Security expert Armin Razmjou has recently found a high-severity vulnerability (CVE-2019-12735) in Vim and Neovim command-line text editing applications.
The vulnerability, tracked as CVE-2019-12735, is classified as an arbitrary OS command execution vulnerability. Both Vim and Neovim editing applications are pre-installed in Linux distros.
“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via
Vim is a highly configurable text editor for efficiently creating and changing any kind of text, including documents and scripts.
With 30% less source-code than Vim, the vision of Neovim is to enable new applications without compromising Vim’s traditional roles and enhancing the user experience
The vulnerability affects the way the Vim editor handles the “modelines” option. The modeline feature allows users to specify custom editor options near the start or end of a file (i.e. /* vim: set textwidth=80 tabstop=8: */). The feature is enabled by default and it is applied to all file types.
Only a subset of options is allowed in modelines, if an expression is included in the option value, it is executed in a sandbox.
Razmjou explained that it is possible to craft construct a modeline that execute the code outside the sandbox.
“However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left.” continues the expert.
The expert demonstrated that by tricking a victim into opening a specially crafted file using Vim or Neovim it is possible to secretly execute commands on its Linux system and remotely take over it.
Razmjou published two proof-of-concept exploits to the public, one of which allows a remote attacker to gain access to a reverse shell.
Below the video
The expert also sugge
Below the timeline of the flaw: