Date: Wed, 16 Jul 2008 17:41:17 +0100 From: "Jan Minář" <rdancer@...ncer.org> To: "Tomas Hoger" <thoger@...hat.com> Cc: oss-security@...ts.openwall.com, "Jonathan Smith" <smithj@...ethemallocs.com>, coley@...us.mitre.org, "Bram Moolenaar" <Bram@...lenaar.net>, "Charles E Campbell, Jr" <drchip@...pbellfamily.biz> Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10 On Wed, Jul 16, 2008 at 3:42 PM, Tomas Hoger <thoger@...hat.com> wrote: > On Wed, 16 Jul 2008 11:35:01 +0100 "Jan Minář" <rdancer@...ncer.org> >> are versioned and dated, so for example the first version of ftp.vim >> not vulnerable is version 21 of 2008-07-12. Should read ``zip.vim'' of course. >> The overall issue is that up until recently Vim script did not >> provide any means of quoting metacharacters. At the time of the >> first advisory, there were close to a thousand ``execute'' >> statements. > > Based on your research, do you believe that all / most of them can > really be exploited to perform some harmful actions just by user > opening some file with odd file name? Let's see: ``zip.vim'': Version ................ 14 Released ............... 2007-05-08 Lines .................. 373 ``execute'' statements: 11 out of which exploitable 10 Version ................ 21 Released ............... 2008-07-12 Lines .................. 387 ``execute'' statements: 8 out of which exploitable ??? I wasn't joking when I used grep in the first advisory to estimate the size of the problem. >> The particular vulnerabilities detailed in the advisories are >> examples of a more widespread tendency in the Vim code. Should there >> be a separate CVE for the overall issue, alongside CVEs for the >> particular vulnerabilities? > > I'm not aware of any example of such generic umbrella CVE and I believe > "tendency" it not a good candidate for CVE id, as CVE should map to > particular vulnerability. Though there are few special cases / CVEs, > so Steven may correct me in this. What I meant was, all those execute statements and system() calls should be fixed, which means quoting introduced, and until that happens, it doesn't really matter much if the problems with CVEs are fixed, because any script kiddie can just pick one of the places that will not have been fixed, and use one of the existing exploits. But as I said, I know very little about CVE number assignment, and I fully submit to you collective wisdom. Have a nice day, Jan Minar. PS: I have published two more advisories: (1) Vim: Improper Implementation of shellescape()/Arbitrary Code Execution http://www.rdancer.org/vulnerablevim-shellescape.html -- This is two issues: (a) Flawed implementation of shellescape() (not all metacharacters are escaped) (b) Updated still the same tar.vim exploit to use the abovementioned vulnerability (2) Arbitrary code execution in Netrw version 127, Vim 7.2b http://www.rdancer.org/vulnerablevim-netrw.v5.html -- This is new vulnerability, same old pattern: 6 instances of unsanitized execute statemtents The updated testsuite: http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.