Headline
CVE-2022-2000: Out-of-bounds write in function append_command in vim
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
Description
Out-of-bounds write in function append_command at ex_docmd.c:3447
vim version
git log
commit bfaa24f95343af9c058696644375d04e660f1b00 (HEAD -> master, tag: v8.2.5052, origin/master, origin/HEAD)
POC
./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_obw6_s.dat -c :qa!
=================================================================
==3497672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e81 at pc 0x0000004848d9 bp 0x7fffffff5910 sp 0x7fffffff50b0
WRITE of size 3 at 0x619000000e81 thread T0
#0 0x4848d8 in strcat (/home/fuzz/fuzz-vim/vim/src/vim+0x4848d8)
#1 0x816a2d in append_command /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:3447:5
#2 0x7de9e5 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2619:6
#3 0x7ca815 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#4 0x7c6699 in do_exmode /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:517:6
#5 0xb5502a in nv_exmode /home/fuzz/fuzz/vim/vim/src/normal.c:3155:2
#6 0xb2220f in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:941:5
#7 0x81591e in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8792:6
#8 0x815148 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8755:5
#9 0x814cf9 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8673:6
#10 0x7ddaa9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2568:2
#11 0x7ca815 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#12 0xe5aadc in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
#13 0xe57536 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
#14 0xe56e6c in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
#15 0xe5654e in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
#16 0x7ddaa9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2568:2
#17 0x7ca815 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#18 0x7cf4b1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
#19 0x1426b42 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
#20 0x1422cdb in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
#21 0x14183d5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#22 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#23 0x41ea6d in _start (/home/fuzz/fuzz-vim/vim/src/vim+0x41ea6d)
0x619000000e81 is located 0 bytes to the right of 1025-byte region [0x619000000a80,0x619000000e81)
allocated by thread T0 here:
#0 0x499ccd in malloc (/home/fuzz/fuzz-vim/vim/src/vim+0x499ccd)
#1 0x4cb3aa in lalloc /home/fuzz/fuzz/vim/vim/src/alloc.c:246:11
#2 0x4cb28a in alloc /home/fuzz/fuzz/vim/vim/src/alloc.c:151:12
#3 0x141843a in common_init /home/fuzz/fuzz/vim/vim/src/main.c:914:19
#4 0x1417924 in main /home/fuzz/fuzz/vim/vim/src/main.c:185:5
#5 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/fuzz-vim/vim/src/vim+0x4848d8) in strcat
Shadow bytes around the buggy address:
0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff81d0:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3497672==ABORTING
poc_obw6_s.dat
Impact
This may result in corruption of sensitive information, a crash, or code execution among other things.
Related news
Ubuntu Security Notice 6557-1 - It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that Vim could be made to recurse infinitely. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.
Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.
Ubuntu Security Notice 5516-1 - It was discovered that Vim incorrectly handled memory access. An attacker could potentially use this issue to cause the corruption of sensitive information, a crash, or arbitrary code execution.