vim 6.3.82 (possibly others) DoS (and perhaps potential exploit) report

  • Chris Drake
    Message 1 of 5 , Nov 2, 2007
      Hi,

      It's possible to craft a malformed .swp file that causes vim to crash
      in a way that completely locks up a terminal.

      Here's what was on my screen when it occurred:


      E325: ATTENTION
      Found a swap file by the name ".Accounting.pm.swp"
      owned by: root dated: Sat Nov 3 04:36:39 2007
      file name: /usr/local/bin/Accounting.pm
      modified: no
      user name: root host name: ***
      process ID: 5936
      While opening file "Accounting.pm"
      dated: Sat Nov 3 03:57:44 2007

      (1) Another program may be editing the same file.
      If this is the case, be careful not to end up with two
      different instances of the same file when making changes.
      Quit, or continue with caution.

      (2) An edit session for this file crashed.
      If this is the case, use ":recover" or "vim -r Accounting.pm"
      to recover the changes (see ":help recovery").
      If you did this already, delete the swap file ".Accounting.pm.swp"
      to avoid this message.

      Swap file ".Accounting.pm.swp" already exists!
      [O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort, (D)elete it:

      "Accounting.pm" 2059L, 113828C
      Using swap file ".Accounting.pm.swp"
      Original file "/usr/local/bin/src/Accounting/lib/Accounting.pm"
      *** glibc detected *** double free or corruption (!prev): 0x0926fd60 ***
      Recovery completed. You should check if everything is OK.
      (You might want to write out this file under another name
      and run diff with the original file to check for changes)
      Delete the .swp file afterwards.

      Vim: Caught deadly signal ABRT

      (at this point - the terminal is completely locked up - ^C etc. all
      have no effect. kill also has no effect. kill -9 from another session
      ended it OK)

      ------------------------
      Here's some version info
      ------------------------

      VIM - Vi IMproved

      version 6.3.82
      by Bram Moolenaar et al.
      Modified by <bugzilla@...>
      Vim is open source and freely distributable

      Help poor children in Uganda!
      type :help iccf<Enter> for information

      type :q<Enter> to exit
      type :help<Enter> or <F1> for on-line help
      type :help version6<Enter> for version info

      ------------------------
      Here's some version info
      ------------------------

      I think vim is used for lots of things, including at least editing
      crontab files (after copying stuff to /tmp) - thus - a malicious local
      user could place crafted .swp files in /tmp (or elsewhere that they
      might have access to) to "crash" (DoS) anyone else's future VIM
      sessions. Depending on the error - it might be possible to exploit
      this to run arbitrary code elevated to the vim user's permissions (the
      error reports as *either* "double free" (hard to exploit) or
      "corruption" (probably a buffer overflow - easy to exploit))

      Kind Regards,
      Chris Drake



      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
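The report above turns on where vim looks for an existing swap file: by default the 'directory' option is ".,~/tmp,/var/tmp,/tmp", so a file edited in /tmp is matched against whatever .swp files sit in /tmp. The following shell functions are an added example, not code from the thread or from the vim project: they move vim's swap files (and therefore its swap-file lookups) into a 0700 per-user directory, recognise a real swap file by its block-0 signature "b0VIM", and list swap files in a shared directory that belong to another user. The function names are hypothetical; the paths are examples.

```shell
#!/bin/sh
# Added example (not from the thread): a private swap directory for vim and
# a small audit for foreign swap files in shared directories.
# Function names are hypothetical; paths are examples.

# Create a 0700 directory and print the vimrc line that points vim at it.
# The trailing "//" makes vim build the swap file name from the full path
# of the edited file, so same-named files in different directories do not
# collide inside the single swap directory.
make_private_swapdir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    printf 'set directory=%s//\n' "$dir"
}

# A vim swap file starts with the block-0 signature "b0VIM" followed by the
# version that wrote it (e.g. "b0VIM 7.1"); anything else is not a swap file
# vim would try to read as one.
is_vim_swapfile() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "b0VIM" ]
}

# List swap files directly under a directory that are not owned by the
# calling user: the situation the report describes, where someone else's
# .swp sits exactly where vim would look for one.
find_foreign_swapfiles() {
    find "$1" -maxdepth 1 -type f -name '.*.sw?' ! -user "$(id -un)" 2>/dev/null
}

# Usage:
#   make_private_swapdir "$HOME/.vim/swap" >> "$HOME/.vimrc"
#   find_foreign_swapfiles /tmp
```

Note that `set directory=...` replaces the default list rather than adding to it, which is the point: with "." gone from the list, vim neither creates nor consults swap files next to a file it edits in /tmp. The "owned by" line in the E325 prompt comes from the swap file's owner on disk, while "user name" and "host name" are read from the swap file itself, so only the former is trustworthy when a file of unknown origin is found.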
    • Tony Mechelynck
      Message 2 of 5 , Nov 3, 2007
        Chris Drake wrote:
        > Hi,
        >
        > It's possible to craft a malformed .swp file that causes vim to crash
        > in a way that completely locks up a terminal.
        >
        > Here's what was on my screen when it occurred:
        >
        >
        > E325: ATTENTION
        > Found a swap file by the name ".Accounting.pm.swp"
        > owned by: root dated: Sat Nov 3 04:36:39 2007
        > file name: /usr/local/bin/Accounting.pm
        > modified: no
        > user name: root host name: ***
        > process ID: 5936
        > While opening file "Accounting.pm"
        > dated: Sat Nov 3 03:57:44 2007
        >
        > (1) Another program may be editing the same file.
        > If this is the case, be careful not to end up with two
        > different instances of the same file when making changes.
        > Quit, or continue with caution.
        >
        > (2) An edit session for this file crashed.
        > If this is the case, use ":recover" or "vim -r Accounting.pm"
        > to recover the changes (see ":help recovery").
        > If you did this already, delete the swap file ".Accounting.pm.swp"
        > to avoid this message.
        >
        > Swap file ".Accounting.pm.swp" already exists!
        > [O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort, (D)elete it:
        >
        > "Accounting.pm" 2059L, 113828C
        > Using swap file ".Accounting.pm.swp"
        > Original file "/usr/local/bin/src/Accounting/lib/Accounting.pm"
        > *** glibc detected *** double free or corruption (!prev): 0x0926fd60 ***
        > Recovery completed. You should check if everything is OK.
        > (You might want to write out this file under another name
        > and run diff with the original file to check for changes)
        > Delete the .swp file afterwards.
        >
        > Vim: Caught deadly signal ABRT
        >
        > (at this point - the terminal is completely locked up - ^C etc. all
        > have no effect. kill also has no effect. kill -9 from another session
        > ended it OK)
        >
        > ------------------------
        > Here's some version info
        > ------------------------
        >
        > VIM - Vi IMproved
        >
        > version 6.3.82
        > by Bram Moolenaar et al.
        > Modified by <bugzilla@...>
        > Vim is open source and freely distributable
        >
        > Help poor children in Uganda!
        > type :help iccf<Enter> for information
        >
        > type :q<Enter> to exit
        > type :help<Enter> or <F1> for on-line help
        > type :help version6<Enter> for version info
        >
        > ------------------------
        > Here's some version info
        > ------------------------
        >
        > I think vim is used for lots of things, including at least editing
        > crontab files (after copying stuff to /tmp) - thus - a malicious local
        > user could place crafted .swp files in /tmp (or elsewhere that they
        > might have access to) to "crash" (DoS) anyone else's future VIM
        > sessions. Depending on the error - it might be possible to exploit
        > this to run arbitrary code elevated to the vim user's permissions (the
        > error reports as *either* "double free" (hard to exploit) or
        > "corruption" (probably a buffer overflow - easy to exploit))
        >
        > Kind Regards,
        > Chris Drake

        I seem to remember that something like that was fixed long ago, but my memory
        is hazy. Could you reproduce it with some "decently recent" version?

        You might want to peruse the lists of patches:

        http://ftp.vim.org/pub/vim/patches/6.3/README
        http://ftp.vim.org/pub/vim/patches/6.4/README
        http://ftp.vim.org/pub/vim/patches/7.0/README
        http://ftp.vim.org/pub/vim/patches/7.1/README

        FYI, 6.3.082 dates from 5 June 2005. Lots of water went under the bridge since
        then. The current version is 7.1.147.


        Best regards,
        Tony.
        --
        Impartial, adj.:
        Unable to perceive any promise of personal advantage from
        espousing either side of a controversy or adopting either of two
        conflicting opinions.
        -- Ambrose Bierce, "The Devil's Dictionary"


      • Chris Drake
        Message 3 of 5 , Nov 3, 2007
          Hi Tony,

          Sorry - busy - if I get a free moment, I might have a try. I did save
          the files concerned.

          If it helps any - I managed to recover my file by transferring the
          file + .swp to an older server, which worked fine. version 6.3.81 is on
          the oldie.

          Kind Regards,
          Chris Drake


          Sunday, November 4, 2007, 1:34:01 AM, you wrote:


          TM> Chris Drake wrote:
          >> Hi,
          >>
          >> It's possible to craft a malformed .swp file that causes vim to crash
          >> in a way that completely locks up a terminal.
          >>
          >> Here's what was on my screen when it occurred:
          >>
          >>
          >> E325: ATTENTION
          >> Found a swap file by the name ".Accounting.pm.swp"
          >> owned by: root dated: Sat Nov 3 04:36:39 2007
          >> file name: /usr/local/bin/Accounting.pm
          >> modified: no
          >> user name: root host name: ***
          >> process ID: 5936
          >> While opening file "Accounting.pm"
          >> dated: Sat Nov 3 03:57:44 2007
          >>
          >> (1) Another program may be editing the same file.
          >> If this is the case, be careful not to end up with two
          >> different instances of the same file when making changes.
          >> Quit, or continue with caution.
          >>
          >> (2) An edit session for this file crashed.
          >> If this is the case, use ":recover" or "vim -r Accounting.pm"
          >> to recover the changes (see ":help recovery").
          >> If you did this already, delete the swap file ".Accounting.pm.swp"
          >> to avoid this message.
          >>
          >> Swap file ".Accounting.pm.swp" already exists!
          >> [O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort, (D)elete it:
          >>
          >> "Accounting.pm" 2059L, 113828C
          >> Using swap file ".Accounting.pm.swp"
          >> Original file "/usr/local/bin/src/Accounting/lib/Accounting.pm"
          >> *** glibc detected *** double free or corruption (!prev): 0x0926fd60 ***
          >>
          >> Recovery completed. You should check if everything is OK.
          >> (You might want to write out this file under another name
          >> and run diff with the original file to check for changes)
          >> Delete the .swp file afterwards.
          >>
          >> Vim: Caught deadly signal ABRT
          >>
          >> (at this point - the terminal is completely locked up - ^C etc. all
          >> have no effect. kill also has no effect. kill -9 from another session
          >> ended it OK)
          >>
          >> ------------------------
          >> Here's some version info
          >> ------------------------
          >>
          >> VIM - Vi IMproved
          >>
          >> version 6.3.82
          >> by Bram Moolenaar et al.
          >> Modified by <bugzilla@...>
          >> Vim is open source and freely distributable
          >>
          >> Help poor children in Uganda!
          >> type :help iccf<Enter> for information
          >>
          >> type :q<Enter> to exit
          >> type :help<Enter> or <F1> for on-line help
          >> type :help version6<Enter> for version info
          >>
          >> ------------------------
          >> Here's some version info
          >> ------------------------
          >>
          >> I think vim is used for lots of things, including at least editing
          >> crontab files (after copying stuff to /tmp) - thus - a malicious local
          >> user could place crafted .swp files in /tmp (or elsewhere that they
          >> might have access to) to "crash" (DoS) anyone else's future VIM
          >> sessions. Depending on the error - it might be possible to exploit
          >> this to run arbitrary code elevated to the vim user's permissions (the
          >> error reports as *either* "double free" (hard to exploit) or
          >> "corruption" (probably a buffer overflow - easy to exploit))
          >>
          >> Kind Regards,
          >> Chris Drake

          TM> I seem to remember that something like that was fixed long ago, but my memory
          TM> is hazy. Could you reproduce it with some "decently recent" version?

          TM> You might want to peruse the lists of patches:

          TM> http://ftp.vim.org/pub/vim/patches/6.3/README
          TM> http://ftp.vim.org/pub/vim/patches/6.4/README
          TM> http://ftp.vim.org/pub/vim/patches/7.0/README
          TM> http://ftp.vim.org/pub/vim/patches/7.1/README

          TM> FYI, 6.3.082 dates from 5 June 2005. Lots of water went under the bridge since
          TM> then. The current version is 7.1.147.


          TM> Best regards,
          TM> Tony.




        • Dominique Pelle
          Message 4 of 5 , Nov 3, 2007
            Hi Chris,

            Vim-6.3.81 in which you reported the bug is quite old. My guess is that
            the bug is likely to have been fixed in a more recent version of vim, with
            all latest patches. However, if you still have the offending .swp file (and
            if it's OK to share it), it might be interesting to send it, to double
            check that the bug does not happen in the latest vim.

            -- Dominique

            On 11/4/07, Chris Drake <christopher@...> wrote:
            >
            > Hi Tony,
            >
            > Sorry - busy - if I get a free moment, I might have a try. I did save
            > the files concerned.
            >
            > If it helps any - I managed to recover my file by transferring the
            > file + .swp to an older server, which worked fine. version 6.3.81 is on
            > the oldie.
            >
            > Kind Regards,
            > Chris Drake
            >
            >
            > Sunday, November 4, 2007, 1:34:01 AM, you wrote:
            >
            >
            > TM> Chris Drake wrote:
            > >> Hi,
            > >>
            > >> It's possible to craft a malformed .swp file that causes vim to crash
            > >> in a way that completely locks up a terminal.
            > >>
            > >> Here's what was on my screen when it occurred:

          • Bram Moolenaar
            Message 5 of 5 , Nov 4, 2007
              Chris Drake wrote:

              > It's possible to craft a malformed .swp file that causes vim to crash
              > in a way that completely locks up a terminal.

              I can't do much without such a .swp file. To be able to reproduce the
              problem I would need both the original file and the .swp file that has
              the problem.

              Your text suggests that you know how to make a .swp file that causes the
              problem. Please share that with me. Don't send to the list if you
              think this may help malicious people to misuse the info.

              6.3.82 is quite old, it's very well possible that the problem got fixed
              in the meantime. Can you reproduce the problem with Vim 7.1? The swap
              file should be compatible.

              > Vim: Caught deadly signal ABRT
              >
              > (at this point - the terminal is completely locked up - ^C etc. all
              > have no effect. kill also has no effect. kill -9 from another session
              > ended it OK)

              You may need to reset the terminal (in xterm that's done by pressing
              CTRL and the middle mouse button, select "Do Full reset"). Sometimes
              typing "reset<CR>reset<CR>" works. Vim switches off echo, so you may
              not see what you type.

              > ------------------------
              > Here's some version info
              > ------------------------
              >
              > I think vim is used for lots of things, including at least editing
              > crontab files (after copying stuff to /tmp) - thus - a malicious local
              > user could place crafted .swp files in /tmp (or elsewhere that they
              > might have access to) to "crash" (DoS) anyone else's future VIM
              > sessions. Depending on the error - it might be possible to exploit
              > this to run arbitrary code elevated to the vim user's permissions (the
              > error reports as *either* "double free" (hard to exploit) or
              > "corruption" (probably a buffer overflow - easy to exploit))

              I think that would be really hard to do, but it can't be ruled out.

              --
              hundred-and-one symptoms of being an internet addict:
              88. Every single time you press the 'Get mail' button...it does get new mail.

              /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
              /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
              \\\ download, build and distribute -- http://www.A-A-P.org ///
              \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
