Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 15 Oct 2008 06:12:38 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: coley@...re.org
Cc: oss-security@...ts.openwall.com,
        Jan Minář <rdancer@...ncer.org>
Subject: Vim CVE issues cleanup (plugins tar.vim, zip.vim) - CVE-2008-3074
 and CVE-2008-3075

Hello Steve and Jan,


  got time to dive deeply into these issues and attempting to 
summarize all the information about them known till today,
in order to clear specification of CVE-2008-3074 and CVE-2008-3075
to be able to reference them in our advisories.

Tar.vim plugin issues:

Original advisory:  http://www.rdancer.org/vulnerablevim-shellescape.html

Part 1 -- TAR Observations:
===========================

* Jan Minar says: Version  : >= 7.2a.013; < 7.2b.005; tested with 7.2b
                            The shellescape() function added by patch 7.0.111.
* Patch 7.0.111: http://www.mail-archive.com/vim-dev@vim.org/msg02313.html

* Vulnerability (from vulnerablevim-shellescape.html)

   3. Vulnerability

   shellescape() does not escape all special items.  In particular,
   shellescape() does not escape the ``!'' character.

   4. Exploit -- Proof of Concept

  To show that this vulnerability can be exploited, we have updated our
  ``tar.vim'' exploit.   Run ``make test'' in the ``tarplugin.v2''
  directory.

* Testcases for this issue (from Vim testsuite) (self research):

  -- shellescape (from Makefile - rdancer's exploit of the Vim 7.2b shellescape vuln)
  -- tarplugin.v2 (from Makefile - rdancer's exploit of the Vim shellescape() vuln)
  -- tarplugin (from Makefile -- rdancer's exploit of the vim 7.1 tar plugin)
  -- tarplugin.updated (from Makefile - rdancer's exploit of the vim 7.1 tar plugin)


   Differences between Makefiles in particular testcases:

   tarplugin vs tarplugin.v2:

    24c22
    < TARBALL_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).tar"
    ---
    > TARBALL_NAME = "sploit/$(INITIAL);eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;: $(FINAL).tar"

    and Vim debug options added:

    40a39,42
    > # For the test target -- Non-interactive run
    > VIM_TEST_OPTIONS = ${VIM_OPTIONS} +:'exe "norm \<CR>"' +:qa
    > # For the debug target -- Add breakpoints
    > VIM_DEBUG_OPTIONS = +':breakadd func 38 tar\#Read' ${VIM_TEST_OPTIONS}
    62a65,69

    tarplugin vs tarplugin.updated:

    c24
    < TARBALL_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).tar"
    ---
    > TARBALL_NAME = "sploit/$(INITIAL)%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'$(FINAL).tar"

* Your questions in  http://www.openwall.com/lists/oss-security/2008/08/01/1 :

    Report TAR-1

    rdancer says "shellescape() does not escape all special items"
    specifically the "!" character

    - http://www.rdancer.org/vulnerablevim-shellescape.html

    - 7.2a.013 and other versions before 7.2b.005

    - mentions tar.vim (tarplugin)

    - test case: tarplugin.v2

  - Report TAR-2

     Tomas Hoger says affects 7.0 and 7.1:

     http://www.openwall.com/lists/oss-security/2008/07/15/2

  - Report TAR-3

     assignment of CVE-2008-3074 to "tarplugin"

         http://www.openwall.com/lists/oss-security/2008/07/10/7

         - already used by rPath in advisory

  - Report TAR-4

     rdancer tar.vim issue

           http://www.rdancer.org/vulnerablevim.html

  - Report TAR-5

    rdancer says tar.vim test was omitted from Makefile

        http://www.openwall.com/lists/oss-security/2008/07/13/1

   1) Are TAR-1, TAR-2, TAR-3, and TAR-4 all talking about the same
      issue?  If not - which ones are the same?

   2) Since tar.vim doesn't affect 6.x, it should stay SPLIT from
      CVE-2008-2712.

* Affected Vim versions: Vim 7.0, tar.vim v.10 (from Jul 24,2006) <= x < Vim 7.2, tar.vim v.23 (from Aug 08, 2008)
                         Vim 6.0 DOES NOT include tar.vim plugin.
                         (based on self testing)

Part 2 -- TAR Conclusions:
==========================

  The testcase to find out if Vim is vulnerable to the
  shellescape vulnerability is in 'shellescape'. The proof
  this issue can be exploited is in 'tarplugin.v2'. (Report TAR-1)
  Rdancer has originally claimed, this issue affects only Vim
  (>= 7.2a.013; < 7.2b.005;), But 'tarplugin.v2' testcase
  run proofs it affects also Vim 7.0 and Vim 7.1. (Report TAR-2)
  We should probably use CVE-2008-3074 when referencing to
  these issues (Report TAR-3).
  Report TAR-4 issue is covered by 'tarplugin' testcase
  (the same issue).
  Report TAR-5 - only top-most Makefile change.

Replies to your questions: 1, TAR-1, TAR-2, TAR-3 and TAR-4 are talking about the same issue.
                              The 'only' slight difference between them is the provided
                              "TARBALL_NAME" to the testcase.

                           2, This issue should be definitely split from CVE-2008-2712 -- reasons:
                              a, it does not affect Vim 6.0,
                              b, CVE-2008-2712 has no mention about tar.vim plugin
                              c, we should use already assigned CVE-2008-3074 for this 
                                 issue (as it was already used in the rPath advisory).
                              d, See also part "Proposed description for CVE-2008-3074".


Part 3 -- ZIP Observations:
===========================

* Original advisory: http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim)
* Testcases: zipplugin
             zipplugin.v2

  Difference between Makefiles:

    a, different name used for the zip archive

    24c24,25
    < ARCHIVE_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).zip"
    ---
    > ARCHIVE_NAME = "sploit/$(INITIAL)|call system(\"eval eval \`echo 0:64617465203e3e2070776e6564 | xxd -r\`\")|$(FINAL).zip"

    b, Different "# Compile the exploit\n# The ar\n.PHONY: sploit\nsploit: exploit.vim plugin" part

* Relation between zip.vim and zipPlugin.vim (zipplugin mentioned in bullet (2) of CVE-2008-2172)

  /usr/share/vim/vim71/plugin/zipPlugin.vim "only" calls zip functions (zipBrowse, zipRead, zipWrite etc.)
  defined in /usr/share/vim/vim71/autoload/zip.vim


* Your questions in http://www.openwall.com/lists/oss-security/2008/08/01/1 related to ZIP plugin:

  zip.vim

  - Report ZIP-1

    rdancer says "zip.vim" as well as "zipPlugin.vim"

    - http://www.rdancer.org/vulnerablevim.html

	- Vim 7.1.298 and 6.4

	- *part* of the advisory used CVE-2008-2712, but CVE-2008-2712
       didn't include it

  - Report ZIP-2

    Tomas Hoger suggests "still unfixed"

	   http://www.openwall.com/lists/oss-security/2008/07/10/7

    - CVE-2008-3075 assigned; used by rPath

	- since CVE-2008-2712 issues were fixed and zip.vim remains
      unfixed, a SPLIT from CVE-2008-2712 is reasonable

  - Report ZIP-3

    Tomas Hoger says "only 7.0 and 7.1" affected

	  http://www.openwall.com/lists/oss-security/2008/07/15/2

  - Report ZIP-4

    rdancer says zip "has not been fixed as of Vim 7.2a.19/zip.vim
    v19"

	  http://www.openwall.com/lists/oss-security/2008/07/13/1

  - Report ZIP-5

    CVE-2008-2712 bullet (2) mentions zipplugin based on same advisory
    as ZIP-1:

	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712


    1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same
       issue?

    2) What differences, if any, are there in zip.vim and zipplugin.vim?

    3) Given the varying results for TAR-1 through TAR-4, should zip.vim
       be split from the tar issues?  What about zipplugin.vim?

    4) It might be reasonable to remove item (2) from CVE-2008-2712.

* Affected Vim versions: Vim 7.0, zip.vim v.11 (from Jul 24, 2006) < Vim 7.2, zip.vim v.22 (Jul 30, 2008)
                         Vim 6.0+ DOES NOT include zip.vim plugin.


Part 4 -- ZIP Conclusions:
==========================

  zipPlugin.vim was mentioned in CVE-2008-2712, but zip.vim omitted. zipPlugin.vim
  "only" calls functions (zipWrite, zipRead, zipBrowse) provided by the zip.vim
  plugin. The text of CVE-2008-2712 should be modified -- the bullet (2) -- mention
  about zipplugin should be removed from it, as the issue was fixed only later
  in zip.vim plugin (Report ZIP-1).

  CVE-2008-3075 was used by rPath for this issue (Report ZIP-2).

  According to zipplugin testcases (zipplugin, zipplugin.v2) also Vim 7.0, and
  Vim 7.1 affected by this issue (Report ZIP-3).

  zip.vim v.19 is still vulnerable to this issue. Fixed in version zip.vim v.22
  (see Affected Vim versions). (Report ZIP-4).

  Bullet (2) -- mention about zipplugin should be removed from CVE-2008-2712.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712 (Report ZIP-5).

* Replies to your questions:
  
    1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same issue?

      Reply: Yes, these all are clones of the same issue.

   2) What differences, if any, are there in zip.vim and zipplugin.vim?

      Reply: zip.vim defines the functions (zipBrowse, zipRead, zipWrite),
             zipPlugin.vim "only calls" them.

   3) Given the varying results for TAR-1 through TAR-4, should zip.vim
      be split from the tar issues?  What about zipplugin.vim?

      Reply: The issue in its nature is the same as by TAR plugin
            (inproper sanitization of the '!' character as in the tar
             archives, but projected to zip archives)

Part 5 -- Needed actions:
==========================

  1, Remove bullet (2) -- mention about zipplugin from CVE-2008-2712.
  2, 

     a, either merge TAR, ZIP Vim issues under CVE-2008-3074 and reject CVE-2008-3075.
        This one is the PREFERRED SOLUTION.

     Proposed description of CVE-2008-3074:

     "The shellescape() function in Vim 7.0 through 7.2 does not properly escape
      all special items (in particular the '!' character). This results in  
      untrusted data being insufficiently sanitized, possibly leading to
      arbitrary code execution as demonstrated on VIM TAR plugin
      (tar.vim) from v.10 through v.22 or VIM ZIP plugin (zip.vim) from version v.11 
      through v.21."

     References:

       http://www.rdancer.org/vulnerablevim-shellescape.html
       http://www.openwall.com/lists/oss-security/2008/08/01/1
       http://www.openwall.com/lists/oss-security/2008/07/10/7         
       http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim)
 
     b, or modify descriptions of CVE-2008-3074 and CVE-2008-3075.

     Proposed description of CVE-2008-3074:

     "The shellescape() function in Vim 7.0 through 7.2 does not properly escape
      al special items (in particular the '!' character). This results in
      untrusted data being insufficiently sanitized, possibly leading to
      arbitrary code execution as demonstrated on VIM TAR plugin (tar.vim)
      from v.10 through v.22."

     References:

       http://www.rdancer.org/vulnerablevim-shellescape.html
       http://www.openwall.com/lists/oss-security/2008/08/01/1
       http://www.openwall.com/lists/oss-security/2008/07/10/7

  
     Proposed description of CVE-2008-3075:

     "The shellescape() function in Vim 7.0 through 7.2 does not properly escape
      all special items (in particular the '!' character). This results in
      untrusted data being insufficiently sanitized, possibly leading to
      arbitrary code execution as demonstrated on VIM ZIP plugin (zip.vim)
      from v.11 through v.21"

     References:

       http://www.rdancer.org/vulnerablevim-shellescape.html
       http://www.openwall.com/lists/oss-security/2008/08/01/1
       http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim)
 

Jan, any your comments to the above are appreciated.

Thanks, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team
















Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.