SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Vim Vendors:   Vim.org
(SCO Issues Fix for OpenLinux) Vim Folding Expression Modeline Lets Remote Users Execute Arbitrary Shell Commands on the Target User's System
SecurityTracker Alert ID:  1009640
SecurityTracker URL:  http://securitytracker.com/id/1009640
CVE Reference:   CVE-2002-1377   (Links to External Site)
Date:  Apr 2 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0, 6.1
Description:   A vulnerability was reported in the Vim editor. A remote user can create a text file that, when opened by the target user with vim, will execute arbitrary commands on the target user's system.

In December 2002, Georgi Guninski reported that a remote user can create a text file containing a malicious folding expression modeline that invokes libcall() to execute shell commands.

A demonstration exploit file is provided in the Source Message.

The vendor was reportedly notified on November 25, 2002.

Impact:   A remote user can cause arbitrary shell commands to be executed by the target user when the target user opens a malicious file for editing. The commands will run with the privileges of the target user.
Solution:   SCO has issued the following fixes.

OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/RPMS

Packages

2eaf8ff7d07ae09123dff2c16e68df5f vim-6.2-1.i386.rpm
b9872220a38cad8103089dfe600a188d vim-X11-6.2-1.i386.rpm
ec819c86427a02d6c8971ca6567efedd vim-help-6.2-1.i386.rpm
7ff1f641f70fc8fb216e2d683b814400 vim-i18n-6.2-1.i386.rpm

Installation

rpm -Fvh vim-6.2-1.i386.rpm
rpm -Fvh vim-X11-6.2-1.i386.rpm
rpm -Fvh vim-help-6.2-1.i386.rpm
rpm -Fvh vim-i18n-6.2-1.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/SRPMS

Source Packages

236756ca0c61400c475c8d84622ade61 vim-6.2-1.src.rpm


OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/RPMS

Packages

2ebcc5f8e7b0d893b058fc241c7844b5 vim-6.2-1.i386.rpm
a75f8d7349cfa8e1cb6ba23a0267a7e1 vim-X11-6.2-1.i386.rpm
f618eaf8d81f2a8ac85ad9c517c28ae5 vim-help-6.2-1.i386.rpm
cc12e062b2f69bbf2a6c861e0da0749b vim-i18n-6.2-1.i386.rpm

Installation

rpm -Fvh vim-6.2-1.i386.rpm
rpm -Fvh vim-X11-6.2-1.i386.rpm
rpm -Fvh vim-help-6.2-1.i386.rpm
rpm -Fvh vim-i18n-6.2-1.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/SRPMS

Source Packages

85709bfff745aeda4f4aa090cee834e7 vim-6.2-1.src.rpm

Vendor URL:  www.vim.org/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  3.1.1

Message History:   This archive entry is a follow-up to the message listed below.
Feb 11 2004 Vim Folding Expression Modeline Lets Remote Users Execute Arbitrary Shell Commands on the Target User's System



 Source Message Contents

Subject:  [Full-Disclosure] OpenLinux: vim arbitrary commands execution through modelines



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: vim arbitrary commands execution through modelines
Advisory number: 	CSSA-2004-015.0
Issue date: 		2004 March 30
Cross reference:	sr889557 fz528946 erg712560 CAN-2002-1377
______________________________________________________________________________


1. Problem Description

	vim 6.0 and 6.1, and possibly other versions, allows attackers
	to execute arbitrary commands using the libcall feature in
	modelines, which are not sandboxed but may be executed when
	vim is used as an editor for other products such as mutt. 
	
	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2002-1377 to this issue.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to vim-6.2-1.i386.rpm
					prior to vim-X11-6.2-1.i386.rpm
					prior to vim-help-6.2-1.i386.rpm
					prior to vim-i18n-6.2-1.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to vim-6.2-1.i386.rpm
					prior to vim-X11-6.2-1.i386.rpm
					prior to vim-help-6.2-1.i386.rpm
					prior to vim-i18n-6.2-1.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Unix
	users with Linux Kernel Personality can use the Caldera System
	Updater, called cupdate (or kcupdate under the KDE environment),
	to update these packages rather than downloading and installing
	them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/RPMS

	4.2 Packages

	2eaf8ff7d07ae09123dff2c16e68df5f	vim-6.2-1.i386.rpm
	b9872220a38cad8103089dfe600a188d	vim-X11-6.2-1.i386.rpm
	ec819c86427a02d6c8971ca6567efedd	vim-help-6.2-1.i386.rpm
	7ff1f641f70fc8fb216e2d683b814400	vim-i18n-6.2-1.i386.rpm

	4.3 Installation

	rpm -Fvh vim-6.2-1.i386.rpm
	rpm -Fvh vim-X11-6.2-1.i386.rpm
	rpm -Fvh vim-help-6.2-1.i386.rpm
	rpm -Fvh vim-i18n-6.2-1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/SRPMS

	4.5 Source Packages

	236756ca0c61400c475c8d84622ade61	vim-6.2-1.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/RPMS

	5.2 Packages

	2ebcc5f8e7b0d893b058fc241c7844b5	vim-6.2-1.i386.rpm
	a75f8d7349cfa8e1cb6ba23a0267a7e1	vim-X11-6.2-1.i386.rpm
	f618eaf8d81f2a8ac85ad9c517c28ae5	vim-help-6.2-1.i386.rpm
	cc12e062b2f69bbf2a6c861e0da0749b	vim-i18n-6.2-1.i386.rpm

	5.3 Installation

	rpm -Fvh vim-6.2-1.i386.rpm
	rpm -Fvh vim-X11-6.2-1.i386.rpm
	rpm -Fvh vim-help-6.2-1.i386.rpm
	rpm -Fvh vim-i18n-6.2-1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/SRPMS

	5.5 Source Packages

	85709bfff745aeda4f4aa090cee834e7	vim-6.2-1.src.rpm


6. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377
		http://lists.netsys.com/pipermail/full-disclosure/2002-December/003330.html
		http://www.guninski.com/vim1.html

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr889557 fz528946
	erg712560.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


8. Acknowledgements

	SCO would like to thank  Georgi Guninski

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFAaicpbluZssSXDTERAtg7AJ9W4yP2cEe57fSBioimvf9bKPUHfQCg0aT+
ggzOutLoHFA0w4++nB9/G4U=
=4eTx
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC