[Full-Disclosure] Some vim problems, yet still vim much better than windows

From: Georgi Guninski (guninski@guninski.com)
Date: 12/12/02

From: guninski@guninski.com (Georgi Guninski)
Date: Thu, 12 Dec 2002 21:59:43 +0200

Georgi Guninski security advisory #59, 2002

Some vim problems, yet still vim much better than windows

Systems affected:
probably default install of vim6.0/6.1 on real OSes, windows may also be
affected, have not tested personally
Debian 3.0 & Redhat 8.0 confirmed vulnerable
According to Solar Designer:
How about a "not vulnerable", for Openwall GNU/*/Linux? :-)

Risk: medium
Date: 12 December 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
Anything in this document may change without notice.

The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Opening a specially crafted text file with vim can execute arbitrary shell
commands and pass parameters to them.
Some exploit scenarios include mail user agents which use vim as editor
(mutt) or examining log files with vim. The malicous text should be near
the begining or the end of the file which mitigates the risk.

The problem are so called modelines, which can execute some commands in
vim, though they are intended to be sandboxed.

Consider the following file (may be wrapped):
/* vim:set foldmethod=expr: */
/* vim:set
foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */

vim better than windoze


Put the following in your ~/.vimrc or better in a system wide config file:

set modelines=0

It disables modelines without breaking significant functionality - there is
no compatibility in this stuff between vim and emacs anyway.

Even when/if vim is fixed, I strongly recommend keeping this solution to
prevent from similar exploits in the future. Scripting sux - check windows

Emacs addicts are recommended to disable local variables which may pose
similar threat by putting the following in ~/.emacs

;; disable local variables
(setq enable-local-variables nil)

Vendor status:
vim.org and some vendors were notified on Mon, 25 Nov 2002

"Daddy, why are we hiding?"
"We use vi, son. They use emacs."

Anyway, this was written in vim :)

Georgi Guninski

Relevant Pages

  • Re: Great SWT Program
    ... using computers was with Windows. ... Moving the cursor can be done in a number of ways (arrow keys plus ... But vim does. ...
  • Re: Im absolutely stuck!!
    ... I use vim for quick edits from the commandline, ... and moved via Brief to Windows GUIs -- I ... never occur to me to use vi as a programming editor, ... I'm curious as to what you see as a "lack of productivity". ...
  • Re: Hello to Perl World
    ... I dont think VIM or VI is available with me.... ... On 11/21/06, Derek B. Smith ... I know Perl docs are free via ... environment on Windows. ...
  • Re: Ruby Tool Survey
    ... manage multiple tabs than multiple windows in Vim. ... remember which session is which. ...
  • Re: [slrn] How to collapse the tree in articles window?
    ... The vim installer actually did a good job in Windows. ... command window anywhere in Windows and give the command "vim ... I just cannot stand that white background with black text in gvim. ...