 sparc
  • S.u.S.E. Linux 6.1.0
  • S.u.S.E. Linux 6.2.0
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.1.0
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.1
  • VIM Development Group VIM 5.7.0
