Security researcher Armin Razmjou has discovered a serious vulnerability in two well-known text editors shipped with most Linux distributions: Vim and Neovim.
The vulnerability, CVE-2019-12735, has a high severity score because it allows an attacker to execute commands on the operating system remotely and take control of it. In fact, a single command is enough to bypass the protection of the Vim sandbox.
Vim is a legendary command-line editor and a favorite of programmers. Neovim is a fork that aims to offer a hyperextensible alternative that solves many of the complaints some people have about classic Vim. Both are exposed to this vulnerability because they handle 'modelines' in the same way.
Modelines
If an attacker crafts a special file, simply opening it in either editor is enough for the attacker to compromise your Linux system by executing arbitrary commands remotely.
This code-execution flaw lies specifically in the way Vim handles 'modelines', a feature that is enabled by default and offers the user a way to set file-specific variables, even for a plain .txt file.
With a 'modeline' you can apply a set of personalized settings placed in the lines near the beginning or end of a document. Although Vim uses a sandbox to isolate the editor and prevent it from executing a 'modeline' containing unsafe expressions, it was discovered that the ':source!' command can be used to bypass the sandbox.
This command reads and executes the commands in a given file as if they had been typed manually, running them after the sandbox has been left.
It is recommended to apply the patches: version 8.1.1365 for Vim and v0.3.6 for Neovim. In addition, it is recommended to disable 'modelines' in your vimrc, to use the securemodelines plugin, or to disable modelineexpr so that expressions are not allowed in 'modelines'.
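As an added defensive example (not from the advisory or the Vim project), the following Python scanner mimics where Vim looks for modelines (the first and last five lines, in the two syntaxes from :help modeline) and flags any modeline that sets an expression-evaluating option or invokes :source!, which is the class of settings that securemodelines and 'nomodelineexpr' refuse to honour. The sample files and the name SomeFunc are constructed for the example.

```python
import re

# Vim checks the first and last 'modelines' lines of a file (default 5).
MODELINES = 5

# Simplified form of the two modeline syntaxes Vim accepts (:help modeline):
#   [text]{white}{vi:|vim:|ex:}[white]{options}
#   [text]{white}{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:se(?:t)?\s+)?(?P<opts>.*)$")

# Options whose value Vim evaluates as an expression; securemodelines and
# 'nomodelineexpr' refuse to set these from a modeline.
EXPR_OPTIONS = {
    "foldexpr", "fde", "formatexpr", "fex", "includeexpr", "inex",
    "indentexpr", "inde", "foldtext", "fdt", "statusline", "stl",
    "tabline", "tal", "rulerformat", "ruf", "balloonexpr", "bexpr",
}


def find_modelines(lines):
    """Return (1-based line number, option text) for each line Vim would parse as a modeline."""
    n = len(lines)
    window = set(range(min(MODELINES, n))) | set(range(max(n - MODELINES, 0), n))
    found = []
    for i in sorted(window):
        m = MODELINE_RE.search(lines[i])
        if m:
            found.append((i + 1, m.group("opts")))
    return found


def is_suspicious(opts):
    """True if the option text invokes :source! or sets an expression option."""
    if re.search(r"\bso(?:urce)?!", opts):
        return True
    for token in re.split(r"[\s:]+", opts):          # options are separated by blanks or ':'
        name = re.match(r"[A-Za-z]*", token).group(0)  # option name precedes '=' or '!'
        if name in EXPR_OPTIONS:
            return True
    return False


def scan(lines):
    """Return the modelines in `lines` that a hardened setup would refuse to apply."""
    return [(no, opts) for no, opts in find_modelines(lines) if is_suspicious(opts)]


# Constructed sample files (not from the advisory).
SAFE_FILE = ["#!/usr/bin/env python3", "# vim: set ts=4 sw=4 et:", "print('hello')"]
EXPR_FILE = ["/* header */", "// vim: set fdm=expr fde=SomeFunc():", "int x;"]
LATE_FILE = ["line %d" % i for i in range(1, 13)]
LATE_FILE[6] = "# vim: set fde=SomeFunc():"  # line 7 of 12: outside Vim's 5-line window
```

Run `scan()` over a file's lines before opening it, or feed it the output of `git diff --name-only` in CI, to catch modelines that a user with modelines still enabled would otherwise execute.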