Linux Command-Line Editors Vulnerable to High-Severity Bug


A bug impacting the editors Vim and Neovim could allow trojan code to escape sandbox mitigations.

A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into opening a specially crafted text file in either editor.

Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neovim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution.

“[Outlined is] a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content),” wrote Razmjou in a technical analysis of his research.

Vim is a popular modal (insert, visual or command) text editor based on the vi editor, a screen-oriented text editor originally created for the Unix operating system. A modeline is a configuration line that shares settings data to a display server and communicates display settings data.

Razmjou’s PoC is able to bypass modeline mitigations, which execute value expressions in a sandbox. That’s to prevent somebody from creating a trojan horse text file in modelines, the researcher said.

“However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left,” according to the PoC report.

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”

“Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.
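For triaging files before they are opened on an unpatched editor, the following Python script is an added example, not code from the article or from Razmjou's report. It scans the lines Vim inspects for modelines (assumed here to be the first and last five, Vim's default `modelines` value) and flags any that carry an escape byte or the text `source!`, rendering them the way `cat -v` would. The regex is a loose approximation of Vim's modeline marker, and `SAMPLE` is constructed, non-functional data.

```python
import re
import sys

SCAN_LINES = 5  # Vim's default 'modelines' value: lines checked at top and bottom
# Loose approximation of Vim's modeline marker (vi:, vim:, Vim:, ex:); may over-match.
MODELINE_RE = re.compile(rb"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):")

def visible(line: bytes) -> str:
    """Render control bytes the way `cat -v` does (ESC becomes ^[)."""
    return "".join(
        "^" + chr(b ^ 0x40) if (b < 0x20 and b != 0x09) or b == 0x7F
        else chr(b) if b < 0x80 else f"\\x{b:02x}"
        for b in line
    )

def scan_modelines(data: bytes, scan_lines: int = SCAN_LINES):
    """Return (line_no, reasons, cat_v_text) for each modeline Vim would look at."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # a trailing newline is not an extra line
    window = set(range(min(scan_lines, len(lines))))
    window |= set(range(max(0, len(lines) - scan_lines), len(lines)))
    findings = []
    for i in sorted(window):
        line = lines[i]
        if not MODELINE_RE.search(line):
            continue
        reasons = ["modeline"]
        if b"\x1b" in line:
            reasons.append("escape-sequence")  # can hide text under plain `cat`
        if b"source!" in line.replace(b"\\", b""):
            reasons.append("source!")  # the command named in CVE-2019-12735
        findings.append((i + 1, reasons, visible(line)))
    return findings

# Constructed sample: a harmless modeline, one outside the scan window, and a
# non-functional stand-in line carrying an ESC byte and the text "source!".
SAMPLE = b"\n".join(
    [b"# vim: set ts=4 sw=4 et:"]
    + [b"body text %d" % n for n in range(2, 7)]
    + [b"# vim: set ts=8:"]
    + [b"body text %d" % n for n in range(8, 14)]
    + [b"\x1b[0m# vim: set placeholder=source! :"]
) + b"\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line_no, reasons, text in scan_modelines(data):
        print(f"line {line_no}: {', '.join(reasons)}: {text}")
```

A hit with only the `modeline` reason is usually an ordinary editor-settings line; the other two reasons are the ones worth a manual look with `cat -v`.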


Discussion

  • anon on

    Fun fact: Debian, Ubuntu, Gentoo, OSX, etc. by default disable modelines for security reasons. Confirmed disabled on Linux Mint. To check: within vim run ":verbose set modeline? modelines?" It will display where your config file is and something like "set modelines=5". If it is set to anything other than "0", you are safe. Within your config, if "set nomodeline" is set not commented out, you are safe. Shame this wasn't in the article.
  • Anonymous on

    Calling vim and such "command-line editors" is both confusing and misleading. Most editors can be launched from the command line, and vim can also be launched graphically. Is a new title in order?
  • Chen on

    Modelines is disabled by default on most popular distributions such as ubuntu and centos.
  • dmacleo on

    can compromise a Linux system via Vim or Neowim **************************************** isn't it neovim not neowin?
  • Anonymous on

    I agree. I expected the article to be about some vulnerability related to modern shells allowing the editing of command lines via emacs or vi key sequences to kill/yank/etc or something
  • pDale Campbell on

    Yes, a new title is needed. "Command-line editor" is a separate, specific thing.
  • Anonymous on

    This statement from an above comment is in error: " If it is set to anything other than "0", you are safe. " The opposite is true. "0" is safe, anything other than "0" is not safe.
  • Reve on

    Modelines is NOT disabled by default on Cent OS 7. You can check with :set modelines? in vim, it will return nomodeline if it's disabled, or modeline if it's enabled.
  • Reve on

    Clarification. Defaults on Cent OS 7 are: modeline Last set from /etc/vimrc modelines=5 IOTW, enabled, but set to modelines=5
