Another Vim modeline vulnerability

Ciaran McCreesh ciaranm at ciaranm.org
Mon Jun 18 19:50:11 UTC 2007


Hi,

Vim 7 includes what may or may not be considered a vulnerability with
the modeline feature (this is a different vulnerability than all the
other modeline problems that have already been fixed). I've spoken to
Bram about it, and he doesn't consider it to be a security issue or
indeed a bug at all; I'd imagine some distributions would think
otherwise, so I'm sending you all details so you can decide for
yourselves.

Prerequisites: Vim must have modelines enabled. ':set modeline?' will
tell you whether this is the case (it's off by default for Gentoo;
other distributions will vary). For testing purposes, you can 'set
modeline' before opening a file.

The attack: A malicious user can make a small spell file that, when
used, will cause Vim to allocate large (2GBytes is easy) amounts of
memory. The malicious user can then create a document with a modeline
that tells Vim to use this spell file.

The malicious user creates a world-readable file in his home directory
called 'naughty.spl' with the following contents:

0000000: 5649 4d73 7065 6c6c 320f 0079 0000 000a  VIMspell2..y....
0000010: 0a

The malicious user then creates a world-readable file that is to be
opened by the target user. The last line of this file should be:

# vim: set spell spelllang=/home/naughtyuser/naughty :

Depending upon how the kernel and Vim are configured, this might a)
make Vim simply display an 'out of memory' notice, b) make the OOM
killer kick in or c) make Vim eat lots of CPU for a long time and then
crash.

The fix: The attached patch bans pathnames for the spelllang option.
(This affects both modeline and non-modeline settings of the value.)

I haven't published details of this anywhere, so unless someone else
has worked it out independently and isn't telling anyone, there's no
exploit in the wild.

-- 
Ciaran McCreesh

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vim-7.1-spelllang-modelines.patch
Type: text/x-patch
Size: 495 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-vim-maintainers/attachments/20070618/bcfdc00d/attachment.bin 
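Added example, not part of Ciaran's mail or of Vim itself: a Python checker that walks the section table of a .spl file as the hex dump above lays it out (8-byte "VIMspell" magic, a version byte, then sections of 1-byte id, 1-byte flags and 4-byte big-endian length, with 0xFF closing the table; that layout is my reading of the dump and of Vim's format, not something the mail states) and reports any section whose declared length exceeds the bytes actually present, plus a modeline check that flags spelllang values naming a path, the kind of value the described patch rejects. Bytes and modeline strings are constructed from the mail; the path test (any '/' or '\\') is an assumption.

```python
import re
import struct

# The 17 bytes of 'naughty.spl' from the hex dump in the mail (constructed
# here from that dump so the check runs offline).
NAUGHTY_SPL = bytes.fromhex("56494d7370656c6c320f00790000000a0a")

# A well-formed constructed file: magic, version '2', one 2-byte section
# with id 0, then the 0xFF end-of-table marker.
GOOD_SPL = b"VIMspell2" + bytes([0, 0]) + struct.pack(">I", 2) + b"us" + b"\xff"


def check_spell_file(data: bytes):
    """Return (section_id, declared_len, bytes_left) for every section whose
    declared length exceeds the bytes actually in the file; [] means the
    table is self-consistent."""
    if data[:9] != b"VIMspell2":
        raise ValueError("not a version-2 VIMspell file")
    pos, bad = 9, []
    while pos < len(data):
        sec_id = data[pos]
        pos += 1
        if sec_id == 0xFF:          # end-of-table marker
            break
        if pos + 5 > len(data):     # section header itself is cut off
            bad.append((sec_id, None, len(data) - pos))
            break
        _flags, length = struct.unpack(">BI", data[pos:pos + 5])
        pos += 5
        if length > len(data) - pos:
            # naughty.spl: id 0x0f declares 0x79000000 (~1.9 GiB) bytes, 2 follow
            bad.append((sec_id, length, len(data) - pos))
            break
        pos += length
    return bad


# Modeline forms 'vim: opt ...' and 'vim: set opt ... :' (simplified;
# version-qualified forms such as 'vim700:' are not handled).
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:se(?:t)?\s+)?(.*)")


def spelllang_paths_in_modeline(line: str):
    """Return spelllang values in a modeline that name a path (assumed: any
    '/' or '\\' in the value marks a pathname)."""
    m = MODELINE_RE.search(line)
    if not m:
        return []
    found = []
    for token in re.split(r"[\s:]+", m.group(1)):
        if token.startswith(("spelllang=", "spl=")):
            value = token.split("=", 1)[1]
            if "/" in value or "\\" in value:
                found.append(value)
    return found
```

Run `check_spell_file(NAUGHTY_SPL)` to see the single section whose declared length dwarfs the two bytes that follow it; the modeline helper flags the trigger line quoted in the mail while leaving `spelllang=en_us` alone.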