Re: vim 6.3.82 (possibly others) DoS (and perhaps potential exploit) report

  • Tony Mechelynck
    Message 1 of 5 , Nov 3, 2007
      Chris Drake wrote:
      > Hi,
      >
      > It's possible to craft a malformed .swp file that causes vim to crash
      > in a way that completely locks up a terminal.
      >
      > Here's what was on my screen when it occurred:
      >
      >
      > E325: ATTENTION
      > Found a swap file by the name ".Accounting.pm.swp"
      > owned by: root dated: Sat Nov 3 04:36:39 2007
      > file name: /usr/local/bin/Accounting.pm
      > modified: no
      > user name: root host name: ***
      > process ID: 5936
      > While opening file "Accounting.pm"
      > dated: Sat Nov 3 03:57:44 2007
      >
      > (1) Another program may be editing the same file.
      > If this is the case, be careful not to end up with two
      > different instances of the same file when making changes.
      > Quit, or continue with caution.
      >
      > (2) An edit session for this file crashed.
      > If this is the case, use ":recover" or "vim -r Accounting.pm"
      > to recover the changes (see ":help recovery").
      > If you did this already, delete the swap file ".Accounting.pm.swp"
      > to avoid this message.
      >
      > Swap file ".Accounting.pm.swp" already exists!
      > [O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort, (D)elete it:
      >
      > "Accounting.pm" 2059L, 113828C
      > Using swap file ".Accounting.pm.swp"
      > Original file "/usr/local/bin/src/Accounting/lib/Accounting.pm"
      > *** glibc detected *** double free or corruption (!prev): 0x0926fd60 ***
      > Recovery completed. You should check if everything is OK.
      > (You might want to write out this file under another name
      > and run diff with the original file to check for changes)
      > Delete the .swp file afterwards.
      >
      > Vim: Caught deadly signal ABRT
      >
      > (at this point - the terminal is completely locked up - ^C etc all
      > have no effect. kill also has no effect. kill-9 from another session
      > ended it OK)
      >
      > ------------------------
      > Here's some version info
      > ------------------------
      >
      > VIM - Vi IMproved
      >
      > version 6.3.82
      > by Bram Moolenaar et al.
      > Modified by <bugzilla@...>
      > Vim is open source and freely distributable
      >
      > Help poor children in Uganda!
      > type :help iccf<Enter> for information
      >
      > type :q<Enter> to exit
      > type :help<Enter> or <F1> for on-line help
      > type :help version6<Enter> for version info
      >
      > ------------------------
      > Here's some version info
      > ------------------------
      >
      > I think vim is used for lots of things, including at least editing
      > crontab files (after copying stuff to /tmp) - thus - a malicious local
      > user could place crafted .swp files in /tmp (or elsewhere that they
      > might have access to) to "crash" (DoS) anyone else's future VIM
      > sessions. Depending on the error - it might be possible to exploit
      > this to run arbitrary code elevated to the vim user's permissions (the
      > error reports as *either* "double free" (hard to exploit) or
      > "corruption" (probably a buffer overflow - easy to exploit))
      >
      > Kind Regards,
      > Chris Drake

      I seem to remember that something like that was fixed long ago, but my memory
      is hazy. Could you reproduce it with some "decently recent" version?

      You might want to peruse the lists of patches:

      http://ftp.vim.org/pub/vim/patches/6.3/README
      http://ftp.vim.org/pub/vim/patches/6.4/README
      http://ftp.vim.org/pub/vim/patches/7.0/README
      http://ftp.vim.org/pub/vim/patches/7.1/README

      FYI, 6.3.082 dates from 5 June 2005. Lots of water went under the bridge since
      then. The current version is 7.1.147.


      Best regards,
      Tony.
      --
      Impartial, adj.:
      Unable to perceive any promise of personal advantage from
      espousing either side of a controversy or adopting either of two
      conflicting opinions.
      -- Ambrose Bierce, "The Devil's Dictionary"


      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
    • Chris Drake
      Message 2 of 5 , Nov 3, 2007
        Hi Tony,

        Sorry - busy - if I get a free moment, I might have a try. I did save
        the files concerned.

        If it helps any - I managed to recover my file by transferring the
        file + .swp to an older server, which worked fine. version 6.3.81 is on
        the oldie.

        Kind Regards,
        Chris Drake


        Sunday, November 4, 2007, 1:34:01 AM, you wrote:


        TM> Chris Drake wrote:
        >> Hi,
        >>
        >> It's possible to craft a malformed .swp file that causes vim to crash
        >> in a way that completely locks up a terminal.
        >>
        >> Here's what was on my screen when it occurred:
        >>
        >>
        >> E325: ATTENTION
        >> Found a swap file by the name ".Accounting.pm.swp"
        >> owned by: root dated: Sat Nov 3 04:36:39 2007
        >> file name: /usr/local/bin/Accounting.pm
        >> modified: no
        >> user name: root host name: ***
        >> process ID: 5936
        >> While opening file "Accounting.pm"
        >> dated: Sat Nov 3 03:57:44 2007
        >>
        >> (1) Another program may be editing the same file.
        >> If this is the case, be careful not to end up with two
        >> different instances of the same file when making changes.
        >> Quit, or continue with caution.
        >>
        >> (2) An edit session for this file crashed.
        >> If this is the case, use ":recover" or "vim -r Accounting.pm"
        >> to recover the changes (see ":help recovery").
        >> If you did this already, delete the swap file ".Accounting.pm.swp"
        >> to avoid this message.
        >>
        >> Swap file ".Accounting.pm.swp" already exists!
        >> [O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort, (D)elete it:
        >>
        >> "Accounting.pm" 2059L, 113828C
        >> Using swap file ".Accounting.pm.swp"
        >> Original file "/usr/local/bin/src/Accounting/lib/Accounting.pm"
        >> *** glibc detected *** double free or corruption (!prev): 0x0926fd60 ***
        >>
        >> Recovery completed. You should check if everything is OK.
        >> (You might want to write out this file under another name
        >> and run diff with the original file to check for changes)
        >> Delete the .swp file afterwards.
        >>
        >> Vim: Caught deadly signal ABRT
        >>
        >> (at this point - the terminal is completely locked up - ^C etc all
        >> have no effect. kill also has no effect. kill-9 from another session
        >> ended it OK)
        >>
        >> ------------------------
        >> Here's some version info
        >> ------------------------
        >>
        >> VIM - Vi IMproved
        >>
        >> version 6.3.82
        >> by Bram Moolenaar et al.
        >> Modified by <bugzilla@...>
        >> Vim is open source and freely distributable
        >>
        >> Help poor children in Uganda!
        >> type :help iccf<Enter> for information
        >>
        >> type :q<Enter> to exit
        >> type :help<Enter> or <F1> for on-line help
        >> type :help version6<Enter> for version info
        >>
        >> ------------------------
        >> Here's some version info
        >> ------------------------
        >>
        >> I think vim is used for lots of things, including at least editing
        >> crontab files (after copying stuff to /tmp) - thus - a malicious local
        >> user could place crafted .swp files in /tmp (or elsewhere that they
        >> might have access to) to "crash" (DoS) anyone else's future VIM
        >> sessions. Depending on the error - it might be possible to exploit
        >> this to run arbitrary code elevated to the vim user's permissions (the
        >> error reports as *either* "double free" (hard to exploit) or
        >> "corruption" (probably a buffer overflow - easy to exploit))
        >>
        >> Kind Regards,
        >> Chris Drake

        TM> I seem to remember that something like that was fixed long ago, but my memory
        TM> is hazy. Could you reproduce it with some "decently recent" version?

        TM> You might want to peruse the lists of patches:

        TM> http://ftp.vim.org/pub/vim/patches/6.3/README
        TM> http://ftp.vim.org/pub/vim/patches/6.4/README
        TM> http://ftp.vim.org/pub/vim/patches/7.0/README
        TM> http://ftp.vim.org/pub/vim/patches/7.1/README

        TM> FYI, 6.3.082 dates from 5 June 2005. Lots of water went under the bridge since
        TM> then. The current version is 7.1.147.


        TM> Best regards,
        TM> Tony.




      • Dominique Pelle
        Message 3 of 5 , Nov 3, 2007
          Hi Chris

          Vim-6.3.81 in which you reported the bug is quite old. My guess is that
          the bug is likely to have been fixed in a more recent version of vim, with
          all latest patches. However, if you still have the offending .swp file (and
          if it's ok to share it), it might be interesting to send it, to double
          check that the bug does not happen in latest vim.

          -- Dominique

          On 11/4/07, Chris Drake <christopher@...> wrote:
          >
          > Hi Tony,
          >
          > Sorry - busy - if I get a free moment, I might have a try. I did save
          > the files concerned.
          >
          > If it helps any - I managed to recover my file by transferring the
          > file + .swp to an older server, which worked fine. version 6.3.81 is on
          > the oldie.
          >
          > Kind Regards,
          > Chris Drake
          >
          >
          > Sunday, November 4, 2007, 1:34:01 AM, you wrote:
          >
          >
          > TM> Chris Drake wrote:
          > >> Hi,
          > >>
          > >> It's possible to craft a malformed .swp file that causes vim to crash
          > >> in a way that completely locks up a terminal.
          > >>
          > >> Here's what was on my screen when it occurred:

        • Bram Moolenaar
          Message 4 of 5 , Nov 4, 2007
            Chris Drake wrote:

            > It's possible to craft a malformed .swp file that causes vim to crash
            > in a way that completely locks up a terminal.

            I can't do much without such a .swp file. To be able to reproduce the
            problem I would need both the original file and the .swp file that has
            the problem.

            Your text suggests that you know how to make a .swp file that causes the
            problem. Please share that with me. Don't send to the list if you
            think this may help malicious people to misuse the info.

            6.3.82 is quite old, it's very well possible that the problem got fixed
            in the mean time. Can you reproduce the problem with Vim 7.1? The swap
            file should be compatible.

            > Vim: Caught deadly signal ABRT
            >
            > (at this point - the terminal is completely locked up - ^C etc all
            > have no effect. kill also has no effect. kill-9 from another session
            > ended it OK)

            You may need to reset the terminal (in xterm that's done by pressing
            CTRL and the middle mouse button, select "Do Full reset"). Sometimes
            typing "reset<CR>reset<CR>" works. Vim switches off echo, so you may
            not see what you type.

            > ------------------------
            > Here's some version info
            > ------------------------
            >
            > I think vim is used for lots of things, including at least editing
            > crontab files (after copying stuff to /tmp) - thus - a malicious local
            > user could place crafted .swp files in /tmp (or elsewhere that they
            > might have access to) to "crash" (DoS) anyone else's future VIM
            > sessions. Depending on the error - it might be possible to exploit
            > this to run arbitrary code elevated to the vim user's permissions (the
            > error reports as *either* "double free" (hard to exploit) or
            > "corruption" (probably a buffer overflow - easy to exploit))

            I think that would be really hard to do, but it can't be ruled out.

            --
            hundred-and-one symptoms of being an internet addict:
            88. Every single time you press the 'Get mail' button...it does get new mail.

            /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
            /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
            \\\ download, build and distribute -- http://www.A-A-P.org ///
            \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
