Security expert Armin Razmjou has recently found a high-severity vulnerability (CVE-2019-12735) in Vim and Neovim command-line text editing applications.
The vulnerability, tracked as CVE-2019-12735, is classified as an arbitrary OS command execution vulnerability. Both Vim and Neovim editing applications are pre-installed in Linux distros.
“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.” reads the security advisory published by the expert.
Vim is a highly configurable text editor for efficiently creating and changing any kind of text, including documents and scripts.
With 30% less source-code than Vim, the vision of Neovim is to enable new applications without compromising Vim’s traditional roles and enhancing the user experience
The vulnerability affects the way the Vim editor handles the “modelines” option. The modeline feature allows users to specify custom editor options near the start or end of a file (i.e. /* vim: set textwidth=80 tabstop=8: */). The feature is enabled by default and it is applied to all file types.
Only a subset of options is allowed in modelines, if an expression is included in the option value, it is executed in a sandbox.
Razmjou explained that it is possible to craft construct a modeline that execute the code outside the sandbox.
“However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left.” continues the expert.
The expert demonstrated that by tricking a victim into opening a specially crafted file using Vim or Neovim it is possible to secretly execute commands on its Linux system and remotely take over it.
Razmjou published two proof-of-concept exploits to the public, one of which allows a remote attacker to gain access to a reverse shell.
“This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened.” continues the post. “Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content.)”
Below the video PoC of the attack:
Vim and Neovim development teams already released security updates to address the CVE-2019-12735 flaw, Vim patch 8.1.1365 and Neovim patch (released in v0.3.6).
The expert also suggests to:
Below the timeline of the flaw:
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – CVE-2019-12735, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
This website uses cookies.