|
Message-ID: <254001047.727621224065558577.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Date: Wed, 15 Oct 2008 06:12:38 -0400 (EDT) From: Jan Lieskovsky <jlieskov@...hat.com> To: coley@...re.org Cc: oss-security@...ts.openwall.com, Jan Minář <rdancer@...ncer.org> Subject: Vim CVE issues cleanup (plugins tar.vim, zip.vim) - CVE-2008-3074 and CVE-2008-3075 Hello Steve and Jan, got time to dive deeply into these issues and attempting to summarize all the information about them known till today, in order to clear specification of CVE-2008-3074 and CVE-2008-3075 to be able to reference them in our advisories. Tar.vim plugin issues: Original advisory: http://www.rdancer.org/vulnerablevim-shellescape.html Part 1 -- TAR Observations: =========================== * Jan Minar says: Version : >= 7.2a.013; < 7.2b.005; tested with 7.2b The shellescape() function added by patch 7.0.111. * Patch 7.0.111: http://www.mail-archive.com/vim-dev@vim.org/msg02313.html * Vulnerability (from vulnerablevim-shellescape.html) 3. Vulnerability shellescape() does not escape all special items. In particular, shellescape() does not escape the ``!'' character. 4. Exploit -- Proof of Concept To show that this vulnerability can be exploited, we have updated our ``tar.vim'' exploit. Run ``make test'' in the ``tarplugin.v2'' directory. * Testcases for this issue (from Vim testsuite) (self research): -- shellescape (from Makefile - rdancer's exploit of the Vim 7.2b shellescape vuln) -- tarplugin.v2 (from Makefile - rdancer's exploit of the Vim shellescape() vuln) -- tarplugin (from Makefile -- rdancer's exploit of the vim 7.1 tar plugin) -- tarplugin.updated (from Makefile - rdancer's exploit of the vim 7.1 tar plugin) Differences between Makefiles in particular testcases: tarplugin vs tarplugin.v2: 24c22 < TARBALL_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).tar" --- > TARBALL_NAME = "sploit/$(INITIAL);eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;: $(FINAL).tar" and Vim debug options added: 40a39,42 > # For the test target -- Non-interactive run > VIM_TEST_OPTIONS = ${VIM_OPTIONS} +:'exe "norm \<CR>"' +:qa > # For the debug target -- Add breakpoints > VIM_DEBUG_OPTIONS = +':breakadd func 38 tar\#Read' ${VIM_TEST_OPTIONS} 62a65,69 tarplugin vs tarplugin.updated: c24 < TARBALL_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).tar" --- > TARBALL_NAME = "sploit/$(INITIAL)%;eval eval \`echo 0:64617465203e2070776e6564 | xxd -r\`;'$(FINAL).tar" * Your questions in http://www.openwall.com/lists/oss-security/2008/08/01/1 : Report TAR-1 rdancer says "shellescape() does not escape all special items" specifically the "!" character - http://www.rdancer.org/vulnerablevim-shellescape.html - 7.2a.013 and other versions before 7.2b.005 - mentions tar.vim (tarplugin) - test case: tarplugin.v2 - Report TAR-2 Tomas Hoger says affects 7.0 and 7.1: http://www.openwall.com/lists/oss-security/2008/07/15/2 - Report TAR-3 assignment of CVE-2008-3074 to "tarplugin" http://www.openwall.com/lists/oss-security/2008/07/10/7 - already used by rPath in advisory - Report TAR-4 rdancer tar.vim issue http://www.rdancer.org/vulnerablevim.html - Report TAR-5 rdancer says tar.vim test was omitted from Makefile http://www.openwall.com/lists/oss-security/2008/07/13/1 1) Are TAR-1, TAR-2, TAR-3, and TAR-4 all talking about the same issue? If not - which ones are the same? 2) Since tar.vim doesn't affect 6.x, it should stay SPLIT from CVE-2008-2712. * Affected Vim versions: Vim 7.0, tar.vim v.10 (from Jul 24,2006) <= x < Vim 7.2, tar.vim v.23 (from Aug 08, 2008) Vim 6.0 DOES NOT include tar.vim plugin. (based on self testing) Part 2 -- TAR Conclusions: ========================== The testcase to find out if Vim is vulnerable to the shellescape vulnerability is in 'shellescape'. The proof this issue can be exploited is in 'tarplugin.v2'. (Report TAR-1) Rdancer has originally claimed, this issue affects only Vim (>= 7.2a.013; < 7.2b.005;), But 'tarplugin.v2' testcase run proofs it affects also Vim 7.0 and Vim 7.1. (Report TAR-2) We should probably use CVE-2008-3074 when referencing to these issues (Report TAR-3). Report TAR-4 issue is covered by 'tarplugin' testcase (the same issue). Report TAR-5 - only top-most Makefile change. Replies to your questions: 1, TAR-1, TAR-2, TAR-3 and TAR-4 are talking about the same issue. The 'only' slight difference between them is the provided "TARBALL_NAME" to the testcase. 2, This issue should be definitely split from CVE-2008-2712 -- reasons: a, it does not affect Vim 6.0, b, CVE-2008-2712 has no mention about tar.vim plugin c, we should use already assigned CVE-2008-3074 for this issue (as it was already used in the rPath advisory). d, See also part "Proposed description for CVE-2008-3074". Part 3 -- ZIP Observations: =========================== * Original advisory: http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim) * Testcases: zipplugin zipplugin.v2 Difference between Makefiles: a, different name used for the zip archive 24c24,25 < ARCHIVE_NAME = "sploit/$(INITIAL)'|so%|retu|'$(FINAL).zip" --- > ARCHIVE_NAME = "sploit/$(INITIAL)|call system(\"eval eval \`echo 0:64617465203e3e2070776e6564 | xxd -r\`\")|$(FINAL).zip" b, Different "# Compile the exploit\n# The ar\n.PHONY: sploit\nsploit: exploit.vim plugin" part * Relation between zip.vim and zipPlugin.vim (zipplugin mentioned in bullet (2) of CVE-2008-2172) /usr/share/vim/vim71/plugin/zipPlugin.vim "only" calls zip functions (zipBrowse, zipRead, zipWrite etc.) defined in /usr/share/vim/vim71/autoload/zip.vim * Your questions in http://www.openwall.com/lists/oss-security/2008/08/01/1 related to ZIP plugin: zip.vim - Report ZIP-1 rdancer says "zip.vim" as well as "zipPlugin.vim" - http://www.rdancer.org/vulnerablevim.html - Vim 7.1.298 and 6.4 - *part* of the advisory used CVE-2008-2712, but CVE-2008-2712 didn't include it - Report ZIP-2 Tomas Hoger suggests "still unfixed" http://www.openwall.com/lists/oss-security/2008/07/10/7 - CVE-2008-3075 assigned; used by rPath - since CVE-2008-2712 issues were fixed and zip.vim remains unfixed, a SPLIT from CVE-2008-2712 is reasonable - Report ZIP-3 Tomas Hoger says "only 7.0 and 7.1" affected http://www.openwall.com/lists/oss-security/2008/07/15/2 - Report ZIP-4 rdancer says zip "has not been fixed as of Vim 7.2a.19/zip.vim v19" http://www.openwall.com/lists/oss-security/2008/07/13/1 - Report ZIP-5 CVE-2008-2712 bullet (2) mentions zipplugin based on same advisory as ZIP-1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712 1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same issue? 2) What differences, if any, are there in zip.vim and zipplugin.vim? 3) Given the varying results for TAR-1 through TAR-4, should zip.vim be split from the tar issues? What about zipplugin.vim? 4) It might be reasonable to remove item (2) from CVE-2008-2712. * Affected Vim versions: Vim 7.0, zip.vim v.11 (from Jul 24, 2006) < Vim 7.2, zip.vim v.22 (Jul 30, 2008) Vim 6.0+ DOES NOT include zip.vim plugin. Part 4 -- ZIP Conclusions: ========================== zipPlugin.vim was mentioned in CVE-2008-2712, but zip.vim omitted. zipPlugin.vim "only" calls functions (zipWrite, zipRead, zipBrowse) provided by the zip.vim plugin. The text of CVE-2008-2712 should be modified -- the bullet (2) -- mention about zipplugin should be removed from it, as the issue was fixed only later in zip.vim plugin (Report ZIP-1). CVE-2008-3075 was used by rPath for this issue (Report ZIP-2). According to zipplugin testcases (zipplugin, zipplugin.v2) also Vim 7.0, and Vim 7.1 affected by this issue (Report ZIP-3). zip.vim v.19 is still vulnerable to this issue. Fixed in version zip.vim v.22 (see Affected Vim versions). (Report ZIP-4). Bullet (2) -- mention about zipplugin should be removed from CVE-2008-2712. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712 (Report ZIP-5). * Replies to your questions: 1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same issue? Reply: Yes, these all are clones of the same issue. 2) What differences, if any, are there in zip.vim and zipplugin.vim? Reply: zip.vim defines the functions (zipBrowse, zipRead, zipWrite), zipPlugin.vim "only calls" them. 3) Given the varying results for TAR-1 through TAR-4, should zip.vim be split from the tar issues? What about zipplugin.vim? Reply: The issue in its nature is the same as by TAR plugin (inproper sanitization of the '!' character as in the tar archives, but projected to zip archives) Part 5 -- Needed actions: ========================== 1, Remove bullet (2) -- mention about zipplugin from CVE-2008-2712. 2, a, either merge TAR, ZIP Vim issues under CVE-2008-3074 and reject CVE-2008-3075. This one is the PREFERRED SOLUTION. Proposed description of CVE-2008-3074: "The shellescape() function in Vim 7.0 through 7.2 does not properly escape all special items (in particular the '!' character). This results in untrusted data being insufficiently sanitized, possibly leading to arbitrary code execution as demonstrated on VIM TAR plugin (tar.vim) from v.10 through v.22 or VIM ZIP plugin (zip.vim) from version v.11 through v.21." References: http://www.rdancer.org/vulnerablevim-shellescape.html http://www.openwall.com/lists/oss-security/2008/08/01/1 http://www.openwall.com/lists/oss-security/2008/07/10/7 http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim) b, or modify descriptions of CVE-2008-3074 and CVE-2008-3075. Proposed description of CVE-2008-3074: "The shellescape() function in Vim 7.0 through 7.2 does not properly escape al special items (in particular the '!' character). This results in untrusted data being insufficiently sanitized, possibly leading to arbitrary code execution as demonstrated on VIM TAR plugin (tar.vim) from v.10 through v.22." References: http://www.rdancer.org/vulnerablevim-shellescape.html http://www.openwall.com/lists/oss-security/2008/08/01/1 http://www.openwall.com/lists/oss-security/2008/07/10/7 Proposed description of CVE-2008-3075: "The shellescape() function in Vim 7.0 through 7.2 does not properly escape all special items (in particular the '!' character). This results in untrusted data being insufficiently sanitized, possibly leading to arbitrary code execution as demonstrated on VIM ZIP plugin (zip.vim) from v.11 through v.21" References: http://www.rdancer.org/vulnerablevim-shellescape.html http://www.openwall.com/lists/oss-security/2008/08/01/1 http://www.rdancer.org/vulnerablevim.html (Part 3.4.2.4. zip.vim) Jan, any your comments to the above are appreciated. Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.