CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system

Bad news for Linux users, a flaw tracked as CVE-2019-12735 allows to hack their systems by tricking them into opening a specially crafted file in Vim or Neovim Editor.

Security expert Armin Razmjou has recently found a high-severity vulnerability (CVE-2019-12735) in Vim and Neovim command-line text editing applications.

The vulnerability, tracked as CVE-2019-12735, is classified as an arbitrary OS command execution vulnerability. Both Vim and Neovim editing applications are pre-installed in Linux distros.

“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.” reads the security advisory published by the expert.

Vim is a highly configurable text editor for efficiently creating and changing any kind of text, including documents and scripts.

With 30% less source-code than Vim, the vision of Neovim is to enable new applications without compromising Vim’s traditional roles and enhancing the user experience

The vulnerability affects the way the Vim editor handles the “modelines” option. The modeline feature allows users to specify custom editor options near the start or end of a file (i.e. /* vim: set textwidth=80 tabstop=8: */). The feature is enabled by default and it is applied to all file types.

Only a subset of options is allowed in modelines, if an expression is included in the option value, it is executed in a sandbox.

Razmjou explained that it is possible to craft construct a modeline that execute the code outside the sandbox.

“However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left.” continues the expert.

The expert demonstrated that by tricking a victim into opening a specially crafted file using Vim or Neovim it is possible to secretly execute commands on its Linux system and remotely take over it.

Razmjou published two proof-of-concept exploits to the public, one of which allows a remote attacker to gain access to a reverse shell.

“This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened.” continues the post. “Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content.)”

Below the video PoC of the attack:

Vim and Neovim development teams already released security updates to address the CVE-2019-12735 flaw, Vim patch 8.1.1365 and Neovim patch (released in v0.3.6).

The expert also suggests to:

• disable modelines feature,
• disable “modelineexpr” to disallow expressions in modelines,
• use “securemodelines plugin,” a secure alternative to Vim modelines.

Below the timeline of the flaw:

• 2019-05-22 Vim and Neovim maintainers notified
• 2019-05-23 Vim patch released
• 2019-05-29 Neovim patch released
• 2019-06-05 CVE ID CVE-2019-12735 assigned

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CVE-2019-12735, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]