....
 

Guardian Digital Inc. > InfoCenter > Mailing List Archives > Full Disclosure

Full Disclosure Mailing List Archive

From: Liu Die Yu (liudieyu@umbrella.name)
Date: Thu Dec 23 2004 - 23:31:12 EST


the credit really should go to Georgi Guninski who said:
----------
[...]
Opening a specially crafted text file with vim can execute arbitrary
shell commands and pass parameters to them.
[...]
The problem are so called modelines, which can execute some commands in
vim, though they are intended to be sandboxed.
[...]
----------
and provided a working demo:
----------
/* vim:set foldmethod=expr: */
/* vim:set
foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */

vim better than windoze
----------
in 2002 at
http://www.guninski.com/vim1.html

BTW, i really want to a video showing advanced VIM typer editing text
extremely fast. it can be a good material to convince newbie to use VIM.

http://editive.com/referrer

Martin Pitt wrote:

>===========================================================
>Ubuntu Security Notice USN-52-1 December 23, 2004
>vim vulnerability
>CAN-2004-1138
>===========================================================
>
>A security issue affects the following Ubuntu releases:
>
>Ubuntu 4.10 (Warty Warthog)
>
>The following packages are affected:
>
>kvim
>vim
>vim-gnome
>vim-gtk
>vim-lesstif
>vim-perl
>vim-python
>vim-tcl
>
>The problem can be corrected by upgrading the affected package to
>version 1:6.3-025+1ubuntu2.1. In general, a standard system upgrade is
>sufficient to effect the necessary changes.
>
>Details follow:
>
>Ciaran McCreesh found several vulnerabilities related to the use of
>options in Vim modeline commands, such as 'termcap', 'printdevice',
>'titleold', 'filetype', 'syntax', 'backupext', 'keymap', 'patchmode',
>and 'langmenu'.
>
>If an attacker tricked an user to open a file with a specially crafted
>modeline, he could exploit this to execute arbitrary commands with the
>user's privileges.
>
> Source archives:
>
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.1.diff.gz
> Size/MD5: 424979 4965410b651e6f5ac01ba2500e45d1ad
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.1.dsc
> Size/MD5: 1122 fbabe18da525c6874e00e7144dc1015f
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3.orig.tar.gz
> Size/MD5: 5624622 de1c964ceedbc13538da87d2d73fd117
>
> Architecture independent packages:
>
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.3-025+1ubuntu2.1_all.deb
> Size/MD5: 3421062 5e19fadc78b2d58baf8b9c0e469bffe9
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-doc_6.3-025+1ubuntu2.1_all.deb
> Size/MD5: 1646594 0aacbc8f415aac67d4ff67c2567ea9fc
>
> amd64 architecture (Athlon64, Opteron, EM64T Xeon)
>
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 2586 dffb544da03f75c78a04240c1a226034
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 805718 684db5c3346c4369b47131fa1e12130e
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 802444 d62cb45626f58a3d04286734c9f0fff4
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 784098 b6023cf232ce1177206aebc3a002ea10
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 809126 2414707b703fb83ac166eef291e00f14
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 802464 f9fc02b7e2bddaf8c579b88556b49e52
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 801154 63c0de866afbe3e898c22dd1c571e4f9
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.1_amd64.deb
> Size/MD5: 764954 4efd27d92715dd0b3d518b85a5fdaa23
>
> i386 architecture (x86 compatible Intel/AMD)
>
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 2590 d66ae294e991c2a7795800ce109c4ed2
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 702646 0b2b804684a446045fc7b459f80b1c33
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 699996 38435bc2a97e3dae68aeacb41aa6ee46
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 682456 7346dca98d32990cbda11b28dcf9de98
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 707678 0cebe040f27ff421c046c0bba0c7be5a
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 700016 218129f6116b1ed0cac566b4ed3bb91a
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 699624 8f41f595aeb4b798b932cafdae5b428c
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.1_i386.deb
> Size/MD5: 680000 648b6f8d31502eb282c6c8e598b1bfb3
>
> powerpc architecture (Apple Macintosh G3/G4/G5)
>
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 2594 9b73d310934283adb3443ba1cf698cfc
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 788010 a0fb73fac7af675b50670878eff5e7a1
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 785336 fa097c36bb3fbdde3cc61131e06894b3
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 769820 960874ca1a9d2f184fb70a7c67712ff2
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 792352 33cdd008c6f7ee7ce5b7eb207e3a23d3
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 785350 f9ea0ded3300b32c8f464469666a2739
> http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 784864 1b286b54ecb25d6aa7b611122c5ad7b3
> http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.1_powerpc.deb
> Size/MD5: 754470 04d272608873af561b091de313b7167c
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



[ About Guardian Digital ] - [ Press Center ] - [ Contact Us ] - [ System Activation ] - [ Reseller Info ] - [ Online Store ] - [ Site Map ]
Copyright (c) 2000 - 2004 Guardian Digital, Inc. Linux Lockbox and EnGarde are Trademarks of Guardian Digital, Inc.