Vulnerable Vim

The Vim Text Editor Security Advisories

This project is maintained by rdancer

Arbitrary code execution in Netrw, fully patched Vim 7.2a

1. Summary

Product  : Vim -- Vi IMproved
Version  : Tested with 7.2a.10
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v2.html

Lack of sanitization can lead to arbitrary code execution.


2. Overview

``Vim is an almost compatible version of the UNIX editor Vi.  Many new features
have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
	-- VIM 7.1 README.txt

``Netrw makes reading, writing, and browsing over a network connection easy!
[...] Netrw supports "transparent" editing of files on other machines using
urls [...]''

	-- Netrw Reference Manual (pi_netrw.txt)

The archive with code that is a part of this advisory can be found at
``http://www.rdancer.org/vulnerablevim-netrw.v2.tar.bz2''.


3. Details

3.0. Vim Version and Netrw Version

In this advisory, we analyse Vim version 7.2a.10, Netrw version	125.


3.1. Prerequisite: Marking Files (The ``mf'' Command)

``One may mark files with the cursor atop a filename and then pressing "mf".
With gvim, one may also mark files with <s-leftmouse>.''

	-- Netrw Reference Manual (pi_netrw.txt)


3.2. Compression and Decompression (The ``mz'' Command)

``If any marked files are compressed,   then "mz" will decompress them.
If any marked files are decompressed, then "mz" will compress them
using the command specified by |g:netrw_compress|; by default,
that's "gzip".''

	-- Netrw Reference Manual (pi_netrw.txt)

Invoking the ``mz'' command upon a file with a crafted file name can lead to
arbitrary code execution.


3.2.1 Vulnerability

In many places, Netrw ($VIMRUNTIME/autoload/netrw.vim) fails to sanitize file
names used as shell arguments.

In function s:NetrwMarkFileExe() (The ``mx'' command): ``apply command to marked
files.  Substitute: filename -> % If no %, then append a space and the filename
to the command'':

        4036    for fname in s:netrwmarkfilelist_{curbufnr}
        4037     if a:islocal
        4038      if g:netrw_keepdir
        4039       let fname= s:ComposePath(curdir,fname)
        4040      endif
        4041     else
        4042      let fname= b:netrw_curdir.fname
        4043     endif
        4044     if cmd =~ '%'
        4045      let xcmd= substitute(cmd,'%',fname,'g')
        4046     else
        4047      let xcmd= cmd.' '.fname
        4048     endif
        4049     if a:islocal
        4050 "     call Decho("local: xcmd<".xcmd.">")
    --> 4051      let ret= system(xcmd)
        4052     else
        4053 "     call Decho("remote: xcmd<".xcmd.">")
    --> 4054      let ret= s:RemoteSystem(xcmd)

Following code in function s:NetrwMarkFileCompress() is run when the ``mz''
(compress/decompress) command is invoked.  The variable
``s:netrwmarkfilelist_{curbufnr}'' holds the marked files list.:

	 159 if !exists("g:netrw_decompress")
	 160  let g:netrw_decompress= { ".gz" : "gunzip" , ".bz2" : "bunzip2" , ".zip" : "unzip" , ".tar" : "tar -xf"}
	 161 endif
	[...]
        3816    for fname in s:netrwmarkfilelist_{curbufnr}
        3817     " for every filename in the marked list
        3818     for sfx in sort(keys(g:netrw_decompress))
        3819      if fname =~ '\'.sfx.'$'
        3820       " fname has a suffix indicating that its compressed; apply associated decompression routine
        3821       let exe= g:netrw_decompress[sfx]
        3822 "      call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
        3823       if a:islocal
        3824        if g:netrw_keepdir
        3825         let fname= s:ComposePath(curdir,fname)
        3826        endif
        3827       else
        3828        let fname= b:netrw_curdir.fname
        3829       endif
        3830       if executable(exe)
        3831        if a:islocal
    --> 3832         call system(exe." ".fname)


3.2.2. Exploit

We exploit the statement on line 3832.

Run ``make demo'' or ``make test'' in the netrw.v2 directory.

For details on the exploit construction, see netrw.v2/Makefile.

Note: ``make test'' may hang when run from within vim.


3.2.3. Remedy

The shellescape() function[1] should be used to sanitize ``fname''.


3.3. Copying Files (The ``mc'' Command)

``[Copying:]  Select a target directory with mt (|netrw-mt|).  Then change
directory, select file(s) (see |netw-mf|), and press "mc".''

	-- Netrw Reference Manual (pi_netrw.txt)

Invoking the ``mc'' command inside a directory with a crafted directory name
can lead to arbitrary code execution.


3.3.1. Vulnerability

Netrw inappropriately uses shellescape() in many places to sanitize arguments of the
``execute'' command.

        708   exe s:netrw_silentxfer."!".g:netrw_rcp_cmd." ".s:netrw_rcpmode." ".shellescape(uid_machine.":".escape(b:netrw_fname,' ?&;')." ".tmpfile)
        810    exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".shellescape(g:netrw_machine.":".escape(b:netrw_fname,g:netrw_fname_escape))." ".tmpfile
        831     exe s:netrw_silentxfer."!".g:netrw_http_cmd." ".shellescape(tmpfile)." ".shellescape("http://".g:netrw_machine.netrw_fname)
        842     exe s:netrw_silentxfer."!".g:netrw_http_cmd." ".shellescape(tmpfile)." ".shellescape("http://".g:netrw_machine.netrw_html)
        882    exe s:netrw_silentxfer."!".g:netrw_rsync_cmd." ".shellescape(g:netrw_machine.":".netrw_fname)." ".tmpfile
        907     exe s:netrw_silentxfer."!".g:netrw_fetch_cmd." ".tmpfile." ".shellescape(netrw_option."://".g:netrw_uid.':'.s:netrw_passwd.'@'.g:netrw_machine."/".netrw_fname)
        910     exe s:netrw_silentxfer."!".g:netrw_fetch_cmd." ".tmpfile." ".shellescape(netrw_option."://".g:netrw_machine."/".netrw_fname)
        923    exe s:netrw_silentxfer."!".g:netrw_sftp_cmd." ".shellescape(g:netrw_machine.":".netrw_fname)." ".tmpfile
        1084    exe s:netrw_silentxfer."!".g:netrw_rcp_cmd." ".s:netrw_rcpmode." ".shellescape(tmpfile)." ".shellescape(uid_machine.":".netrw_fname)
        1177    exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".shellescape(tmpfile)." ".shellescape(g:netrw_machine.":".netrw_fname)
        2976   exe "silent !".viewer." ".viewopt.shellescape(fname).redir
        2981   exe 'silent !start rundll32 url.dll,FileProtocolHandler '.shellescape(fname)
        2987   exe "silent !gnome-open ".shellescape(fname).redir
        2992   exe "silent !kfmclient exec ".shellescape(fname)." ".redir
        2997   exe "silent !open ".shellescape(fname)." ".redir
        3656    exe "silent! !".g:netrw_local_mkdir.' '.shellescape(newdirname)
        3680   exe "silent! !".mkdircmd." ".shellescape(newdirname)
        3911    exe "silent! !".g:netrw_local_mkdir.' '.shellescape(tmpdir)
        4775    exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".filelist." ".shellescape(tgtdir)
        5058    exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".args." ".shellescape(machine.":".escape(tgt,g:netrw_fname_escape))
        6001    exe "silent r! ".listcmd.shellescape(s:path)
        6015     exe "silent r! ".listcmd.' "'.shellescape(s:path).'"'


        3888    let args= join(map(copy(s:netrwmarkfilelist_{bufnr('%')}),"b:netrw_curdir.\"/\".shellescape(v:val)"))
        3889 "   call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")")
    --> 3890    call system(g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt))

3.3.2. Exploit

Run ``make demo'' or ``make test'' in the netrw.v3 directory.  Note: ``make
test'' may hang when run from within vim.


3.3.3. Remedy

The shellescape() function[1] should be used to sanitize ``b:netrw_curdir'' --
following patch may be applied:

--- /usr/local/share/vim/vim72a/autoload/netrw.vim      2008-07-01 18:38:09.000000000 +0100
+++ -   2008-07-03 19:01:50.676582822 +0100
@@ -3885,7 +3885,7 @@
   if      a:islocal &&  s:netrwmftgt_islocal
       " Copy marked files, local directory to local directory
        "   call Decho("copy from local to local")
        -   let args= join(map(copy(s:netrwmarkfilelist_{bufnr('%')}),"b:netrw_curdir.\"/\".shellescape(v:val)"))
        +   let args= join(map(copy(s:netrwmarkfilelist_{bufnr('%')}),"shellescape(b:netrw_curdir).\"/\".shellescape(v:val)"))
         "   call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")")
             call system(g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt))



3.4. Deleting Files (The ``D'' Command)

``Deleting/removing files and directories involves moving the cursor to the
file/directory to be deleted and pressing "D".''

	-- Netrw Reference Manual (pi_netrw.txt)

Applying the ``D'' to a file with a crafted file name, or inside a directory
with a crafted directory name, can lead to arbitrary code execution.


3.4.1 Vulnerability

Netrw fails to properly sanitize arguments passed to the s:System() function,
which is a wrapper for the ``execute'' command:

        7596    fun! s:System(cmd,path)
        [...]
        7599      let path = a:path
        [...]
        7615        exe "let result= ".a:cmd."('".path."')"

In  function s:NetrwLocalRmFile():

        6724	fun! s:NetrwLocalRmFile(path,fname,all)
        [...]
        6730	  let rmfile= s:ComposePath(a:path,a:fname)
        [...]
    --> 6754	    let ret= s:System("delete",rmfile)
        [...]
    --> 6777	    call s:System("system",g:netrw_local_rmdir.' '.shellescape(rmfile))
        [...]
    --> 6782	     let errcode= s:System("delete",rmfile)
        [...]
    --> 6788	       call s:System("system","rm ".shellescape(rmfile))

In function s:NetrwLocalRmFile():
        6730   let rmfile= s:ComposePath(a:path,a:fname)
        [...]
    --> 6754     let ret= s:System("delete",rmfile)
        [...]
    --> 6777     call s:System("system",g:netrw_local_rmdir.' '.shellescape(rmfile))
        6778 "    call Decho("v:shell_error=".v:shell_error)
        6779
        6780     if v:shell_error != 0
        6781 "     call Decho("2nd attempt to remove directory<".rmfile.">")
    --> 6782      let errcode= s:System("delete",rmfile)
        6783 "     call Decho("errcode=".errcode)
        6784
        6785      if errcode != 0
        6786       if has("unix")
        6787 "       call Decho("3rd attempt to remove directory<".rmfile.">")
    --> 6788        call s:System("system","rm ".shellescape(rmfile))


3.4.2 Exploit

We exploit the statement on the line 6754.  Run ``make demo'' or ``make test''
in the netrw.v4 directory.  Note: ``make test'' may hang when run from within
vim.  We use the TIOCSTY ioctl to simulate keyboard input in ``make test'' --
may not work everywhere.


4. Footnotes

[1] shellescape() was introduced in patch 7.0.111.


5. Copyright

This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>

Copying welcome, under the Creative Commons ``Attribution-Share Alike'' License
http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied according to
the GNU General Public License version 2, or the Vim license.  See the
subdirectory ``licenses''.

Various portions of the accompanying code were written by various parties.
Those parties may hold copyright, and those portions may be copied according
to the respective licenses.


6. History

2008-07-16 Note: The correct address is <vim-dev@vim.org> NOT
	   <vim_dev@googlegroups.com>
2008-07-03 Sent to: <full-disclosure@lists.grok.org.uk>,
	   <bugtraq@securityfocus.com>, <vim_dev@googlegroups.com>
	   Copy to: <bugs@vim.org>