Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-4733: Heap-use-after-free in function buflist_altfpos in vim in vim

Use After Free in GitHub repository vim/vim prior to 9.0.1840.

CVE
#vulnerability#git

Description

Heap-use-after-free in function buflist_altfpos at buffer.c:3703

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf -c :qa!

==1404==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011940 at pc 0x0000004a4dbe bp 0x7ffc6204d090 sp 0x7ffc6204d080
READ of size 4 at 0x625000011940 thread T0
    #0 0x4a4dbd in buflist_altfpos /home/fuzz/asan_program/vim/src/buffer.c:3703
    #1 0x78a8b7 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2694
    #2 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
    #3 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
    #4 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #5 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #6 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
    #7 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
    #8 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
    #9 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
    #10 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #11 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #12 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
    #13 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
    #14 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
    #15 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
    #16 0x446fde  (/home/fuzz/bug_finder/bug_validate/vimtest1/vim_asan+0x446fde)

0x625000011940 is located 64 bytes inside of 9176-byte region [0x625000011900,0x625000013cd8)
freed by thread T0 here:
    #0 0x7fee9555c23f in free (/lib64/libasan.so.5+0x10c23f)
    #1 0x47886c in apply_autocmds_group /home/fuzz/asan_program/vim/src/autocmd.c:2385
    #2 0x481acf in apply_autocmds /home/fuzz/asan_program/vim/src/autocmd.c:1780
    #3 0xb0cfda in may_trigger_modechanged /home/fuzz/asan_program/vim/src/misc1.c:2806
    #4 0xbcd17e in end_visual_mode_keep_button /home/fuzz/asan_program/vim/src/normal.c:1165
    #5 0xbcd17e in end_visual_mode /home/fuzz/asan_program/vim/src/normal.c:1120
    #6 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1190
    #7 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1186
    #8 0x7899d4 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2653
    #9 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
    #10 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
    #11 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #12 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #13 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
    #14 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
    #15 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
    #16 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
    #17 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #18 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #19 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
    #20 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
    #21 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
    #22 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)

previously allocated by thread T0 here:
    #0 0x7fee9555c82e in calloc (/lib64/libasan.so.5+0x10c82e)
    #1 0x447ab4 in lalloc /home/fuzz/asan_program/vim/src/alloc.c:246
    #2 0x447ab4 in alloc_clear /home/fuzz/asan_program/vim/src/alloc.c:177
    #3 0x140d552 in win_alloc /home/fuzz/asan_program/vim/src/window.c:5502
    #4 0x1454b36 in win_split_ins /home/fuzz/asan_program/vim/src/window.c:1187
    #5 0x457164 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:708
    #6 0x457164 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
    #7 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #8 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #9 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
    #10 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
    #11 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
    #12 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
    #13 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #14 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #15 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
    #16 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
    #17 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
    #18 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/asan_program/vim/src/buffer.c:3703 in buflist_altfpos
Shadow bytes around the buggy address:
  0x0c4a7fffa2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffa320: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c4a7fffa330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1404==ABORTING

here are three different triggering poc : https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf1?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf2?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf3?raw=true

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

Related news

Apple Security Advisory 10-25-2023-4

Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.

Ubuntu Security Notice USN-6452-1

Ubuntu Security Notice 6452-1 - It was discovered that Vim could be made to divide by zero. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04. It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained an arithmetic overflow. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.

CVE-2023-42861: About the security content of macOS Sonoma 14.1

A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907