lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 1 Apr 2012 17:26:52 +0300
From: Georgi Guninski <>
Subject: So,
	so you think you can tell April 1 joke from a 0day?

So, so you think you can tell April 1 joke from a 0day?

On Sun, 1 Apr 2007 03:26:30 -0400 (EDT) someone posted a message to
fd with subject "April 1 joke" [1]

The body of the message appeared to me as not obfuscated vim 0day.

vim: foldmethod=expr:foldexpr=feedkeys("\\<esc>\\x3a%!cat\\x20-n\\<CR>\\<esc>\\x

The thread had 4 emails.

On 2007-04-26 21:35 [2] on vim-dev:

today somebody came to #vim, and pasted some modeline (containig joke or
such). He muttered something about not knowing what that means and left
before long. But (!) what I noticed is that feedkeys() was used as part of
foldexpression and it turned out that feedkeys() is allowed in sandbox,
which means malicious file can run arbitrary command via modeline like

vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")

Redhat's bug is at [3].

Appears to me the CVE assigning monkeys and Secunia didn't notice the 0day.

So, so you think you can tell April 1 joke from a 0day?


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists