A security researcher has discovered a critical vulnerability in the Vim and Neovim command-line text editors on Linux.
The flaw is an arbitrary OS command execution vulnerability that can be exploited by tricking a user into opening a specially crafted text file in the Vim or Neovim editor.
“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.”
The vulnerability stems from the way Vim handles modeline options. The modeline feature lets a file specify custom editor options near its start or end; it is enabled by default and applies to all file types.
For security reasons, only a subset of options is permitted in modelines, and if an option value contains an expression, that expression is evaluated in a sandbox.
“However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left,” the security advisory says.
By tricking a user into opening a specially crafted text file in Vim or Neovim, attackers can silently execute commands on the user's Linux system and take control of it remotely.
Razmjou also released two proof-of-concept exploits to the public and shared a demo video of the attack.
Razmjou recommends that users:
- Disable modelines in the vimrc
- Use the securemodelines plugin
- Disable modelineexpr to disallow expressions in modelines
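As an added, defender-side example (not code from the article or from the advisory), the Python below mirrors Vim's modeline lookup rules to triage text files before they are opened: it reports every modeline in the window Vim actually inspects and separately flags those that set expression-valued options, the class of option that the modelineexpr setting above gates. The modeline forms and option names come from Vim's documentation; the sample files are constructed.

```python
import re

# Vim honours modelines only in the first and last 'modelines' lines of a
# file (default 5), so the scanner mirrors that window rather than the whole file.
MODELINES_WINDOW = 5

# Both documented modeline forms (plus the vim<NNN:/vim=NNN:/vim>NNN: prefixes):
#   [text ]{vi:|vim:|ex:}[white]{options}
#   [text ]{vi:|vim:|Vim:|ex:}[white]set {options}:[text]
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im[<=>]?\d*|ex):\s*(?P<opts>.*)$")

# Subset of options whose values Vim evaluates as expressions (long and short
# names); 'modelineexpr' is the switch that forbids setting them from a modeline.
EXPR_OPTIONS = {"foldexpr", "fde", "foldtext", "fdt", "formatexpr", "fex", "includeexpr",
                "inex", "indentexpr", "inde", "statusline", "stl", "tabline", "tal", "titlestring"}


def find_modelines(text, window=MODELINES_WINDOW):
    # (line_number, option_string) for each line inside Vim's window that looks like a modeline.
    lines = text.splitlines()
    n = len(lines)
    idx = range(n) if n <= 2 * window else [*range(window), *range(n - window, n)]
    matches = [(i + 1, MODELINE_RE.search(lines[i])) for i in idx]
    return [(lineno, m.group("opts").strip()) for lineno, m in matches if m]


def option_names(opts):
    # 'set ts=4 sw=4 et:' -> ['ts', 'sw', 'et']; tokens are split on whitespace or ':'.
    body = re.sub(r"^(?:se|set)\s+", "", opts)
    matches = (re.match(r"[A-Za-z]+", tok) for tok in re.split(r"[\s:]+", body))
    return [m.group(0) for m in matches if m]


def triage(text):
    # Every modeline, plus the subset that sets an expression-valued option.
    modelines = find_modelines(text)
    expr = [(lineno, name) for lineno, opts in modelines
            for name in option_names(opts) if name in EXPR_OPTIONS]
    return {"modelines": modelines, "expression_options": expr}


# Constructed samples (not from the advisory): a benign modeline, and a file whose
# trailing modeline sets an expression option with a deliberately inert value.
BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"
SUSPICIOUS = "text\n" * 10 + "/* vim: set foldexpr=0 : */\n"
```

A modeline outside the first or last five lines is ignored by Vim and therefore not reported, which the window logic reproduces on purpose.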