VIM statusline Text-Embedded Command Execution Vulnerability

VIM is an enhanced version of the popular programmer's Unix text editor vi. In versions up to and including the current release, 5.7, it is possible for an attacker to embed malicious commands in a normal text file; these commands will be executed when the text file is opened, with the privileges of the user opening the text file. In order for this vulnerability to be exploited, the ability to modify status lines must be turned on (as set in a .vimrc file with the "statusline" or "stl" option). VIM contains a built-in function, system(), which executes shell commands. This function is available from a statusline (stl) command, which can be embedded in a text file. To exploit this vulnerability, a vim command similar to the following can be used:

vim:ls=2:stl=%{system('/tmp/getroot&')}

This command tells vim to display the status line "always" (ls=2) and to set the status line to the output of "/tmp/getroot&". This will execute /tmp/getroot, provided that file exists and is executable by the user running vim; the ampersand causes the command to run as a background process.
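As an added example that is not part of the advisory, the following Python scanner applies vim's own rule for where modelines are honoured (only the first and last few lines of a file, 5 by default) and flags any statusline option whose expression item calls a shell-spawning function, so a defender can sweep shared directories for files carrying the pattern shown above. The regular expressions, the function list and the two embedded sample files are my own constructions.

```python
import re

# A vim modeline: "vim:opt:opt..." or "vim: set opt opt :", also "vi:"/"ex:".
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex):\s*(?:set\s+)?(.*)$")

# A statusline/stl option whose value contains an expression item %{...}.
STL_EXPR_RE = re.compile(r"\b(?:stl|statusline)=([^\s:]*%\{[^}]*\})")

# Functions that spawn a shell from an expression (constructed watch-list).
DANGEROUS_FUNCS = ("system(", "systemlist(")


def find_modelines(text, modelines=5):
    """Return (lineno, options) for modelines in the first and last
    `modelines` lines, which is where vim itself looks (default 5)."""
    lines = text.splitlines()
    n = len(lines)
    candidates = sorted(set(range(min(modelines, n)))
                        | set(range(max(n - modelines, 0), n)))
    found = []
    for i in candidates:
        m = MODELINE_RE.search(lines[i])
        if m:
            found.append((i + 1, m.group(1)))
    return found


def flag_dangerous_modelines(text, modelines=5):
    """Return (lineno, option) for every modeline that sets a statusline
    expression calling a shell-spawning function."""
    hits = []
    for lineno, opts in find_modelines(text, modelines):
        for m in STL_EXPR_RE.finditer(opts):
            if any(f in m.group(1) for f in DANGEROUS_FUNCS):
                hits.append((lineno, m.group(0)))
    return hits


# Constructed samples: a benign file and one carrying the advisory's modeline.
SAMPLE_BENIGN = "# notes\nsome text\nvim:ts=4:sw=4\n"
SAMPLE_MALICIOUS = "\n".join(
    ["line %d of a constructed text file" % i for i in range(1, 8)]
    + ["vim:ls=2:stl=%{system('/tmp/getroot&')}", ""])

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(name, flag_dangerous_modelines(sample))
```

A modeline placed in the middle of a long file is ignored by vim and therefore also by this scanner; raise `modelines` if a site's .vimrc sets a larger value.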

Copyright 2010, SecurityFocus