| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120401142652.GA5365@sivokote.iziade.m$>
Date: Sun, 1 Apr 2012 17:26:52 +0300
From: Georgi Guninski <guninski@...inski.com>
To: full-disclosure@...ts.grok.org.uk
Subject: So,
so you think you can tell April 1 joke from a 0day?
So, so you think you can tell April 1 joke from a 0day?
On Sun, 1 Apr 2007 03:26:30 -0400 (EDT) someone posted a message to
fd with subject "April 1 joke" [1]
The body of the message appeared to me as not obfuscated vim 0day.
vim: foldmethod=expr:foldexpr=feedkeys("\\<esc>\\x3a%!cat\\x20-n\\<CR>\\<esc>\\x
3a%s/./\:)/g\\<CR>\\<esc>\\x3aq!\\<CR>"):
The thread had 4 emails.
On 2007-04-26 21:35 [2] on vim-dev:
today somebody came to #vim, and pasted some modeline (containig joke or
such). He muttered something about not knowing what that means and left
before long. But (!) what I noticed is that feedkeys() was used as part of
foldexpression and it turned out that feedkeys() is allowed in sandbox,
which means malicious file can run arbitrary command via modeline like
this:
vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
Redhat's bug is at [3].
Appears to me the CVE assigning monkeys and Secunia didn't notice the 0day.
So, so you think you can tell April 1 joke from a 0day?
[1]: http://seclists.org/fulldisclosure/2007/Apr/0
[2]: http://marc.info/?l=vim-dev&m=117762581821298
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=238259
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists