Linux Vim and Neovim Editors Vulnerable to High-Severity Bug

posted by janrinok on Wednesday June 12, @11:37PM
from the cue-the-EMACS-laughter dept.
Security Software

upstart writes:

Submitted via IRC for SoyCow1944

Linux Command-Line Editors Vulnerable to High-Severity Bug

A bug impacting editors Vim and Neovim could allow a trojan code to escape sandbox mitigations.

A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor.

Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neowim [sic]. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution.

“[Outlined is] a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content),” wrote Razmjou in a technical analysis of his research.

[...] “However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left,” according to the PoC report.

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”

“Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.

Original Submission
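
A defender-side check for the behaviour the story describes, added here as an example (it is not code from the article, the researcher, or the Vim/Neovim projects): it scans the lines Vim would consider for modelines and flags `source!`, expression-valued options, and control bytes such as terminal escapes. The modeline pattern is an approximation of Vim's grammar, the option list is illustrative rather than exhaustive, and the flag names and sample inputs are constructed.

```python
import re

# Approximation of Vim's modeline prefix (vi:, vim:, Vim:, ex:, vim<version>:).
MODELINE = re.compile(rb"(?:^|\s)(?:vi|[Vv]im(?:[<=>]?\d+)?|ex):")
# :source! is the command the advisory names as the sandbox bypass.
SOURCE_BANG = re.compile(rb"source\\?!")
# Illustrative, non-exhaustive list of options whose value is an expression.
EXPR_OPTION = re.compile(
    rb"\b(?:foldexpr|fde|formatexpr|fex|indentexpr|inde|includeexpr|inex)\s*=")
# Control bytes other than tab, LF, CR; ESC (0x1b) starts terminal sequences.
CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def scan(data: bytes, modelines: int = 5):
    """Return [(line_number, sorted_flags)] for modelines Vim would consider.

    Vim only inspects the first and last 'modelines' lines (default 5),
    so a modeline in the middle of a long file is ignored here as well.
    """
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()                      # drop the empty tail after a final LF
    n = len(lines)
    candidates = set(range(min(modelines, n)))
    candidates |= set(range(max(0, n - modelines), n))
    findings = []
    for i in sorted(candidates):
        match = MODELINE.search(lines[i])
        if not match:
            continue
        body = lines[i][match.end():]
        flags = {"modeline"}
        if SOURCE_BANG.search(body):
            flags.add("source-bang")
        if EXPR_OPTION.search(body):
            flags.add("expr-option")
        if CONTROL.search(lines[i]):     # hidden from plain cat, shown by cat -v
            flags.add("control-chars")
        findings.append((i + 1, sorted(flags)))
    return findings


# Constructed samples; the second is deliberately non-functional.
BENIGN = b"#!/bin/sh\n# vim: set ts=4 sw=4 et :\necho hi\n"
SUSPECT = b"notes\n\x1b[0m vim: set fde=CONSTRUCTED_EXPR(source!) :\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan(sample))
```

A hit is a reason to inspect the file with cat -v before opening it in an unpatched editor, not proof of an exploit.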


  • (Score: 3, Funny) by FatPhil on Wednesday June 12, @11:49PM (1 child)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday June 12, @11:49PM (#854915)
    If you type "emacs" from the command line, *emacs will run*!
    (Shut up, I've been an emacs user for >30 years, I can say such things.)
    --
    If vaccination works, then why doesn't eucharist protect kids against Christianity?

    • (Score: 0) by Anonymous Coward on Wednesday June 12, @11:58PM

      by Anonymous Coward on Wednesday June 12, @11:58PM (#854926)

      Came here to say something similar, beaten to the frist piss!

      Just about 40 years since I was introduced to emacs... A few years later started using Mince on Z-80 CP/M.

      [Mince is not complete emacs]

  • (Score: 2) by realDonaldTrump on Thursday June 13, @12:04AM (1 child)

    by realDonaldTrump (6614) on Thursday June 13, @12:04AM (#854928)

    Do you know Passover? It's the celebration of, the Jews painted their doors in blood. So God would know which houses were the Jewish houses. And pass them by, or over. Skipped when He was killing so many baby boys. The Egyptian boys were dying so painfully when God snatched away their lives. Although you have to wonder, how come God needed the blood to know which houses to skip, right?

    Anyway, so many of these Hack Attacks are just like that. They only happen to the folks that cheaped out on their cyber. The folks that spent a little more money get passed right over. Why not pamper yourself a little? Buy Microsoft Cyber!!!!

    • (Score: 1, Insightful) by Anonymous Coward on Thursday June 13, @12:18AM

      by Anonymous Coward on Thursday June 13, @12:18AM (#854933)

      Microsoft shill identified. Plonk!

