Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Jul 2008 17:41:17 +0100
From: "Jan Minář" <>
To: "Tomas Hoger" <>
	"Jonathan Smith" <>,, 
	"Bram Moolenaar" <>, 
	"Charles E Campbell, Jr" <>
Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

On Wed, Jul 16, 2008 at 3:42 PM, Tomas Hoger <> wrote:
> On Wed, 16 Jul 2008 11:35:01 +0100 "Jan Minář" <>
>> are versioned and dated, so for example the first version of ftp.vim
>> not vulnerable is version 21 of 2008-07-12.

Should read ``zip.vim'' of course.

>> The overall issue is that up until recently Vim  script did not
>> provide any means of quoting metacharacters.  At the time of the
>> first advisory, there were close to a thousand ``execute''
>> statements.
> Based on your research, do you believe that all / most of them can
> really be exploited to perform some harmful actions just by user
> opening some file with odd file name?

Let's see:

Version ................ 14
Released ............... 2007-05-08
Lines .................. 373
``execute'' statements:  11
out of which exploitable 10

Version ................ 21
Released ............... 2008-07-12
Lines .................. 387
``execute'' statements:  8
out of which exploitable ???

I wasn't joking when I used grep in the first advisory to estimate the
size of the problem.

>> The particular vulnerabilities detailed in the advisories are
>> examples of a more widespread tendency in the Vim code. Should there
>> be a separate CVE for the overall issue, alongside CVEs for the
>> particular vulnerabilities?
> I'm not aware of any example of such generic umbrella CVE and I believe
> "tendency" it not a good candidate for CVE id, as CVE should map to
> particular vulnerability.  Though there are few special cases / CVEs,
> so Steven may correct me in this.

What I meant was, all those execute statements and system() calls
should be fixed, which means quoting introduced, and until that
happens, it doesn't really matter much if the problems with CVEs are
fixed, because any script kiddie can just pick one of the places that
will not have been fixed, and use one of the existing exploits.  But
as I said, I know very little about CVE number assignment, and I fully
submit to you collective wisdom.

Have a nice day,
Jan Minar.

PS: I have published two more advisories:

(1) Vim: Improper Implementation of shellescape()/Arbitrary Code Execution
    -- This is two issues:
          (a) Flawed implementation of shellescape() (not all
metacharacters are escaped)
          (b) Updated still the same tar.vim exploit to use the
abovementioned vulnerability

(2) Arbitrary code execution in Netrw version 127, Vim 7.2b
    -- This is new vulnerability, same old pattern: 6 instances of
unsanitized execute statemtents

The updated testsuite:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.