CVE-2008-4101: Input Validation
First published: Thu Sep 11 2008(Updated: )
Description of problem: Ben Schmidt has discovered the following security flaw in Vim, which could lead to arbitrary code execution. Insufficient sanitization can lead to Vim executing arbitrary commands when performing keyword or tag lookup. Flaw description pasted from original rdancer.org report (see [1]): 3.1. Keyword Lookup -- The ``K'' Command 3.1.1. Shell Commands and Ex Commands Because the string passed to the shell for execution is not sanitized, it is possible to specify arbitrary shell commands where Vim expects an argument for the keyword program. Same applies to arbitrary Ex commands. 3.1.2. Keyword Program Command Line Switches It is possible to specify command line switches for the keyword program in place of the argument. The gravity of this vulnerability depends on the keyword program selected. GNU man, the default keyword program in many installations, supports for example the ``--pager'' option (cf. the GNU man(1) manual page). This allows arbitrary command execution. 3.2. Tag Lookup -- the ``Control-]'' and ``g]'' Commands Insufficient sanitization of an Ex command argument allows specifying additional arbitrary Ex commands in place of the argument. 3.3. Unknown Shell/Keyword Program Because the syntax of the shell that is being used to execute the commands is not known beforehand, there may be other unknown vulnerabilities, that are present depending on the shell being used. Ditto for the man(1) program, and other keyword programs. Version-Release number of selected component (if applicable): 3.0--current, possibly older How reproducible: Always Steps to Reproduce: 1. See part "4.EXPLOIT" from the original rdancer.org report [1] Actual results: Arbitrary code execution possible Expected results: No security flaw present. References: [1] <a href="http://www.rdancer.org/vulnerablevim-K.html">http://www.rdancer.org/vulnerablevim-K.html</a> Proposed patch: Report: <a href="http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2">http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2</a> Patch: <a href="http://groups.google.com/group/vim_dev/attach/dd32ad3a84f36bb2/K-arbitrary-command-execution.patch?part=2">http://groups.google.com/group/vim_dev/attach/dd32ad3a84f36bb2/K-arbitrary-command-execution.patch?part=2</a> RH SRT official statement: This issue affects all versions of the vim-enhanced package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5 and within Fedora releases of 8, 9 and 10.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vim Vim | =5.7 | |
| Vim Vim | =6.4 | |
| Vim Vim | =3.0 | |
| Vim Vim | =6.3 | |
| Vim Vim | =5.4 | |
| Vim Vim | =7.1 | |
| Vim Vim | =7.0 | |
| Vim Vim | <=7.2 | |
| Vim Vim | =5.2 | |
| Vim Vim | =5.3 | |
| Vim Vim | =5.5 | |
| Vim Vim | =6.2 | |
| Vim Vim | =5.8 | |
| Vim Vim | =6.0 | |
| Vim Vim | =5.6 | |
| Vim Vim | =6.1 | |
| Vim Vim | =5.1 | |
| Vim Vim | =5.0 | |
| Vim Vim | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://groups.google.com/group/vim_dev/attach/dd32ad3a84f36bb2/K-arbitrary-command-execution.patch?part=2
- http://groups.google.com/group/vim_dev/browse_thread/thread/1434d0812b5c817e/6ad2d5b50a96668e
- http://www.openwall.com/lists/oss-security/2008/09/11/4
- http://www.openwall.com/lists/oss-security/2008/09/16/5
- http://ftp.vim.org/pub/vim/patches/7.2/7.2.010
- http://www.rdancer.org/vulnerablevim-K.html
- http://www.openwall.com/lists/oss-security/2008/09/16/6
- http://groups.google.com/group/vim_dev/msg/9290f26f9bc11b33
- https://bugzilla.redhat.com/show_bug.cgi?id=461927
- http://groups.google.com/group/vim_dev/attach/9290f26f9bc11b33/K-arbitrary-command-execution.patch.v3?part=2
- http://www.openwall.com/lists/oss-security/2008/09/11/3
- http://www.securityfocus.com/bid/31681
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
- http://support.apple.com/kb/HT3216
- http://secunia.com/advisories/32222
- http://secunia.com/advisories/33410
- http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm
- http://www.ubuntu.com/usn/USN-712-1
- http://www.redhat.com/support/errata/RHSA-2008-0617.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
- http://www.redhat.com/support/errata/RHSA-2008-0580.html
- http://www.securityfocus.com/bid/30795
- http://www.securityfocus.com/archive/1/495662
- http://www.securityfocus.com/archive/1/495703
- http://support.avaya.com/elmodocs2/security/ASA-2008-457.htm
- http://www.vmware.com/security/advisories/VMSA-2009-0004.html
- http://www.vupen.com/english/advisories/2009/0904
- http://secunia.com/advisories/31592
- http://support.apple.com/kb/HT4077
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://www.vupen.com/english/advisories/2009/0033
- http://www.vupen.com/english/advisories/2008/2780
- http://secunia.com/advisories/32858
- http://secunia.com/advisories/32864
- http://www.redhat.com/support/errata/RHSA-2008-0618.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44626
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5812
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10894
- http://www.securityfocus.com/archive/1/502322/100/0/threaded
- http://groups.google.com/group/vim_dev/msg/dd32ad3a84f36bb2
- http://rhn.redhat.com/errata/RHSA-2008-0580.html
- http://rhn.redhat.com/errata/RHSA-2008-0617.html
- http://rhn.redhat.com/errata/RHSA-2008-0618.html
- https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
- https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-4101
- agent/tags
- agent/trending
- vendor/vim
- canonical/vim vim
- version/vim vim/5.7
- version/vim vim/6.4
- version/vim vim/3.0
- version/vim vim/6.3
- version/vim vim/5.4
- version/vim vim/7.1
- version/vim vim/7.0
- version/vim vim/7.2
- version/vim vim/5.2
- version/vim vim/5.3
- version/vim vim/5.5
- version/vim vim/6.2
- version/vim vim/5.8
- version/vim vim/6.0
- version/vim vim/5.6
- version/vim vim/6.1
- version/vim vim/5.1
- version/vim vim/5.0
- version/vim vim/4.0