CVE-2021-46059: Untrusted Pointer Dereference in vim

An untrusted pointer dereference (CWE-822) exists in Vim 8.2.3883 in the vim_regexec_multi() function in regexp.c. A crafted Vim script that is sourced with -S reaches the function through :global (ex_global) and crashes the editor with a segmentation fault, a denial of service.


Description

Untrusted pointer dereference leading to a segmentation fault in vim_regexec_multi() at regexp.c:2896. The faulting line is `if (rmp->regprog->re_in_use)`: at the time of the crash rmp->regprog holds the value 0x14 (RAX in the register dump below), so the 4-byte read of re_in_use through that pointer faults.

Proof of Concept

./vim -u NONE -X -Z -e -s -S POC1 -c ':qa!'

POC1: https://drive.google.com/file/d/1VOS93VSakO96z2rnvId_WDYRM9KAEIgC/view?usp=sharing
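The following triage helper is an added example and is not part of the original report or of Vim itself. It runs a PoC file through Vim with exactly the flags used above and classifies the outcome by exit status, which is how a batch of fuzzer crash files (the PoC here is AFL's id:000003, per the backtrace) can be re-checked against a rebuilt binary. It assumes VIM_BIN points at the binary under test (default ./vim, as in the report) and uses GNU timeout(1) when it is available; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added reproduction/triage helper (example code, not from the original
# report or the Vim project). Assumes VIM_BIN names the Vim binary to test.

: "${VIM_BIN:=./vim}"

# Translate an exit status into a short verdict. The shell reports a process
# killed by signal N as 128+N, so 139 is SIGSEGV (what the report shows) and
# 134 is SIGABRT (what an ASAN-instrumented build raises on a detected error).
classify_status() {
    case "$1" in
        0)   echo clean ;;
        124) echo timeout ;;   # GNU timeout(1) convention for an expired limit
        134) echo abort ;;     # 128 + SIGABRT: ASAN report / abort()
        139) echo segv ;;      # 128 + SIGSEGV: the crash in this advisory
        *)   echo "other:$1" ;;
    esac
}

# Run one PoC file with the report's flags:
#   -u NONE   no vimrc, so the crash does not depend on local configuration
#   -X        do not connect to the X server
#   -Z        restricted mode (the script cannot run shell commands)
#   -e -s     silent Ex mode, no UI
#   -S FILE   source FILE as a Vim script
#   -c ':qa!' quit unconditionally afterwards, so a non-crashing run exits 0
# Prints the verdict from classify_status.
run_poc() {
    poc=$1
    runner=""
    if command -v timeout >/dev/null 2>&1; then
        runner="timeout 10"   # bound runaway scripts (regex backtracking etc.)
    fi
    status=0
    $runner "$VIM_BIN" -u NONE -X -Z -e -s -S "$poc" -c ':qa!' \
        </dev/null >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Triage every file in a directory (e.g. an AFL crashes/ directory) and print
# "verdict<TAB>file" per line. Returns non-zero if any file crashed Vim.
triage_dir() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        verdict=$(run_poc "$f")
        printf '%s\t%s\n' "$verdict" "$f"
        case "$verdict" in segv|abort) found=1 ;; esac
    done
    return $found
}
```

Usage: `VIM_BIN=/path/to/vim run_poc POC1` prints `segv` for the affected build; `triage_dir afl-out/crashes` re-checks a whole crash directory and exits non-zero if any file still crashes, which makes it usable as a regression check after applying a fix. The stdin redirect from /dev/null matters: in silent Ex mode Vim otherwise reads further commands from the terminal.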

GDB (PEDA) output at the crash, followed by the backtrace (bt):

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x14 
RBX: 0x7fffffff8520 --> 0x9 ('\t')
RCX: 0x14 
RDX: 0x2 
RSI: 0x10007fff7000 --> 0x0 
RDI: 0x7fffffff87e0 --> 0x0 
RBP: 0x7fffffff87a0 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 --> 0x7fffffffb980 --> 0x7fffffffb9f0 (--> ...)
RSP: 0x7fffffff8420 --> 0x41b58ab3 
RIP: 0xa54c3b (<vim_regexec_multi+635>: cmp    DWORD PTR [rax],0x0)
R8 : 0x625000002900 --> 0x3e8 
R9 : 0x625000005100 --> 0x9 ('\t')
R10: 0x4 
R11: 0x0 
R12: 0x0 
R13: 0xffffffff0fc --> 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa54c28 <vim_regexec_multi+616>:    mov    rdi,QWORD PTR [rbx+0x148]
   0xa54c2f <vim_regexec_multi+623>:    call   0x49c430 <__asan_report_load4>
   0xa54c34 <vim_regexec_multi+628>:    mov    rax,QWORD PTR [rbx+0x148]
=> 0xa54c3b <vim_regexec_multi+635>:    cmp    DWORD PTR [rax],0x0
   0xa54c3e <vim_regexec_multi+638>:    je     0xa54c75 <vim_regexec_multi+693>
   0xa54c44 <vim_regexec_multi+644>:    movabs rdi,0x1172840
   0xa54c4e <vim_regexec_multi+654>:    call   0x41d310 <gettext@plt>
   0xa54c53 <vim_regexec_multi+659>:    mov    rdi,rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff8420 --> 0x41b58ab3 
0008| 0x7fffffff8428 --> 0x100b3cb ("1 32 160 13 rex_save:2892")
0016| 0x7fffffff8430 --> 0xa549c0 (<vim_regexec_multi>: push   rbp)
0024| 0x7fffffff8438 --> 0x7fffffffb180 --> 0x615000000d00 --> 0xbebebebefbad2488 
0032| 0x7fffffff8440 --> 0x7fffffff8480 --> 0x7fffffff8980 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 (--> ...)
0040| 0x7fffffff8448 --> 0x4c5d0e (<lalloc+174>:    mov    QWORD PTR [rbp-0x20],rax)
0048| 0x7fffffff8450 --> 0x614000000840 --> 0x619024800004 --> 0x0 
0056| 0x7fffffff8458 --> 0xfffffc4300000001 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
2896        if (rmp->regprog->re_in_use)
gdb-peda$ bt
#0  0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
#1  0x00000000006b45ab in ex_global (eap=0x7fffffff8bc0) at ex_cmds.c:4976
#2  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffa100, flags=0x7, cstack=0x7fffffffa120, fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180) at ex_docmd.c:2572
#3  0x00000000006c0a9d in do_cmdline (cmdline=0x611000000680 "", fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180, flags=0x7) at ex_docmd.c:994
#4  0x0000000000b25523 in do_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", check_other=0x0, 
    is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1420
#5  0x0000000000b228eb in cmd_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", eap=0x7fffffffba60)
    at scriptfile.c:985
#6  0x0000000000b22641 in ex_source (eap=0x7fffffffba60) at scriptfile.c:1011
#7  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffcfa0, flags=0xb, cstack=0x7fffffffcfc0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2572
#8  0x00000000006c0a9d in do_cmdline (cmdline=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", fgetline=0x0, 
    cookie=0x0, flags=0xb) at ex_docmd.c:994
#9  0x00000000006c40b4 in do_cmdline_cmd (cmd=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2")
    at ex_docmd.c:588
#10 0x0000000000f39719 in exe_commands (parmp=0x1a99e80 <params>) at main.c:3080
#11 0x0000000000f36873 in vim_main2 () at main.c:774
#12 0x0000000000f2f64d in main (argc=0xb, argv=0x7fffffffe2d8) at main.c:426
#13 0x00007ffff7be10b3 in __libc_start_main (main=0xf2ee20 <main>, argc=0xb, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
#14 0x000000000041da9e in _start ()

Impact

The demonstrated impact is a denial of service: sourcing the crafted script crashes Vim with SIGSEGV, and no plugin or vimrc is needed (the PoC runs with -u NONE). The original report also lists bypass of protection mechanisms, memory modification and possible remote code execution; none of those is shown by the proof of concept above, which ends in a 4-byte read through an invalid regprog pointer (0x14), not in a controlled write. Exposure is limited to a Vim process that executes attacker-supplied script or input reaching :global.
