Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <6edf76c20807160941i7aac7881v9fe4546ca738c2d7@mail.gmail.com>
Date: Wed, 16 Jul 2008 17:41:17 +0100
From: "Jan Minář" <rdancer@...ncer.org>
To: "Tomas Hoger" <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com, 
	"Jonathan Smith" <smithj@...ethemallocs.com>, coley@...us.mitre.org, 
	"Bram Moolenaar" <Bram@...lenaar.net>, 
	"Charles E Campbell, Jr" <drchip@...pbellfamily.biz>
Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

On Wed, Jul 16, 2008 at 3:42 PM, Tomas Hoger <thoger@...hat.com> wrote:
> On Wed, 16 Jul 2008 11:35:01 +0100 "Jan Minář" <rdancer@...ncer.org>
>> are versioned and dated, so for example the first version of ftp.vim
>> not vulnerable is version 21 of 2008-07-12.

Should read ``zip.vim'' of course.

>> The overall issue is that up until recently Vim  script did not
>> provide any means of quoting metacharacters.  At the time of the
>> first advisory, there were close to a thousand ``execute''
>> statements.
>
> Based on your research, do you believe that all / most of them can
> really be exploited to perform some harmful actions just by user
> opening some file with odd file name?

Let's see:

``zip.vim'':
Version ................ 14
Released ............... 2007-05-08
Lines .................. 373
``execute'' statements:  11
out of which exploitable 10

Version ................ 21
Released ............... 2008-07-12
Lines .................. 387
``execute'' statements:  8
out of which exploitable ???

I wasn't joking when I used grep in the first advisory to estimate the
size of the problem.

>> The particular vulnerabilities detailed in the advisories are
>> examples of a more widespread tendency in the Vim code. Should there
>> be a separate CVE for the overall issue, alongside CVEs for the
>> particular vulnerabilities?
>
> I'm not aware of any example of such generic umbrella CVE and I believe
> "tendency" it not a good candidate for CVE id, as CVE should map to
> particular vulnerability.  Though there are few special cases / CVEs,
> so Steven may correct me in this.

What I meant was, all those execute statements and system() calls
should be fixed, which means quoting introduced, and until that
happens, it doesn't really matter much if the problems with CVEs are
fixed, because any script kiddie can just pick one of the places that
will not have been fixed, and use one of the existing exploits.  But
as I said, I know very little about CVE number assignment, and I fully
submit to you collective wisdom.

Have a nice day,
Jan Minar.

PS: I have published two more advisories:

(1) Vim: Improper Implementation of shellescape()/Arbitrary Code Execution
    http://www.rdancer.org/vulnerablevim-shellescape.html
    -- This is two issues:
          (a) Flawed implementation of shellescape() (not all
metacharacters are escaped)
          (b) Updated still the same tar.vim exploit to use the
abovementioned vulnerability

(2) Arbitrary code execution in Netrw version 127, Vim 7.2b
    http://www.rdancer.org/vulnerablevim-netrw.v5.html
    -- This is new vulnerability, same old pattern: 6 instances of
unsanitized execute statemtents

The updated testsuite:
http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.