posted by janrinok on Wednesday June 12 2019, @11:37PM   Printer-friendly
from the cue-the-EMACS-laughter dept.

Submitted via IRC for SoyCow1944

Linux Command-Line Editors Vulnerable to High-Severity Bug

A bug impacting editors Vim and Neovim could allow trojan code to escape sandbox mitigations.

A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor.

Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neowim [sic]. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution.

“[Outlined is] a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content),” wrote Razmjou in a technical analysis of his research.

[...] “However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left,” according to the PoC report.

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”

“Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.
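
An added example, not part of the original article or the researcher's report: a small Python audit that flags modelines worth inspecting before a file is opened, namely those that set the expression options modelineexpr governs, mention source, or carry control bytes that cat -v would reveal. The modeline regex is a simplified approximation of Vim's parser, and the function name and sample bytes are constructed for illustration.

```python
import re

# Expression-valued options governed by 'modelineexpr' (long and short names).
EXPR_OPTS = {b"foldexpr", b"fde", b"formatexpr", b"fex", b"includeexpr", b"inex",
             b"indentexpr", b"inde", b"statusline", b"stl", b"foldtext", b"fdt"}
# Simplified approximation of Vim's modeline prefix (vi:, vim:, Vim:, ex:, vim>=800:).
MODELINE = re.compile(rb"(?:^|\s)(?:vi|[vV]im|ex)(?:[<=>]{0,2}\d+)?:\s*(.*)$")
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")  # bytes cat -v would show as ^X

# Constructed samples (inert placeholders, not taken from the PoC).
SAMPLE_BENIGN = b"#!/bin/sh\necho hi\n# vim: set ts=4 sw=4 et:\n"
SAMPLE_SUSPECT = b"notes\n\x1b[0m# vim: fdm=expr:fde=PLACEHOLDER:fdl=0\x1b[0m\n"


def audit_modelines(data: bytes, window: int = 5):
    """Return [(line_no, [reasons])] for risky modelines in the first/last
    `window` lines (Vim's default 'modelines' value is 5)."""
    lines = [l.rstrip(b"\r") for l in data.split(b"\n")]
    idxs = sorted(set(range(min(window, len(lines)))) |
                  set(range(max(0, len(lines) - window), len(lines))))
    findings = []
    for i in idxs:
        m = MODELINE.search(lines[i])
        if not m:
            continue
        reasons = []
        # Split on unescaped ':' or whitespace; the option name precedes '='.
        for tok in re.split(rb"(?<!\\)[:\s]+", m.group(1)):
            name = tok.split(b"=", 1)[0]
            if name in EXPR_OPTS:
                reasons.append("expr-option:" + name.decode())
        if b"source" in m.group(1):
            reasons.append("source-command")
        if CONTROL.search(lines[i]):
            reasons.append("control-bytes")
        if reasons:
            findings.append((i + 1, reasons))
    return findings


if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, audit_modelines(blob))
```

A finding is a prompt to inspect the file with cat -v, not proof of malice; patching and set nomodeline remain the actual fix.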


  • (Score: 0) by Anonymous Coward on Wednesday June 12 2019, @11:58PM (2 children)

    by Anonymous Coward on Wednesday June 12 2019, @11:58PM (#854926)

    Came here to say something similar, beaten to the frist piss!

    Just about 40 years since I was introduced to emacs... A few years later started using Mince on Z-80 CP/M.

    [Mince is not complete emacs]

  • (Score: 2) by FatPhil on Thursday June 13 2019, @07:04AM (1 child)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday June 13 2019, @07:04AM (#855024) Homepage
    Yeah, my first emacs experience was not the real thing, it was uEmacs on the Atari ST, which would push me up to ~35 years. I've not heard of Mince. Many of the lightweight editors I use nowadays (mostly zile, but occasionally jed and qemacs) are emacs-alikes. I'm perfectly happy in vi, but I've found that different implementations have enough differences I always end up relying on just the simplest things that everything supports, and that makes it a bit of a drag. Cursor keys not working (multicharacter sequences starting with an escape character kinda fucks things up right royally in a modal editor like vi, which uses ESC to change mode) is the killer feature for me, by which I mean it just kills any enjoyment I have of using the program.

    Strangely, my first CP/M experience was later, when I hit a terribly underfunded college, and I genuinely don't remember what editor that old 380Z had. I did inherit that machine when they upgraded the computer room, and when it were at home, I wrote my BASIC on my ST, and transferred it to the 380Z using pip or kermit, or xmodem, or something, fuck knows, the built-in editor was so bad. It was at that point I did the course that required emacs on the university's VAX cluster, so I got introduced to the abomination called VMS...
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 1, Interesting) by Anonymous Coward on Thursday June 13 2019, @10:54PM

      by Anonymous Coward on Thursday June 13 2019, @10:54PM (#855337)

      https://en.wikipedia.org/wiki/MINCE [wikipedia.org]

      Note that MINCE grew into Perfect Writer (and others) and later was sold to Borland and became the Sprint word processor (with some updates).

      We ran MINCE on the Microsoft CP/M card that plugged into the Apple ][ bus. Then later on an S-100 bus dedicated CP/M system.

      It was fast, never lost key strokes, a really efficient design given the small amount of processor and memory available.