lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <eli$0809181613@qz.little-neck.ny.us>
Date: Thu, 18 Sep 2008 16:57:57 -0400 (EDT)
From: Eli the Bearded <*@....users.panix.com>
To: bugtraq@...urityfocus.com
Cc: 
Subject: vi can run arbitrary commands via 'tags' file

The vi editor can run arbitrary commands via 'tags' file

An advisory from Eli the Bearded

Programs involved:
vi and ex in their many guises, *when descended from the originals*.
None of the clones I have tested (recent vim, nvi) suffer from this.

Problem synopsis:
A number of editors, vi included, support the use of a 'tags' file
which functions as an hypertext index. The user selects a string in
the file, issues a command and the editor will open a file and run
that command. The typical use is to have tags that correspond to
function names, with files and commands to take the user to the
definition of the function. That need not be the case, however.

The tags file format used by vi is not adequately documented. No where
is it made clear that the target command in the tags file can contain
any ex mode command, which is means arbitrary shell code. This is just
like the old modelines vulnerability, but it was never as widely known. 

Example:
Use tabs where <TAB> is noted.

$ echo "This is line 1" > file1
$ echo "file1line1<TAB>file1<TAB>:1|!touch gotcha" > tags
$ ls
file1   tags
$ vi -t file1line1
:q!
$ ls
file1   gotcha   tags
$ 

Workaround:
Do not trust tags files from unknown sources. Inspect them first
or delete and recreate them.

History and notifications:
I discovered this loophole in tags processing in 1997 by studying
vim (version 4.5), which closely followed vi at time.

http://groups.google.com/group/comp.editors/msg/f4db1b5aed7ad225

This has long been fixed in vim.

Then about ten years later I remembered this, tried it again on a Sun
box and submitted a bug. A year or so later they've got a response:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-237987-1

Which essentially boils down to the workaround given above.


Elijah
------
has forgotten more about vi than many people ever knew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ