numirias / security

Some of my security stuff and vulnerabilities. Nothing advanced. More to come.

Home Page: https://twitter.com/rawsec


Not working for Mac osx


Hi,

The modeline is by default enabled on Mac OS X. However, both payloads stated in your advisory are not working for Mac with outdated Vim version. They work fine on Ubuntu OS. Is it possible that the implementation of Vim is different? Can you take a look at what happened?

Using the default vimrc on
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
the exploit won't run for me, either.

As to why:

    [fd:~] $ grep modeline /usr/share/vim/vimrc

outputs

    set modelines=0 " CVE-2007-2438

Is the poc.txt just a different version of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438 ?

Concise version of CVE-2007-2438

"writefile(), feedkeys() and system() were not filtered"

Now we have

execute() and assert_fails() are problematic when used with modelines, too (CVE-2019-12735)

> Is the poc.txt just a different version of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438 ?
>
> Concise version of CVE-2007-2438
>
> "writefile(), feedkeys() and system() were not filtered"
>
> Now we have
>
> execute() and assert_fails() are problematic when used with modelines, too (CVE-2019-12735)

@fdenzer That's not entirely correct. The cmd argument to execute() still runs in the sandbox. The loophole exists due to how the :source! command works. execute() and assert_fails() are just helpers to run :source!.

> The modeline is by default enabled on Mac OS X. However, both payloads stated in your advisory are not working for Mac with outdated Vim version. They work fine on Ubuntu OS. Is it possible that the implementation of Vim is different? Can you take a look at what happened?

@innoland I don't use MacOS. While modeline is enabled in Vim by default, some distros ship with a default vimrc which disables the option. It seems @fdenzer has confirmed that for MacOS. To run the PoC, you need to make sure modeline is on, and modelines is not 0.


@numirias I can confirm https://github.com/numirias/security/blob/master/data/2019-06-04_ace-vim-neovim/poc.txt is not working on MacOS with modelines explicitly enabled. vim version shows:

VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Feb 22 2019 19:03:04)
Included patches: 1-503, 505-680, 682-1283

@diracdeltas Odd, let's find out why. Could you please do this:

  • Create a file foo with this exact content:

    vim: set textwidth=55:
    
  • Open the file in vim.

  • Provide the output of these commands:

    :verbose set modeline? modelines? textwidth?
    :version
    

@diracdeltas Also make sure you're not building the tiny or small version which misses features like eval.


@numirias I'm using the default vim that comes with MacOS Mojave

Following your steps:

  modeline
        Last set from ~/.vimrc
  modelines=0
        Last set from /usr/share/vim/vimrc
  textwidth=79
        Last set from ~/.vimrc
VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Feb 22 2019 19:03:04)
Included patches: 1-503, 505-680, 682-1283
Compiled by root@apple.com
Normal version without GUI.  Features included (+) or not (-):
+acl             +dialog_con      +job             -mouse_sgr       -rightleft       -toolbar
-arabic          +diff            +jumplist        -mouse_sysmouse  +ruby/dyn        +user_commands
+autocmd         +digraphs        -keymap          -mouse_urxvt     +scrollbind      +vertsplit
-balloon_eval    -dnd             +lambda          +mouse_xterm     +signs           +virtualedit
-browse          -ebcdic          -langmap         +multi_byte      +smartindent     +visual
+builtin_terms   -emacs_tags      +libcall         +multi_lang      +startuptime     +visualextra
+byte_offset     +eval            +linebreak       -mzscheme        +statusline      +viminfo
+channel         +ex_extra        +lispindent      +netbeans_intg   -sun_workshop    +vreplace
+cindent         +extra_search    +listcmds        +num64           +syntax          +wildignore
-clientserver    -farsi           +localmap        +packages        +tag_binary      +wildmenu
-clipboard       +file_in_path    -lua             +path_extra      +tag_old_static  +windows
+cmdline_compl   +find_in_path    +menu            -perl            -tag_any_white   +writebackup
+cmdline_hist    +float           +mksession       +persistent_undo -tcl             -X11
+cmdline_info    +folding         +modify_fname    +postscript      -termguicolors   -xfontset
+comments        -footer          +mouse           +printer         -terminal        -xim
-conceal         +fork()          -mouseshape      -profile         +terminfo        -xpm
+cryptv          -gettext         -mouse_dec       +python/dyn      +termresponse    -xsmp
+cscope          -hangul_input    -mouse_gpm       -python3         +textobjects     -xterm_clipboard
+cursorbind      +iconv           -mouse_jsbterm   +quickfix        +timers          -xterm_save
+cursorshape     +insert_expand   -mouse_netterm   +reltime         +title
   system vimrc file: "$VIM/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H   -DMACOS_X_UNIX  -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc   -L/usr/local/lib -o vim        -lm -lncurses  -liconv -framework Cocoa

I assume the problem is that the system default is modelines=0 and it has to be a positive integer for modelines to be executed? I wasn't aware of that previously, thanks!


Confirmed that setting modelines=1 in ~/.vimrc makes the first PoC work
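As an added example, not code from the numirias/security repository or from anyone in this thread, the script below turns the diagnosis reached above into a repeatable check: it replays the modeline-related `:set` lines of a vimrc (so `set modelines=0 " CVE-2007-2438` in the system file and a later `set modelines=1` in `~/.vimrc` combine the way Vim applies them), parses `:verbose set modeline? modelines? textwidth?` output like the one posted, and reports which lines of a file Vim would actually read as modelines, which is only ever the first and last `'modelines'` lines. The vimrc contents, probe file and verbose output are constructed from the lines quoted in this thread; the simplified modeline grammar (no versioned `vim700:` forms, no `setlocal`) is an assumption of this example, not Vim's full parser.

```python
"""Audit whether a Vim configuration honours modelines and which lines of a
file Vim would read as modelines.  Added example, not project code."""
import re

# Vim's built-in defaults (:help 'modeline', :help 'modelines'); the root
# special case ('modeline' off for root) is not modelled here.
DEFAULTS = {"modeline": True, "modelines": 5}

_SET_RE = re.compile(r'^\s*(?:set|se)\s+(.+)$')
_BOOL_OPTS = {"modeline"}
# Simplified modeline grammar (assumption): versioned forms like vim700: are not handled.
_ML_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$')


def apply_vimrc(text, state=None):
    """Replay the modeline-related :set commands of one vimrc onto state.
    Vim sources the system vimrc before ~/.vimrc; call once per file in that
    order so the later file wins, exactly as in the thread."""
    state = dict(DEFAULTS if state is None else state)
    for raw in text.splitlines():
        line = raw.split('"', 1)[0]  # drop a trailing " comment
        m = _SET_RE.match(line)
        if not m:
            continue
        for opt in m.group(1).split():
            if opt in ("modeline", "ml"):
                state["modeline"] = True
            elif opt in ("nomodeline", "noml"):
                state["modeline"] = False
            elif opt.startswith(("modelines=", "mls=")):
                state["modelines"] = int(opt.split("=", 1)[1])
    return state


def parse_verbose_set(output):
    """Parse ':verbose set opt? ...' output into
    {option: {"value": ..., "source": file-or-None}}."""
    parsed, current = {}, None
    for raw in output.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith("Last set from"):
            if current is not None:
                parsed[current]["source"] = s[len("Last set from"):].strip()
            continue
        name, _, value = s.partition("=")
        if value:                                    # number/string option
            current = name
            value = int(value) if value.lstrip("-").isdigit() else value
        elif name.startswith("no") and name[2:] in _BOOL_OPTS:
            current, value = name[2:], False          # e.g. "nomodeline"
        else:
            current, value = name, True               # e.g. "modeline"
        parsed[current] = {"value": value, "source": None}
    return parsed


def modelines_honoured(state):
    """Vim reads modelines only when 'modeline' is on AND 'modelines' > 0;
    the macOS system vimrc's 'set modelines=0' (the CVE-2007-2438
    mitigation) is therefore enough to block the PoC on its own."""
    return bool(state["modeline"]) and int(state["modelines"]) > 0


def find_modelines(text, state):
    """Option strings of the modelines Vim would read from text, looking
    only at the first and last 'modelines' lines."""
    if not modelines_honoured(state):
        return []
    lines = text.splitlines()
    n = state["modelines"]
    window = lines if len(lines) <= 2 * n else lines[:n] + lines[-n:]
    found = []
    for line in window:
        m = _ML_RE.search(line)
        if not m:
            continue
        rest = m.group(1)
        sm = re.match(r'se(?:t)?\s+(.*)$', rest)
        if sm:  # "vim: set opts:" form ends at the first unescaped ':'
            opts = re.split(r'(?<!\\):', sm.group(1), maxsplit=1)[0]
        else:   # "vim: opts" form runs to the end of the line
            opts = rest
        found.append(opts.strip())
    return found


# Constructed samples modelled on the thread: the macOS system vimrc line, a
# ~/.vimrc that re-enables modelines, the probe file, and the posted output.
SYSTEM_VIMRC = 'set modelines=0 " CVE-2007-2438\n'
USER_VIMRC = "set modeline\nset modelines=1\n"
PROBE_FILE = "vim: set textwidth=55:\n"
VERBOSE_OUTPUT = (
    "  modeline\n        Last set from ~/.vimrc\n"
    "  modelines=0\n        Last set from /usr/share/vim/vimrc\n"
    "  textwidth=79\n        Last set from ~/.vimrc\n"
)


def audit(system_vimrc, user_vimrc, text):
    """Effective state after both vimrcs plus the modelines Vim would read."""
    state = apply_vimrc(user_vimrc, apply_vimrc(system_vimrc))
    return state, find_modelines(text, state)


if __name__ == "__main__":
    print("system vimrc only:", audit(SYSTEM_VIMRC, "", PROBE_FILE))
    print("with ~/.vimrc    :", audit(SYSTEM_VIMRC, USER_VIMRC, PROBE_FILE))
    print("from :verbose set:", parse_verbose_set(VERBOSE_OUTPUT))
```

Running it reproduces the thread: with only the system vimrc the probe file yields no modelines at all, and after `~/.vimrc` sets `modelines=1` the `textwidth=55` modeline is read. The window logic also shows why a modeline placed in the middle of a file is ignored regardless of the option: it never lands in the first or last `'modelines'` lines.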