Submitted via IRC for SoyCow1944
Linux Command-Line Editors Vulnerable to High-Severity Bug
A bug impacting editors Vim and Neovim could allow trojan code to escape sandbox mitigations.
A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor.
Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neowim [sic]. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution.
“[Outlined is] a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content),” wrote Razmjou in a technical analysis of his research.
[...] “However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left,” according to the PoC report.
Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”
“Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.
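A defender-side check for the pattern the summary describes (added example, not from the article or the researcher's report): it looks for modelines in the first and last five lines of a file, the range Vim inspects by default, and flags any that mention `source!` or carry control characters such as the terminal escapes that hide content from plain `cat`. The names `scan`, `BENIGN` and `SUSPECT` are hypothetical, and the sample bytes are constructed and non-functional.

```python
import re

# Vim checks the first and last 'modelines' lines of a file (default: 5).
MODELINES = 5
# Modeline markers: vi:, vim:, Vim:, ex:, and versioned forms such as vim>700:
MODELINE_RE = re.compile(rb"(?:^|\s)(?:vi|[Vv]im(?:[<=>]?\d+)?|ex):")
# The command named in CVE-2019-12735; tolerate an escaping backslash.
SOURCE_BANG_RE = re.compile(rb"source\\?!")
# C0 control bytes other than tab, plus DEL; ESC (0x1b) starts terminal escapes.
CONTROL_RE = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def scan(data: bytes, window: int = MODELINES):
    """Return [(line_number, [reasons])] for modelines Vim would consider."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # a trailing newline does not start another line
    n = len(lines)
    head = range(min(window, n))
    tail = range(max(n - window, 0), n)
    findings = []
    for i in sorted(set(head) | set(tail)):
        line = lines[i].rstrip(b"\r")  # do not flag CRLF line endings
        if not MODELINE_RE.search(line):
            continue
        reasons = ["modeline"]
        if SOURCE_BANG_RE.search(line):
            reasons.append("source!")
        if CONTROL_RE.search(line):
            reasons.append("control-chars")
        findings.append((i + 1, reasons))
    return findings


# Constructed samples: an ordinary modeline, and a placeholder line that only
# mimics the traits to detect (it is not a working modeline).
BENIGN = b"#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hello\n"
SUSPECT = (b"plain notes\n"
           b"\x1b[8m vim: <constructed placeholder> source! \x1b[0m\n")

if __name__ == "__main__":
    for name, sample in (("BENIGN", BENIGN), ("SUSPECT", SUSPECT)):
        print(name, scan(sample))
```

A hit on `source!` or `control-chars` is a reason to inspect the file with `cat -v` before opening it in an editor that has modelines enabled.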
(Score: 5, Funny) by FatPhil on Wednesday June 12 2019, @11:49PM (6 children)
(Shut up, I've been an emacs user for >30 years, I can say such things.)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday June 12 2019, @11:58PM (2 children)
Came here to say something similar, beaten to the frist piss!
Just about 40 years since I was introduced to emacs... A few years later started using Mince on Z-80 CP/M.
[Mince is not complete emacs]
(Score: 2) by FatPhil on Thursday June 13 2019, @07:04AM (1 child)
Strangely, my first CP/M experience was later, when I hit a terribly underfunded college, and I genuinely don't remember what editor that old 380Z had. I did inherit that machine when they upgraded the computer room, and when it were at home, I wrote my BASIC on my ST, and transferred it to the 380Z using pip or kermit, or xmodem, or something, fuck knows, the built-in editor was so bad. It was at that point I did the course that required emacs on the university's VAX cluster, so I got introduced to the abomination called VMS...
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1, Interesting) by Anonymous Coward on Thursday June 13 2019, @10:54PM
https://en.wikipedia.org/wiki/MINCE
Note that MINCE grew into Perfect Writer (and others) and later was sold to Borland and became the Sprint word processor (with some updates).
We ran MINCE on the Microsoft CP/M card that plugged into the Apple ][ bus. Then later on an S-100 bus dedicated CP/M system.
It was fast, never lost key strokes, a really efficient design given the small amount of processor and memory available.
(Score: 2, Funny) by Anonymous Coward on Thursday June 13 2019, @12:37AM (1 child)
No it won't, it's too big to load.
(Score: 4, Funny) by maxwell demon on Thursday June 13 2019, @08:08AM
Maybe you should finally upgrade your machine to more than 8 megabytes.
(Emacs = Eight Megabytes And Continuously Swapping)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Thursday June 13 2019, @02:45PM
Emacs is a nice operating system, but it could use a better text editor.
(Score: 0, Offtopic) by realDonaldTrump on Thursday June 13 2019, @12:04AM (1 child)
Do you know Passover? It's the celebration of, the Jews painted their doors in blood. So God would know which houses were the Jewish houses. And pass them by, or over. Skipped when He was killing so many baby boys. The Egyptian boys were dying so painfully when God snatched away their lives. Although you have to wonder, how come God needed the blood to know which houses to skip, right?
Anyway, so many of these Hack Attacks are just like that. They only happen to the folks that cheaped out on their cyber. The folks that spent a little more money get passed right over. Why not pamper yourself a little? Buy Microsoft Cyber!!!!
(Score: 2, Insightful) by Anonymous Coward on Thursday June 13 2019, @12:18AM
Microsoft shill identified. Plonk!
(Score: 0, Disagree) by Anonymous Coward on Thursday June 13 2019, @01:06AM (5 children)
I can't tell the difference between vim with all them "modern" flashes and emacs these days. At least emacs comes with a lisp interpreter, and that comes from a career-long emacs hater.
(Score: 4, Funny) by Anonymous Coward on Thursday June 13 2019, @02:56AM (4 children)
The difference is carpal tunnel
(Score: 0) by Anonymous Coward on Thursday June 13 2019, @09:47AM (1 child)
Which one gives you carpet tunnel syndrome?
(Score: 0) by Anonymous Coward on Thursday June 13 2019, @09:14PM
EMACS == Escape-Meta-Alt-Control-Shift
(Score: 2) by srobert on Thursday June 13 2019, @10:23PM (1 child)
Not if you use evil mode. But I still prefer Neovim.
(Score: 2) by hendrikboom on Wednesday June 26 2019, @01:45PM
What's the evil mode?
(Score: 3, Interesting) by Acabatag on Thursday June 13 2019, @03:14AM (2 children)
The vi command is available on the BSD OSes, and can be used instead of derivatives. vi on OpenBSD is a 374K executable. I'm not sure why it needs to be that big. Actually, top says it's resident in 2,432K of memory. Yikes. Isn't that the sort of thing emacs used to be accused of?
Does anybody know what size the vi binary on the PDP-11 is?
(Score: 2) by coolgopher on Thursday June 13 2019, @06:27AM
Are you sure the vi on BSD isn't nvi? At least it used to be on FreeBSD.
(Score: 2) by FatPhil on Thursday June 13 2019, @07:07AM
Of course, busybox has a minimal vi, you could try that if you want compact.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Funny) by DannyB on Thursday June 13 2019, @02:02PM
Think worst case scenario. An exploit on Vim that is so unthinkably awful, I almost dare not mention it. Something that could bring about world destruction on a scale that could only be matched by the release of Windows 11.
Imagine a Vim exploit that caused Vim to have every key bound to a lisp function.
And demanded ransom to change it back.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 1, Interesting) by Anonymous Coward on Thursday June 13 2019, @02:12PM
This vulnerability is not really news. It is in a specific feature of Vim, not enabled by default, which is intended to configure the editor to match the style of the current file. It appears that the big issue is that someone changed the documentation (at least, the Vim wiki) since I last looked and removed the warning to never enable this feature because it's horribly insecure to run arbitrary vim commands from untrusted input.