Vim or Neovim Editor is vulnerable

CVE-2019-12735: a Linux system can be compromised simply by opening a specially crafted file in Vim or Neovim.

Security researcher Armin Razmjou recently identified a high-severity arbitrary OS command execution vulnerability in Vim and Neovim (CVE-2019-12735).

For those unaware, Vim and Neovim are two of the most popular and powerful command-line text editors, and one or both come pre-installed in most Linux distributions. Vim lets users create, view and edit any file, including plain text, documents and program source code. Neovim, on the other hand, is a fork of Vim aimed at improving the user experience, plugins and GUIs (graphical user interfaces). As a consequence, the code execution vulnerability is present in Neovim as well.

“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file,” reads the researcher’s security advisory.

Razmjou found the vulnerability in the way Vim handles the “modelines” feature. A modeline lets a file specify custom editor options in a line near its beginning or end. The feature is enabled by default and is applied to every kind of file, including plain .txt files.

For security reasons, only a subset of options may be set from a modeline, and if an option’s value contains an expression, that expression is evaluated in a sandbox.

Razmjou, however, found that the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from the specified file as if they had been typed manually, and those commands run after the sandbox has been left. In other words, a modeline can be crafted that executes code outside the sandbox.

The researcher showed that an attacker can exploit CVE-2019-12735 to compromise a victim’s system by tricking them into opening an innocent-looking but specially crafted file in Vim or Neovim.

Razmjou released two proof-of-concept exploits, one of which demonstrates a real-world attack in which a remote attacker obtains a reverse shell.

“This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened,” the advisory continues.

“Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content.)”
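The modeline handling described above, together with the cat trick in the last quote, suggests a practical check: see which modelines a file actually carries before opening it in an editor. The POSIX shell script below is an added example, not code from the advisory or from Vim. It scans only the first and last 5 lines of a file (Vim's default 'modelines' window), pushes them through cat -v so terminal escape sequences cannot hide anything, and flags modelines whose option values contain a function call (an expression) or mention :source. The function names, the "suspicious" heuristic and the sample files mentioned in the comments are this example's own assumptions, not Vim rules.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from Vim: list the modelines a
# file carries, looking only where Vim looks, and flag the ones that would
# evaluate an expression. The "suspicious" heuristic is an assumption of this
# example rather than a Vim rule.

MODELINES=5   # Vim's default 'modelines': only the first and last 5 lines of
              # a file are ever checked for a modeline

# Print the candidate modelines of file $1, one per line. Output goes through
# cat -v so control characters become visible (ESC shows as ^[); the PoC hid
# its modeline behind terminal escape sequences that plain cat renders as
# nothing. Vim accepts "vi:", "vim:", "Vim:" or "ex:" at the start of a line
# or after whitespace, which is what the grep pattern matches.
find_modelines() {
    {
        head -n "$MODELINES" "$1"
        tail -n "$MODELINES" "$1"
    } | cat -v | grep -E '(^|[[:space:]])(vi|vim|Vim|ex):' | sort -u
}

# Heuristic: a modeline is suspicious if an option value contains a function
# call (i.e. an expression, such as a 'foldexpr') or mentions :source, the
# command the CVE-2019-12735 PoC used to escape the sandbox.
SUSPICIOUS_RE='=[^:]*[A-Za-z_][A-Za-z0-9_]*\(|source'
modeline_is_suspicious() {
    printf '%s\n' "$1" | grep -Eq "$SUSPICIOUS_RE"
}

# Number of suspicious modelines in file $1 (prints 0 when there are none).
# grep -c exits 1 when nothing matched, so the assignment needs the fallback.
count_suspicious_modelines() {
    n=$(find_modelines "$1" | grep -Ec "$SUSPICIOUS_RE") || n=0
    printf '%s\n' "$n"
}

# Stand-alone use: `sh scan_modelines.sh FILE...` prints each file's modelines
# and a verdict, and exits 1 if any file looks suspicious.
status=0
for f in "$@"; do
    printf '== %s\n' "$f"
    find_modelines "$f"
    if [ "$(count_suspicious_modelines "$f")" -gt 0 ]; then
        printf '   SUSPICIOUS: expression or :source inside a modeline\n'
        status=1
    fi
done
[ "$#" -eq 0 ] || exit "$status"
```

A modeline that sits outside the first and last 5 lines is ignored by both Vim and this script, so a file with a modeline on line 6 of a 12-line file is reported as clean; raise MODELINES if the target's vimrc sets a larger 'modelines' value.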

The Vim (patch 8.1.1365) and Neovim (released in v0.3.6) developers have already published security updates that fix the vulnerability in both editors.

In addition to applying the patch, the researcher recommends that users:

  • disable the modelines feature in their vimrc (set nomodeline)
  • use the securemodelines plugin, a secure alternative to Vim modelines
  • disable modelineexpr to disallow expressions in modelines (set nomodelineexpr)
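To turn the patch level and the first and third recommendations into something that can be checked, here is an added example in POSIX shell; it is not from the advisory, Vim or Neovim. It parses `vim --version` and `nvim --version` output to decide whether a build predates 8.1.1365 or 0.3.6, and inspects vimrc text for `set nomodeline` and `set nomodelineexpr`. The function names, the simple parser for `set` lines (it does not understand :let or autocommands), the sample version strings in the comments and the assumption that only ~/.vimrc matters are this example's own.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from Vim/Neovim: decide from
# `vim --version` / `nvim --version` output whether a build predates the fix
# for CVE-2019-12735, and check whether a vimrc really turns modelines off.
# Every function takes the text to inspect as an argument, so the checks can
# also be run on output captured from another machine.

# Return 0 if dotted version $1 is >= dotted version $2 (up to 3 components;
# a missing component counts as 0).
version_ge() {
    a=$1; b=$2
    for _ in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# "major.minor.patch" from `vim --version` text. Vim prints its version on
# the first line ("VIM - Vi IMproved 8.1 (...)") and the patch level as the
# last number of the "Included patches: 1-1365" line (0 when absent).
vim_version_of() {
    mm=$(printf '%s\n' "$1" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    patch=$(printf '%s\n' "$1" | sed -n 's/^Included patches: .*[-, ]\([0-9][0-9]*\)$/\1/p' | head -n 1)
    printf '%s.%s\n' "${mm:-0.0}" "${patch:-0}"
}

# "major.minor.patch" from `nvim --version` text, whose first line is "NVIM v0.3.6".
nvim_version_of() {
    v=$(printf '%s\n' "$1" | sed -n 's/^NVIM v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${v:-0.0.0}"
}

# Fixed releases named in the advisory: Vim 8.1.1365 and Neovim 0.3.6.
vim_is_fixed()  { version_ge "$(vim_version_of "$1")" 8.1.1365; }
nvim_is_fixed() { version_ge "$(nvim_version_of "$1")" 0.3.6; }

# Final state ("on", "off" or "default") of a boolean option in vimrc text $3,
# looking only at `set`/`se` lines (assumption: :let and autocommands are not
# parsed). $1 is the long option name, $2 the short one (modeline / ml).
# As in Vim, the last `set` that mentions the option wins; a trailing
# "comment is stripped first.
vimrc_option_state() {
    tokens=$(printf '%s\n' "$3" \
        | sed -n 's/^[[:space:]]*se\(t\)\{0,1\}[[:space:]]\{1,\}//p' \
        | sed 's/[[:space:]]*".*$//' \
        | tr ' \t' '\n\n')
    last=$(printf '%s\n' "$tokens" | grep -nxE "(no)?($1|$2)" | tail -n 1)
    case "${last#*:}" in
        "")  printf 'default\n' ;;
        no*) printf 'off\n' ;;
        *)   printf 'on\n' ;;
    esac
}

# The first and third mitigations from the advisory, as checks on vimrc text $1.
vimrc_disables_modelines()    { [ "$(vimrc_option_state modeline ml "$1")" = off ]; }
vimrc_disables_modelineexpr() { [ "$(vimrc_option_state modelineexpr mle "$1")" = off ]; }

# Stand-alone use: `sh check_vim.sh --check` inspects the editors and the
# ~/.vimrc found on this machine (assumption: other vimrc locations are ignored).
if [ "${1:-}" = --check ]; then
    if command -v vim >/dev/null 2>&1; then
        vim_is_fixed "$(vim --version)" && echo "vim: carries the fix" || echo "vim: VULNERABLE, update to 8.1.1365 or later"
    fi
    if command -v nvim >/dev/null 2>&1; then
        nvim_is_fixed "$(nvim --version)" && echo "nvim: carries the fix" || echo "nvim: VULNERABLE, update to 0.3.6 or later"
    fi
    rc=$HOME/.vimrc
    if [ -r "$rc" ]; then
        vimrc_disables_modelines "$(cat "$rc")" && echo "$rc: modelines disabled" || echo "$rc: modelines still enabled"
        vimrc_disables_modelineexpr "$(cat "$rc")" && echo "$rc: modeline expressions disabled" || echo "$rc: modeline expressions not disabled"
    fi
fi
```

The vimrc check deliberately treats the short option names (`ml`, `mle`) the same as the long ones, because a `set noml` line disables modelines just as `set nomodeline` does; a `set modeline` that comes later in the file re-enables them, which the last-wins rule reflects.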
