Vim and Neo Editors Vulnerable To High-Severity Bug

JustAnotherOldGuy quotes Threatpost: A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allow remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor. Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neowim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution...

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, "allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline."

"Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelinesplugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," the researcher said.

Clicking in vim?

[habig]

I thought the whole point of vi was to be mouse-free...

Re:

[Anonymous Coward]

vim stands for "vi improved", which apparently means lots of clicki and bunti added.

(Me, I can't stand the thing so I stick to nvi.)

Also, EditorDavid: That's "vim and neovim", not "vim and neo"; neo is something different again. Please for to fixing.

Re:

[MrKaos]

I thought the whole point of vi was to be mouse-free...

Not necessarily. When I combine vim with a mouse I can highlight text and instantly middle button paste it into a cw (change word), a search, or a regex in vim. That means I can also have secondary cut/paste buffers between Neo/Vim and say Firefox when I use ctrl C/V.

So for example if I'm using vim I can set up a regex that looks for Bram with a middle click looks for an occurrence of Moolenaar with a UI paste then replaces it with da man so:

:g/Bram/ s/Moolenaar/da man/gc

It means less keyboard and mous

Clicking on a file

[paulatz]

"exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file"

I've been using vim for more than 20 years, I have never once clicked it on a file, whatever that may mean

Re:

[BorisAmmerlaan]

X-integration? In the command line? What socery is this?

Re:

[TechyImmigrant]

This.
I wasn't even aware that it was possible to use the mouse for anything in vim.

set mouse=a

Re:Clicking on a file

[93 Escort Wagon]

I've been using vim for more than 20 years, I have never once clicked it on a file, whatever that may mean

What it means is - the Threatpost author is a Windows user who conflates “opening” with “clicking”. What the reasearcher actually wrote is:

“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.”

Re:

[dissy]

I've been using vim for more than 20 years, I have never once clicked it on a file, whatever that may mean

[ESC] :%s~click on file~execute vim with argv1 parameter being an existing text file~g [Enter]

That should help

Riculous!yes, you can execute commands from within

[stanbrown]

Yes, you can execute commands from within vim, or any vi like editor. It is part of the basic workflow. Disabling this functionality would disrupt many peopleâ(TM)s basic workflow. Also these commands are all executed as the user.

This is why...

[The Grim Reefer]

This is why emacs is my OS, I mean text editor. ;-)

Re:

[Aighearach]

No. evil-mode is not actually an embedded vim, it is just an emulator with vim key bindings.

http://cachestocaches.com/2016... [cachestocaches.com]

Emacs is better at Vim than Vim is. :)

Re:

[Aighearach]

Good catch. As all slashdot readers know, OSs are things like widows, Linux and so forth. I wouldn't have thought emacs would be considered an OS

Yeah, emacs is not an OS, it merely contains an OS.

But Forth probably is an OS. Just a really small one.

Not fixed in macOS yet!

[pdxtabs]

Be careful, make sure that modeline is turned off!

LOOKS fixed in MacOS 10.12.5

[Anonymous Coward]

This [fandom.com] says

Vim executes a modeline only if all of the following apply:

'modeline' is set to "modeline" (not "nomodeline")
'modelines' is set to a positive integer (not "0")
You are not root.

Captcha: doomed
This [stackoverflow.com] says that as of MacOS 10.12.5 /usr/share/vim/vimrc says

" Configuration file for vim
set modelines=0 " CVE-2007-2438

Ergo, modelines is note a postive integer so it won't work.

If you have a Mac, test it and see what happens.

Works without clicking

[xarragon]

This really IS a working exploit which has NOTHING to do with clicking. Simply paste this line into a text file and open it in vim; it will execute uname -a as your user:

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Source: https://github.com/numirias/se... [github.com]

You need to add this to your vimrc or upgrade vim to fix it:

set modelines=0
set nomodeline

Fancier versions will replace the vim buffer contents so the exploit code is not visible once opened.

Re:Works without clicking

[Aighearach]

If you want to check if you're vulnerable by default, you can do:
:set modeline?

From inside vim and if it says "nomodeline" then you're safe.

For example, I checked on Fedora 23 and Centos 7.5 and they're not vulnerable unless you take some action to turn on modeline.

Re:

[Anonymous Coward]

"Debian, Ubuntu, Gentoo, OSX, etc. by default disable modelines for security reasons." -- Modeline magic [fandom.com]. Ie, paranoia about possibly abuse-able features sometimes pays off.

Re:

[Aighearach]

That's a feature. Change introduces security bugs. Fixing those bugs requires additional changes.

The later period before EOL, nobody is adding features. They're only fixing bugs.

A distro well-past EOL is old enough that most of the new security problems don't even affect it! There is a big "danger zone" for security problems, and it starts with the very latest code, and it goes down over time.

Also if you broadly engage in security hygiene, you might never be vulnerable to notable exploits. Very few exploits

Ed - someone gotta say it...

[Anonymous Coward]

Fortunately, ed is the standard editor.

Note that Emacs is immune

[SuperKendall]

They tried to craft the same attack in Emacs, but gave up when they realized they could not determine where Emacs ended and the OS began.

Well that and they forgot to enter M-x open-attack-vector-mode

Re:

[Aighearach]

Even more challenging about the emacs source code is the question: Where does LISP end and C begin?

Re:

[zwarte piet]

Emacs is integrated in SystemD now

less -S for unknown files

[Anonymous Coward]

do people really load unknown files in their text editor without looking at them with something like "less -S" first?

Final Straw!

[pi_rules]

That's it! I'm ditching vim for VSCode!

(Actually with the new remote connection tools that let you edit over ssh and the vim plugin VSCode makes a decent Python editor. I -am- actually using it these days here and there. I still find myself in vim a lot though, sometimes even in the terminal session inside VSCode.)

My word...

[Gojira Shipi-Taro]

The vi vs emacs war is getting out of hand...

It needs to be said

[helpfulcorn]

Both vi(m) and emacs suck and there are countless better text editors and IDEs and so on, they can't do the job as well as a good IDE, and no Sublime Text isn't even on my radar despite the weird cultish claims. That doesn't mean they aren't useful, hell, in the last 25 years I've had to use vi countless times to edit things, largely so I can prep a system to install a better text editor before moving on.

Other than that nano/pico, ee, PhpStorm, IntelliJ IDEA, and RubyMine pretty much cover everything very

Re:

[angel'o'sphere]

I usually have a vim-plugin in my Eclipse IDE ... have to check if there is one for IntelliJ.

Nano and pico are as text editors simply to primitiv, but ok for casual users.

Putting IDEs in graphical environments together with console based text editors makes not much sense anyway. I guess if you would configure vim correctly (like x-tags, where x is your language), it would be nearly as powerful as a real IDE. For IDE work, and much more powerful for text work.

Re:

[helpfulcorn]

Honest question: I've heard about people using vim plugins in GUI IDEs, what benefits do you see in general, and is it a way to avoid using the mouse or is it a visual thing? I've never installed one.

Re:

[angel'o'sphere]

It is simply the commands.

Everything is done with a keyboard short cut which you actually can memorize.

f-) ...f means find, I put a ')' so the command jumps to the next closing ) in the same line

The first thing is always "what" you want to do as in find/delete/insert/change
The second part refers to a "movement" or "text snippet" as in word, line or a character.

d means delete
dd deletes a line - simply doubelling the first char always refers to a line

And now comes one of the fine things:
d-f-)

D, for delete. So

Re:

[helpfulcorn]

I'm not an expert on vim, but why isn't find also / or n as it is in vim. Is it just a similar style of commands and control rather than being a sort of vim command overlay for shortcuts?

Re:

[pi_rules]

f finds the next occurrence of the next character you type on the line you're already on.

/ will search from where you are through the rest of the file for a string or regex pattern

Re:

[Anonymous Coward]

The first thing is that the Vim keyboard shortcuts are simple yet modular. When you learn it properly, it's like learning a special language for communicating with your text editor. For instance "ci(" means "change inside ()", which deletes all text within the nearest enclosing parentheses, and places you into input mode. Other examples are "dt)" for "delete till )", "vip" for "visual selection inside paragraph", and "d3j" which means "delete three lines below" . Once you learn the basics, you can accomplis

Re:

[caseih]

Thank goodness most IDEs support plugins that give me VIM keybindings!

I'm not fast or slow using vim. I'm just comfortable. And that makes me more productive. Why do I need to care about your evidence?

When I was first learning vim, I remember watching someone who'd used vi for 30 years edit some code and it was pretty impressive. Especially the speed at which he could cut and paste without using a mouse. Occasionally I'd ask him how he did things and he'd say, you know I'm not sure. And then he'd do it r

Re:

[helpfulcorn]

I didn't provide any evidence at all. But something that did happen in reality is I actually replied to another person in this thread with questions about vim plugins, because I am curious about why people use them, the purpose, the benefits, etc. Sure blog posts out there which are rewrites of other blog posts will provide vague anecdotes, but I have enough of those in my own life. You did provide me with some useful information though.

Re:

[caseih]

I don't think VI-like editing is for everyone. But for some it becomes rather comfortable. I really like having two modes. I love that I can yank words and lines and repaste them so quickly in ViM. I love how commands can be modified in similar ways to repeat them. For example, y6 will yank (copy) 6 lines of text. Knowing that, and knowing that dd deletes a line of text, it's not surprising that d6 will delete 6 lines of text.

I love how when my cursor is in the middle of a line and I want to insert text

Re:

[JustAnotherOldGuy]

Occasionally I'd ask him how he did things and he'd say, you know I'm not sure. And then he'd do it real slow so we could see what was going on.

Lol, okay that gave me a chuckle.

Yeah, I feel the same way with some tools- I'm banging along and someone says, wait, what command did you just use? and I'm like "ummmm, I don't know, let me do it again."

Re:

[johnw]

I had a similar experience the other day.

I do most of my programming on a completely blank keyboard - no legends on any of the keys. I don't look at it, I just use it.

The only thing which trips me up is typing unfamiliar passwords. There's a big tendency to look at the keyboard, and if I do that then I'm lost. If I can remember to type it without looking down then I'm fine.

The other day a question came up in a quiz - "Which key is to the right of Z?" - and I hadn't a clue. I couldn't even tell you where

Emacs is amazing

[SuperKendall]

I remember hearing about the vi vs emacs thing back on Usenet so long ago, and I didn't understand it then, and I especially don't get it now..

I mostly use modern editors as I use Xcode.

But even now I HAVE to switch back to Emacs sometimes because no other editor is as capable. If you want to load very, very large files and look through the contents in hex Emacs is where you go. If you want to edit multiple sections of a document (or maybe across several documents) there is absolutely nothing like the Ema

Re:

[helpfulcorn]

Well I didn't want to start a whole thing and wanted my bias to clearly be hating both, but out of the two, I always did like emacs better, but I could never find a real good use case for it, for myself at least, and as I said I only used vi(m) out of necessity on Unix or Linux.

Re:

[jimbo]

Yes! The EMacs macro recording is a gift from the great FSM, praised be His Noodly Appendages!

I was disappointed to see that the so called programming editor Atom doesn't support macro recording. Well, that was years ago, maybe they've smartened up by now...

Re:

[helpfulcorn]

Some of us have to get things done on remote servers, often under circumstances where our preference for editors is irrelevant.

I pretty much covered that.

I've had to use vi countless times to edit things, largely so I can prep a system to install a better text editor before moving on.

Largely doesn't mean always.

Re:

[gweihir]

You make absolute statements that make no sense. Are you a fanatic? Because you very much sound like one.

To sane people, which editor to use is a personal choice, and decidedly not _your_ choice.

Re:

[helpfulcorn]

Are you a fanatic? Because you very much sound like one.

Yes.

To sane people, which editor to use is a personal choice, and decidedly not _your_ choice.

No shit, I never said it wasn't a personal choice, and nice nonsensical statement claiming that it's not my choice what people use, that's just weak politician-style bullshit jargon speak to always win an argument. it's pretty clear that from what I said and my follow up comments that it's my opinion.

I'm sorry you couldn't understand it, even though other people who replied clearly could, so maybe you should work on that, or should I say "you must work on that" so that your next reply won't read like a

Re:

[gweihir]

You should read your posting again.

That is not a "remote attack"

[gweihir]

This attack requires user assistance to execute the attack code and at that time it is a _local_ attack. This Razmjou guy seems to be pretty incompetent.

Re:

[apoc.famine]

The fact that he wrote "tricking a target into clicking on a specially crafted text file" didn't give it away first?

Re:

[gweihir]

The fact that he wrote "tricking a target into clicking on a specially crafted text file" didn't give it away first?

It did. But it could have been an incompetent submitter, not the original person of limited insight.