[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <141682862.1082961224161815369.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Thu, 16 Oct 2008 08:56:55 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: coley <coley@...re.org>
Cc: Jan Minář <rdancer@...ncer.org>,
", \"oss-security" <oss-security@...ts.openwall.com>
Subject: CVE request - Vim netrw.plugin
Hello Steve,
summarizing till today known information about the Vim netrw.vim
plugin issues.
1. issue:
=========
* Original advisories: http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
* CVE id: CVE-2008-3076 already used in rPath advisory
http://www.openwall.com/lists/oss-security/2008/07/10/7
* Testcases: netrw.v2 (the 'mz' command issue)
netrw.v3 (the 'mc' command issue)
netrw.v4 (the "D' command issue)
* Steps to reproduce:
1, The 'mz' command (testcase netrw.v2)
a, Open directory containing a file with malicious name
b, Point the cursor to line with this file
c, In Vim shell type ":normal mfmz" (selects this file to be compressed/decompressed)
d, Close Vim ":q"
Result: In vulnerable Vim versions file isn't (de)compressed and "pwned" file is
created.
Affected Vim versions: Vim 7.2alpha+
Not affected Vim versions:
-- Vim 7.0, 7.1 affected only in case you manually reinstall
older version of netrw.vim via vimball.
manually reinstall older (vul
-- Vim 6.0 not affected (netrw.vim not shipped there).
Affected netrw.vim plugin versions: 111 <= x <= 123
Proposed solution: Should stay as a part of CVE-2008-3076.
2, The 'mc' command (testcase netrw.v3)
a, Open directory containing a file with malicious name
b, Select some directory as move/copy target (moving via ../)
c, Mark this directory as move/copy target, i.e in Vim
shell perform command ":normal mfmt"
(new line containing "Copy/Move Tgt: selected_directory"
should appear)
d, In Vim return to directory containing file with malicious
filename
e, Point the cursor to line containing this filename
f, In Vim perform copy command, i.e. in Vim shell
"normal mfmc"
g, Close Vim ":q"
Result: Vulnerable Vim and netrw.vim versions don't copy the file,
"pwned" file is created.
Affected Vim versions: Vim 7.2alpha+
Not affected Vim versions:
-- Vim 7.0, Vim 7.1 affected only in case you manually reinstall
older version of netrv.vim via vimball.
-- Vim 6.0 not affected (netrw.vim not shipped there).
Affected netrw.vim plugin versions: 113 <= x <= 122
Proposed solution: Should stay as a part of CVE-2008-3076.
3, The 'D' command (testcase netrw.v4)
a, Open directory containing a file with malicious name
b, Point the cursor to the "executable' part of the
filename (i.e. "eval `echo 0:64617465203e3e2070776e6564 | xxd -r`)
c, Press the 'D' key
d, Confirm the deletion request with 'y'.
e, Close Vim ":q"
Result: Vulnerable Vim and netrw.vim versions don't delete the file,
"pwned" file is created.
Affected Vim versions: Vim 7.0, Vim 7.1 (affected every time,
no manual reinstallation of older netrw.vim
plugin needed).
Not affected Vim versions:
-- Vim.6.0 (netrw.vim not shipped there).
-- Vim 7.2 (already fixed).
Affected vim.netrw plugin versions: 102 <= x <= 123
Proposed solution: Should be split into a new CVE id (and possibly
merged with netrw.v5 issue as it affects Vim 7.0,
Vim 7.1 and is fixed in Vim 7.2 as the netrw.v5 issue).
* Action: Formulate CVE-2008-3076 as covering the 'mz' and 'mc' command issues.
Merge the 'D' command issue with new CVE id allocated to netrw.v5
issue (as both of these issues affect Vim 7.0, 7.1 and are already
fixed in Vim 7.2).
* References: http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
2. issue:
=========
* Original advisory: http://www.rdancer.org/vulnerablevim-netrw.v5.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html (the 'D' command part)
* CVE id: Still needs a new CVE id
* Testcase: netrw.v5
* Affected Vim versions: Vim 7.0, Vim 7.1
Not affected Vim versions:
-- Vim 6.0 (netrw.vim not shipped there)
-- Vim 7.2 (already fixed)
* Action: Allocate a new CVE id, merge the description with the 'D' command issue
from the CVE-2008-3076 issue.
* References: http://www.rdancer.org/vulnerablevim-netrw.v5.html
3. issue:
=========
* Original advisory: http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
* CVE id: Still needs a new CVE id
* Testcase: Available in original advisory, part "4. EXPLOIT"
* Affected Vim versions: Vim 7.1, Vim 7.2
Affected vim.netrw versions: <= 131
* Thread disccusing this issue: http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6
* Proposed patch: http://mysite.verizon.net/astronaut/vim/index.html#NETRW
* Action: Allocate a new CVE id describing this issue.
* References: http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
Other netrw issues:
==================
CVE-2008-3432 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432
Affects: Vim 6.2, 6.3 (others not affected)
Hope has answered questions from: http://www.openwall.com/lists/oss-security/2008/08/01/1
Steve, could you please: 1, join netrw 'mz' and 'mc' commnad issues under CVE-2008-3076,
2, allocate a new CVE id and merge the 'D' command issue and
netrw.v5 issue under this new CVE (as these two both affect
Vim 7.0 and 7.1) and
3, allocate a new CVE id for the Vim netrw: FTP user credentials
disclosure issue?
Jan, your comments are appreciated.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
