Submitted via IRC for SoyCow1944
Linux Command-Line Editors Vulnerable to High-Severity Bug
A bug impacting editors Vim and Neovim could allow a trojan code to escape sandbox mitigations.
A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into opening a specially crafted text file in either editor.
Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neowim [sic]. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution.
“[Outlined is] a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content),” wrote Razmjou in a technical analysis of his research.
[...] “However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left,” according to the PoC report.
Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”
“Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.
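The summary gives the two facts a defender needs: Vim only honours a modeline in the first and last few lines of a file (five by default), and the dangerous form in CVE-2019-12735 is a :source! command placed in such a modeline, sometimes hidden behind terminal escape sequences so that plain cat does not show it. The script below is an added example, not code from the article or from Razmjou's PoC: it scans that head/tail window of a file for a Vim modeline prefix and flags lines that carry a :source! (or its :so! abbreviation) or a raw ESC byte. The sample file, the window size and the finding format are assumptions made for the example; the check is a triage heuristic, not a parser of Vim's full modeline grammar.

```python
import re
import sys
from typing import Dict, List

# Vim inspects the first and last 'modelines' lines of a file (default 5).
MODELINES = 5

# Modeline prefix per :help modeline: vi:, vim:, Vim:, ex:, optionally with a
# version constraint such as vim<800:, preceded by start of line or whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im|ex)(?:[<>=]?\d+)?:")

# :source! and every abbreviation Vim accepts for it (:so! ... :source!).
SOURCE_BANG_RE = re.compile(r"\bso(?:u(?:r(?:c(?:e)?)?)?)?!")

# ESC introduces the terminal escape sequences the PoC used to hide the
# modeline from a plain `cat` (cat -v would show them).
ESC = "\x1b"


def scan_lines(lines: List[str], modelines: int = MODELINES) -> List[Dict]:
    """Return one finding per suspicious line inside Vim's modeline window."""
    n = len(lines)
    window = sorted(set(range(min(modelines, n))) | set(range(max(0, n - modelines), n)))
    findings = []
    for idx in window:
        line = lines[idx]
        reasons = []
        if ESC in line:
            reasons.append("escape_sequence")
        if MODELINE_RE.search(line) and SOURCE_BANG_RE.search(line):
            reasons.append("source_bang")
        if reasons:
            findings.append({"line": idx + 1, "reasons": reasons, "text": line.rstrip("\n")})
    return findings


def scan_file(path: str) -> List[Dict]:
    """Scan a file on disk; undecodable bytes are replaced, not fatal."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.readlines())


# Constructed sample (not a real file): one benign modeline, one line hidden
# behind an escape sequence, and one modeline carrying :source! with a
# placeholder path. Only the last two should be reported.
SAMPLE = [
    "# Constructed sample: a benign modeline is not flagged\n",
    "# vim: set ts=4 sw=4 et :\n",
    "some ordinary text\n",
    "more ordinary text\n",
    ESC + "[?7lhidden by an escape sequence\n",
    "last line vim: set nomodeline: source! /tmp/PLACEHOLDER.vim\n",
]

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE)
    for f in results:
        print(f"line {f['line']}: {', '.join(f['reasons'])}: {f['text']!r}")
```

Run it as `python scan_modelines.py suspicious.txt` to check a file before opening it in an unpatched editor, or with no argument to see the constructed sample reported. A hit is a reason to inspect the file with `cat -v`, not proof of an exploit; the durable fix remains patching and the `set nomodeline` vimrc setting the article quotes.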
(Score: 3, Interesting) by Acabatag on Thursday June 13 2019, @03:14AM (2 children)
The vi command is available on the BSD OSes, and can be used instead of derivatives. vi on OpenBSD is a 374K executable. I'm not sure why it needs to be that big. Actually, top says it's resident in 2,432K of memory. Yikes. Isn't that the sort of thing emacs used to be accused of?
Does anybody know what size the vi binary on the PDP-11 is?
(Score: 2) by coolgopher on Thursday June 13 2019, @06:27AM
Are you sure the vi on BSD isn't nvi? At least it used to be on FreeBSD.
(Score: 2) by FatPhil on Thursday June 13 2019, @07:07AM
Of course, busybox has a minimal vi, you could try that if you want compact.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves