The Vim Text Editor Security Advisories
This project is maintained by rdancer
Arbitrary code execution in Netrw, fully patched Vim 7.2a
1. Summary
Product : Vim -- Vi IMproved
Version : Tested with 7.2a.10
Impact : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v2.html
Lack of sanitization can lead to arbitrary code execution.
2. Overview
``Vim is an almost compatible version of the UNIX editor Vi. Many new features
have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
-- VIM 7.1 README.txt
``Netrw makes reading, writing, and browsing over a network connection easy!
[...] Netrw supports "transparent" editing of files on other machines using
urls [...]''
-- Netrw Reference Manual (pi_netrw.txt)
The archive with code that is a part of this advisory can be found at
``http://www.rdancer.org/vulnerablevim-netrw.v2.tar.bz2''.
3. Details
3.0. Vim Version and Netrw Version
In this advisory, we analyse Vim version 7.2a.10, Netrw version 125.
3.1. Prerequisite: Marking Files (The ``mf'' Command)
``One may mark files with the cursor atop a filename and then pressing "mf".
With gvim, one may also mark files with <s-leftmouse>.''
-- Netrw Reference Manual (pi_netrw.txt)
3.2. Compression and Decompression (The ``mz'' Command)
``If any marked files are compressed, then "mz" will decompress them.
If any marked files are decompressed, then "mz" will compress them
using the command specified by |g:netrw_compress|; by default,
that's "gzip".''
-- Netrw Reference Manual (pi_netrw.txt)
Invoking the ``mz'' command upon a file with a crafted file name can lead to
arbitrary code execution.
3.2.1 Vulnerability
In many places, Netrw ($VIMRUNTIME/autoload/netrw.vim) fails to sanitize file
names used as shell arguments.
In function s:NetrwMarkFileExe() (The ``mx'' command): ``apply command to marked
files. Substitute: filename -> % If no %, then append a space and the filename
to the command'':
4036 for fname in s:netrwmarkfilelist_{curbufnr}
4037 if a:islocal
4038 if g:netrw_keepdir
4039 let fname= s:ComposePath(curdir,fname)
4040 endif
4041 else
4042 let fname= b:netrw_curdir.fname
4043 endif
4044 if cmd =~ '%'
4045 let xcmd= substitute(cmd,'%',fname,'g')
4046 else
4047 let xcmd= cmd.' '.fname
4048 endif
4049 if a:islocal
4050 " call Decho("local: xcmd<".xcmd.">")
--> 4051 let ret= system(xcmd)
4052 else
4053 " call Decho("remote: xcmd<".xcmd.">")
--> 4054 let ret= s:RemoteSystem(xcmd)
Following code in function s:NetrwMarkFileCompress() is run when the ``mz''
(compress/decompress) command is invoked. The variable
``s:netrwmarkfilelist_{curbufnr}'' holds the marked files list.:
159 if !exists("g:netrw_decompress")
160 let g:netrw_decompress= { ".gz" : "gunzip" , ".bz2" : "bunzip2" , ".zip" : "unzip" , ".tar" : "tar -xf"}
161 endif
[...]
3816 for fname in s:netrwmarkfilelist_{curbufnr}
3817 " for every filename in the marked list
3818 for sfx in sort(keys(g:netrw_decompress))
3819 if fname =~ '\'.sfx.'$'
3820 " fname has a suffix indicating that its compressed; apply associated decompression routine
3821 let exe= g:netrw_decompress[sfx]
3822 " call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
3823 if a:islocal
3824 if g:netrw_keepdir
3825 let fname= s:ComposePath(curdir,fname)
3826 endif
3827 else
3828 let fname= b:netrw_curdir.fname
3829 endif
3830 if executable(exe)
3831 if a:islocal
--> 3832 call system(exe." ".fname)
3.2.2. Exploit
We exploit the statement on line 3832.
Run ``make demo'' or ``make test'' in the netrw.v2 directory.
For details on the exploit construction, see netrw.v2/Makefile.
Note: ``make test'' may hang when run from within vim.
3.2.3. Remedy
The shellescape() function[1] should be used to sanitize ``fname''.
3.3. Copying Files (The ``mc'' Command)
``[Copying:] Select a target directory with mt (|netrw-mt|). Then change
directory, select file(s) (see |netw-mf|), and press "mc".''
-- Netrw Reference Manual (pi_netrw.txt)
Invoking the ``mc'' command inside a directory with a crafted directory name
can lead to arbitrary code execution.
3.3.1. Vulnerability
Netrw inappropriately uses shellescape() in many places to sanitize arguments of the
``execute'' command.
708 exe s:netrw_silentxfer."!".g:netrw_rcp_cmd." ".s:netrw_rcpmode." ".shellescape(uid_machine.":".escape(b:netrw_fname,' ?&;')." ".tmpfile)
810 exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".shellescape(g:netrw_machine.":".escape(b:netrw_fname,g:netrw_fname_escape))." ".tmpfile
831 exe s:netrw_silentxfer."!".g:netrw_http_cmd." ".shellescape(tmpfile)." ".shellescape("http://".g:netrw_machine.netrw_fname)
842 exe s:netrw_silentxfer."!".g:netrw_http_cmd." ".shellescape(tmpfile)." ".shellescape("http://".g:netrw_machine.netrw_html)
882 exe s:netrw_silentxfer."!".g:netrw_rsync_cmd." ".shellescape(g:netrw_machine.":".netrw_fname)." ".tmpfile
907 exe s:netrw_silentxfer."!".g:netrw_fetch_cmd." ".tmpfile." ".shellescape(netrw_option."://".g:netrw_uid.':'.s:netrw_passwd.'@'.g:netrw_machine."/".netrw_fname)
910 exe s:netrw_silentxfer."!".g:netrw_fetch_cmd." ".tmpfile." ".shellescape(netrw_option."://".g:netrw_machine."/".netrw_fname)
923 exe s:netrw_silentxfer."!".g:netrw_sftp_cmd." ".shellescape(g:netrw_machine.":".netrw_fname)." ".tmpfile
1084 exe s:netrw_silentxfer."!".g:netrw_rcp_cmd." ".s:netrw_rcpmode." ".shellescape(tmpfile)." ".shellescape(uid_machine.":".netrw_fname)
1177 exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".shellescape(tmpfile)." ".shellescape(g:netrw_machine.":".netrw_fname)
2976 exe "silent !".viewer." ".viewopt.shellescape(fname).redir
2981 exe 'silent !start rundll32 url.dll,FileProtocolHandler '.shellescape(fname)
2987 exe "silent !gnome-open ".shellescape(fname).redir
2992 exe "silent !kfmclient exec ".shellescape(fname)." ".redir
2997 exe "silent !open ".shellescape(fname)." ".redir
3656 exe "silent! !".g:netrw_local_mkdir.' '.shellescape(newdirname)
3680 exe "silent! !".mkdircmd." ".shellescape(newdirname)
3911 exe "silent! !".g:netrw_local_mkdir.' '.shellescape(tmpdir)
4775 exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".filelist." ".shellescape(tgtdir)
5058 exe s:netrw_silentxfer."!".g:netrw_scp_cmd.useport." ".args." ".shellescape(machine.":".escape(tgt,g:netrw_fname_escape))
6001 exe "silent r! ".listcmd.shellescape(s:path)
6015 exe "silent r! ".listcmd.' "'.shellescape(s:path).'"'
3888 let args= join(map(copy(s:netrwmarkfilelist_{bufnr('%')}),"b:netrw_curdir.\"/\".shellescape(v:val)"))
3889 " call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")")
--> 3890 call system(g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt))
3.3.2. Exploit
Run ``make demo'' or ``make test'' in the netrw.v3 directory. Note: ``make
test'' may hang when run from within vim.
3.3.3. Remedy
The shellescape() function[1] should be used to sanitize ``b:netrw_curdir'' --
following patch may be applied:
--- /usr/local/share/vim/vim72a/autoload/netrw.vim 2008-07-01 18:38:09.000000000 +0100
+++ - 2008-07-03 19:01:50.676582822 +0100
@@ -3885,7 +3885,7 @@
if a:islocal && s:netrwmftgt_islocal
" Copy marked files, local directory to local directory
" call Decho("copy from local to local")
- let args= join(map(copy(s:netrwmarkfilelist_{bufnr('%')}),"b:netrw_curdir.\"/\".shellescape(v:val)"))
+ let args= join(map(copy(s:netrwmarkfilelist_{bufnr('%')}),"shellescape(b:netrw_curdir).\"/\".shellescape(v:val)"))
" call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")")
call system(g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt))
3.4. Deleting Files (The ``D'' Command)
``Deleting/removing files and directories involves moving the cursor to the
file/directory to be deleted and pressing "D".''
-- Netrw Reference Manual (pi_netrw.txt)
Applying the ``D'' to a file with a crafted file name, or inside a directory
with a crafted directory name, can lead to arbitrary code execution.
3.4.1 Vulnerability
Netrw fails to properly sanitize arguments passed to the s:System() function,
which is a wrapper for the ``execute'' command:
7596 fun! s:System(cmd,path)
[...]
7599 let path = a:path
[...]
7615 exe "let result= ".a:cmd."('".path."')"
In function s:NetrwLocalRmFile():
6724 fun! s:NetrwLocalRmFile(path,fname,all)
[...]
6730 let rmfile= s:ComposePath(a:path,a:fname)
[...]
--> 6754 let ret= s:System("delete",rmfile)
[...]
--> 6777 call s:System("system",g:netrw_local_rmdir.' '.shellescape(rmfile))
[...]
--> 6782 let errcode= s:System("delete",rmfile)
[...]
--> 6788 call s:System("system","rm ".shellescape(rmfile))
In function s:NetrwLocalRmFile():
6730 let rmfile= s:ComposePath(a:path,a:fname)
[...]
--> 6754 let ret= s:System("delete",rmfile)
[...]
--> 6777 call s:System("system",g:netrw_local_rmdir.' '.shellescape(rmfile))
6778 " call Decho("v:shell_error=".v:shell_error)
6779
6780 if v:shell_error != 0
6781 " call Decho("2nd attempt to remove directory<".rmfile.">")
--> 6782 let errcode= s:System("delete",rmfile)
6783 " call Decho("errcode=".errcode)
6784
6785 if errcode != 0
6786 if has("unix")
6787 " call Decho("3rd attempt to remove directory<".rmfile.">")
--> 6788 call s:System("system","rm ".shellescape(rmfile))
3.4.2 Exploit
We exploit the statement on the line 6754. Run ``make demo'' or ``make test''
in the netrw.v4 directory. Note: ``make test'' may hang when run from within
vim. We use the TIOCSTY ioctl to simulate keyboard input in ``make test'' --
may not work everywhere.
4. Footnotes
[1] shellescape() was introduced in patch 7.0.111.
5. Copyright
This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>
Copying welcome, under the Creative Commons ``Attribution-Share Alike'' License
http://creativecommons.org/licenses/by-sa/2.0/uk/
Code included herein, and accompanying this advisory, may be copied according to
the GNU General Public License version 2, or the Vim license. See the
subdirectory ``licenses''.
Various portions of the accompanying code were written by various parties.
Those parties may hold copyright, and those portions may be copied according
to the respective licenses.
6. History
2008-07-16 Note: The correct address is <vim-dev@vim.org> NOT
<vim_dev@googlegroups.com>
2008-07-03 Sent to: <full-disclosure@lists.grok.org.uk>,
<bugtraq@securityfocus.com>, <vim_dev@googlegroups.com>
Copy to: <bugs@vim.org>