Vulnerable Vim
Arbitrary Code Execution in Commands: K, Control-], g]

1. SUMMARY

Product  : Vim -- Vi IMproved
Versions : >= 3.0 (possibly older), < 7.2.010 (?)
Impact   : Arbitrary code execution
Wherefrom: Local
CVE      : CVE-2008-4101
Original : http://www.rdancer.org/vulnerablevim-K.html

Insufficient sanitization can lead to Vim executing arbitrary commands
when performing keyword or tag lookup.  Ben Schmidt discovered this
vulnerability[1].


2. BACKGROUND

  ``Vim is an almost compatible version of the UNIX editor Vi. Many new
    features have been added: multi-level undo, syntax highlighting,
    command line history, on-line help, spell checking, filename
    completion, block operations, etc.''

    		-- Vim README.txt 

  ``[Normal mode command] K [...] Run a program to lookup the keyword
    under the cursor.  The name of the program is given with the
    'keywordprg' (kp) option (default is "man").''

  		-- Vim Reference Manual (``various.txt'')

  ``[Normal mode command] CTRL-] [...] Jump to the definition of the
    keyword under the cursor.''

  		-- Vim Reference Manual (``tagsrch.txt'')


3. VULNERABILITIES

  ``src/normal.c'':

    5514	    if (cmdchar == '*')
    5515		aux_ptr = (char_u *)(p_magic ? "/.*~[^$\\" : "/^$\\");
    5516	    else if (cmdchar == '#')
    5517		aux_ptr = (char_u *)(p_magic ? "/?.*~[^$\\" : "/?^$\\");
    5518	    else if (cmdchar == 'K' && !kp_help)
--> 5519		aux_ptr = (char_u *)" \t\\\"|!";
    5520	    else
    5521		/* Don't escape spaces and Tabs in a tag with a backslash */
--> 5522		aux_ptr = (char_u *)"\\|\"";
    5523	
    5524	    p = buf + STRLEN(buf);
    5525	    while (n-- > 0)
    5526	    {
    5527		/* put a backslash before \ and some others */
    5528		if (vim_strchr(aux_ptr, *ptr) != NULL)
    5529		    *p++ = '\\';
    5530	#ifdef FEAT_MBYTE
    5531		/* When current byte is a part of multibyte character, copy all bytes
    5532		 * of that character. */
    5533		if (has_mbyte)
    5534		{
    5535		    int i;
    5536		    int len = (*mb_ptr2len)(ptr) - 1;
    5537	
    5538		    for (i = 0; i < len && n >= 1; ++i, --n)
    5539			*p++ = *ptr++;
    5540		}
    5541	#endif
    5542		*p++ = *ptr++;
    5543	    }
    5544	    *p = NUL;
    5545	
    5546	    /*
    5547	     * Execute the command.
    5548	     */
    5549	    if (cmdchar == '*' || cmdchar == '#')
    5550	    {
    5551		if (!g_cmd && (
    5552	#ifdef FEAT_MBYTE
    5553			has_mbyte ? vim_iswordp(mb_prevptr(ml_get_curline(), ptr)) :
    5554	#endif
    5555			vim_iswordc(ptr[-1])))
    5556		    STRCAT(buf, "\\>");
    5557	#ifdef FEAT_CMDHIST
    5558		/* put pattern in search history */
    5559		add_to_history(HIST_SEARCH, buf, TRUE, NUL);
    5560	#endif
    5561		normal_search(cap, cmdchar == '*' ? '/' : '?', buf, 0);
    5562	    }
    5563	    else
--> 5564		do_cmdline_cmd(buf);
  
The variable ``aux_ptr'' contains characters to be escaped.  Line 5519
for the ``K'' command, line 5522 for the ``Control-]'' and ``g]''
commands.  Both values leave out characters that must be escaped.  The
command is assembled, and on line 5564, it is executed as a regular Ex
command.  No special shell escaping is done for the ``K'' command,
although the string is passed to shell for execution.


3.1. Keyword Lookup -- The ``K'' Command

3.1.1. Shell Commands and Ex Commands

Because the string passed to the shell for execution is not sanitized,
it is possible to specify arbitrary shell commands where Vim expects an
argument for the keyword program.  Same applies to arbitrary Ex commands.


3.1.2. Keyword Program Command Line Switches

It is possible to specify command line switches for the keyword program
in place of the argument.  The gravity of this vulnerability depends on
the keyword program selected.  GNU man, the default keyword program in
many installations, supports for example the ``--pager'' option (cf.
the GNU man(1) manual page).  This allows arbitrary command execution.


3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands

Insufficient sanitization of an Ex command argument allows specifying
additional arbitrary Ex commands in place of the argument.


3.3. Unknown Shell/Keyword Program

Because the syntax of the shell that is being used to execute the
commands is not known beforehand, there may be other unknown
vulnerabilities, that are present depending on the shell being used.
Ditto for the man(1) program, and other keyword programs.


4. EXPLOIT

Copy-and-paste these examples into separate files:

    ;xclock
    vim: set iskeyword=;,@

Place your cursor on ``xclock'', and press K.  xclock appears.

    ;date>>pwned
    vim: set iskeyword=1-255

Place your cursor on ``date'' and press K.  File ``pwned'' is created in
the current working directory.

Please note: If modeline processing is disabled, set the 'iskeyword'
option manually.

See the thread on the Vim Developers' mailing list for some other
examples[2].


5. PATCH

A patch that fixes some of the vulnerabilities has been developed[3].

Update: Patch 7.2.010 may fix (some of) the issues.


6. REFERENCES

[1] Ben Schmidt discovered this vulnerability in:
    Message-Id: <48AB91B3.9000709@yahoo.com.au>
    http://groups.google.com/group/vim_dev/msg/6ad2d5b50a96668e

[2] http://groups.google.com/group/vim_dev/browse_thread/thread/1434d0812b5c817e/6ad2d5b50a96668e

[3] Update: Version 3 of the patch
    http://groups.google.com/group/vim_dev/msg/9290f26f9bc11b33

[4] http://ftp.vim.org/pub/vim/patches/7.2/7.2.010


7. COPYRIGHT

This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license.  See the subdirectory ``licenses''.

Various portions of the accompanying code may have been written by
various parties.  Those parties may hold copyright, and those portions
may be copied according to their respective licenses.


8. HISTORY

2008-09-16 CVE reference added (Source: Message-ID:
           <Pine.GSO.4.51.0809152108300.6953@faron.mitre.org>)
2008-09-12 Update: Mention patch 7.2.010
2008-09-12 Update: Link to patch version 3
2008-08-22 Sent to: <bugs@vim.org>, <vim-dev@vim.org> 
	   <full-disclosure@lists.grok.org.uk>,
	   <bugtraq@securityfocus.com>
2008-08-20 Ben Schmidt reported this vulnerability to <vim-dev@vim.org>