[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 15 Oct 2008 06:12:38 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: coley@...re.org
Cc: oss-security@...ts.openwall.com,
Jan Minář <rdancer@...ncer.org>
Subject: Vim CVE issues cleanup (plugins tar.vim, zip.vim) - CVE-2008-3074
and CVE-2008-3075
Hello Steve and Jan,
got time to dive deeply into these issues and attempting to
summarize all the information about them known till today,
in order to clear specification of CVE-2008-3074 and CVE-2008-3075
to be able to reference them in our advisories.
Tar.vim plugin issues:
Original advisory: http://www.rdancer.org/vulnerablevim-shellescape.html
Part 1 -- TAR Observations:
===========================
* Jan Minar says: Version : >= 7.2a.013; < 7.2b.005; tested with 7.2b
The shellescape() function added by patch 7.0.111.
* Patch 7.0.111: http://www.mail-archive.com/vim-dev@vim.org/msg02313.html
* Vulnerability (from vulnerablevim-shellescape.html)
3. Vulnerability
shellescape() does not escape all special items. In particular,
shellescape() does not escape the ``!'' character.
4. Exploit -- Proof of Concept
To show that this vulnerability can be exploited, we have updated our
``tar.vim'' exploit. Run ``make test'' in the ``tarplugin.v2''
directory.
* Testcases for this issue (from Vim testsuite) (self research):
-- shellescape (from Makefile - rdancer's exploit of the Vim 7.2b shellescape vuln)
-- tarplugin.v2 (from Makefile - rdancer's exploit of the Vim shellescape() vuln)
-- tarplugin (from Makefile -- rdancer's exploit of the vim 7.1 tar plugin)
-- tarplugin.updated (from Makefile - rdancer's exploit of the vim 7.1 tar plugin)
Differences between Makefiles in particular testcases:
tarplugin vs tarplugin.v2:
24c22
< TARBALL_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).tar"
---
> TARBALL_NAME = "sploit/$(INITIAL);eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;: $(FINAL).tar"
and Vim debug options added:
40a39,42
> # For the test target -- Non-interactive run
> VIM_TEST_OPTIONS = ${VIM_OPTIONS} +:'exe "norm \<CR>"' +:qa
> # For the debug target -- Add breakpoints
> VIM_DEBUG_OPTIONS = +':breakadd func 38 tar\#Read' ${VIM_TEST_OPTIONS}
62a65,69
tarplugin vs tarplugin.updated:
c24
< TARBALL_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).tar"
---
> TARBALL_NAME = "sploit/$(INITIAL)%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'$(FINAL).tar"
* Your questions in http://www.openwall.com/lists/oss-security/2008/08/01/1 :
Report TAR-1
rdancer says "shellescape() does not escape all special items"
specifically the "!" character
- http://www.rdancer.org/vulnerablevim-shellescape.html
- 7.2a.013 and other versions before 7.2b.005
- mentions tar.vim (tarplugin)
- test case: tarplugin.v2
- Report TAR-2
Tomas Hoger says affects 7.0 and 7.1:
http://www.openwall.com/lists/oss-security/2008/07/15/2
- Report TAR-3
assignment of CVE-2008-3074 to "tarplugin"
http://www.openwall.com/lists/oss-security/2008/07/10/7
- already used by rPath in advisory
- Report TAR-4
rdancer tar.vim issue
http://www.rdancer.org/vulnerablevim.html
- Report TAR-5
rdancer says tar.vim test was omitted from Makefile
http://www.openwall.com/lists/oss-security/2008/07/13/1
1) Are TAR-1, TAR-2, TAR-3, and TAR-4 all talking about the same
issue? If not - which ones are the same?
2) Since tar.vim doesn't affect 6.x, it should stay SPLIT from
CVE-2008-2712.
* Affected Vim versions: Vim 7.0, tar.vim v.10 (from Jul 24,2006) <= x < Vim 7.2, tar.vim v.23 (from Aug 08, 2008)
Vim 6.0 DOES NOT include tar.vim plugin.
(based on self testing)
Part 2 -- TAR Conclusions:
==========================
The testcase to find out if Vim is vulnerable to the
shellescape vulnerability is in 'shellescape'. The proof
this issue can be exploited is in 'tarplugin.v2'. (Report TAR-1)
Rdancer has originally claimed, this issue affects only Vim
(>= 7.2a.013; < 7.2b.005;), But 'tarplugin.v2' testcase
run proofs it affects also Vim 7.0 and Vim 7.1. (Report TAR-2)
We should probably use CVE-2008-3074 when referencing to
these issues (Report TAR-3).
Report TAR-4 issue is covered by 'tarplugin' testcase
(the same issue).
Report TAR-5 - only top-most Makefile change.
Replies to your questions: 1, TAR-1, TAR-2, TAR-3 and TAR-4 are talking about the same issue.
The 'only' slight difference between them is the provided
"TARBALL_NAME" to the testcase.
2, This issue should be definitely split from CVE-2008-2712 -- reasons:
a, it does not affect Vim 6.0,
b, CVE-2008-2712 has no mention about tar.vim plugin
c, we should use already assigned CVE-2008-3074 for this
issue (as it was already used in the rPath advisory).
d, See also part "Proposed description for CVE-2008-3074".
Part 3 -- ZIP Observations:
===========================
* Original advisory: http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim)
* Testcases: zipplugin
zipplugin.v2
Difference between Makefiles:
a, different name used for the zip archive
24c24,25
< ARCHIVE_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).zip"
---
> ARCHIVE_NAME = "sploit/$(INITIAL)|call system(\"eval eval \`echo 0:64617465203e3e2070776e6564 | xxd -r\`\")|$(FINAL).zip"
b, Different "# Compile the exploit\n# The ar\n.PHONY: sploit\nsploit: exploit.vim plugin" part
* Relation between zip.vim and zipPlugin.vim (zipplugin mentioned in bullet (2) of CVE-2008-2172)
/usr/share/vim/vim71/plugin/zipPlugin.vim "only" calls zip functions (zipBrowse, zipRead, zipWrite etc.)
defined in /usr/share/vim/vim71/autoload/zip.vim
* Your questions in http://www.openwall.com/lists/oss-security/2008/08/01/1 related to ZIP plugin:
zip.vim
- Report ZIP-1
rdancer says "zip.vim" as well as "zipPlugin.vim"
- http://www.rdancer.org/vulnerablevim.html
- Vim 7.1.298 and 6.4
- *part* of the advisory used CVE-2008-2712, but CVE-2008-2712
didn't include it
- Report ZIP-2
Tomas Hoger suggests "still unfixed"
http://www.openwall.com/lists/oss-security/2008/07/10/7
- CVE-2008-3075 assigned; used by rPath
- since CVE-2008-2712 issues were fixed and zip.vim remains
unfixed, a SPLIT from CVE-2008-2712 is reasonable
- Report ZIP-3
Tomas Hoger says "only 7.0 and 7.1" affected
http://www.openwall.com/lists/oss-security/2008/07/15/2
- Report ZIP-4
rdancer says zip "has not been fixed as of Vim 7.2a.19/zip.vim
v19"
http://www.openwall.com/lists/oss-security/2008/07/13/1
- Report ZIP-5
CVE-2008-2712 bullet (2) mentions zipplugin based on same advisory
as ZIP-1:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712
1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same
issue?
2) What differences, if any, are there in zip.vim and zipplugin.vim?
3) Given the varying results for TAR-1 through TAR-4, should zip.vim
be split from the tar issues? What about zipplugin.vim?
4) It might be reasonable to remove item (2) from CVE-2008-2712.
* Affected Vim versions: Vim 7.0, zip.vim v.11 (from Jul 24, 2006) < Vim 7.2, zip.vim v.22 (Jul 30, 2008)
Vim 6.0+ DOES NOT include zip.vim plugin.
Part 4 -- ZIP Conclusions:
==========================
zipPlugin.vim was mentioned in CVE-2008-2712, but zip.vim omitted. zipPlugin.vim
"only" calls functions (zipWrite, zipRead, zipBrowse) provided by the zip.vim
plugin. The text of CVE-2008-2712 should be modified -- the bullet (2) -- mention
about zipplugin should be removed from it, as the issue was fixed only later
in zip.vim plugin (Report ZIP-1).
CVE-2008-3075 was used by rPath for this issue (Report ZIP-2).
According to zipplugin testcases (zipplugin, zipplugin.v2) also Vim 7.0, and
Vim 7.1 affected by this issue (Report ZIP-3).
zip.vim v.19 is still vulnerable to this issue. Fixed in version zip.vim v.22
(see Affected Vim versions). (Report ZIP-4).
Bullet (2) -- mention about zipplugin should be removed from CVE-2008-2712.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712 (Report ZIP-5).
* Replies to your questions:
1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same issue?
Reply: Yes, these all are clones of the same issue.
2) What differences, if any, are there in zip.vim and zipplugin.vim?
Reply: zip.vim defines the functions (zipBrowse, zipRead, zipWrite),
zipPlugin.vim "only calls" them.
3) Given the varying results for TAR-1 through TAR-4, should zip.vim
be split from the tar issues? What about zipplugin.vim?
Reply: The issue in its nature is the same as by TAR plugin
(inproper sanitization of the '!' character as in the tar
archives, but projected to zip archives)
Part 5 -- Needed actions:
==========================
1, Remove bullet (2) -- mention about zipplugin from CVE-2008-2712.
2,
a, either merge TAR, ZIP Vim issues under CVE-2008-3074 and reject CVE-2008-3075.
This one is the PREFERRED SOLUTION.
Proposed description of CVE-2008-3074:
"The shellescape() function in Vim 7.0 through 7.2 does not properly escape
all special items (in particular the '!' character). This results in
untrusted data being insufficiently sanitized, possibly leading to
arbitrary code execution as demonstrated on VIM TAR plugin
(tar.vim) from v.10 through v.22 or VIM ZIP plugin (zip.vim) from version v.11
through v.21."
References:
http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.openwall.com/lists/oss-security/2008/08/01/1
http://www.openwall.com/lists/oss-security/2008/07/10/7
http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim)
b, or modify descriptions of CVE-2008-3074 and CVE-2008-3075.
Proposed description of CVE-2008-3074:
"The shellescape() function in Vim 7.0 through 7.2 does not properly escape
al special items (in particular the '!' character). This results in
untrusted data being insufficiently sanitized, possibly leading to
arbitrary code execution as demonstrated on VIM TAR plugin (tar.vim)
from v.10 through v.22."
References:
http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.openwall.com/lists/oss-security/2008/08/01/1
http://www.openwall.com/lists/oss-security/2008/07/10/7
Proposed description of CVE-2008-3075:
"The shellescape() function in Vim 7.0 through 7.2 does not properly escape
all special items (in particular the '!' character). This results in
untrusted data being insufficiently sanitized, possibly leading to
arbitrary code execution as demonstrated on VIM ZIP plugin (zip.vim)
from v.11 through v.21"
References:
http://www.rdancer.org/vulnerablevim-shellescape.html
http://www.openwall.com/lists/oss-security/2008/08/01/1
http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim)
Jan, any your comments to the above are appreciated.
Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
