
Re: Re[2]: vim 6.3.82 (possibly others) DoS (and perhaps potential exploit) report

  • Dominique Pelle
    Message 1 of 5 , Nov 3, 2007
      Hi Chris

      Vim-6.3.81 in which you reported the bug is quite old. My guess is that
      the bug is likely to have been fixed in a more recent version of vim, with
      all latest patches. However, if you still have the offending .swp file (and
      if it's ok to share it), it might be interesting to send it, to double
      check that the bug does not happen in latest vim.

      -- Dominique

      On 11/4/07, Chris Drake <christopher@...> wrote:
      >
      > Hi Tony,
      >
      > Sorry - busy - if I get a free moment, I might have a try. I did save
      > the files concerned.
      >
      > If it helps any - I managed to recover my file by transferring the
      > file + .swp to an older server, which worked fine. version 6.3.81 is on
      > the oldie.
      >
      > Kind Regards,
      > Chris Drake
      >
      >
      > Sunday, November 4, 2007, 1:34:01 AM, you wrote:
      >
      >
      > TM> Chris Drake wrote:
      > >> Hi,
      > >>
      > >> It's possible to craft a malformed .swp file that causes vim to crash
      > >> in a way that completely locks up a terminal.
      > >>
      > >> Here's what was on my screen when it occurred:

      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
    • Bram Moolenaar
      Message 2 of 5 , Nov 4, 2007
        Chris Drake wrote:

        > It's possible to craft a malformed .swp file that causes vim to crash
        > in a way that completely locks up a terminal.

        I can't do much without such a .swp file. To be able to reproduce the
        problem I would need both the original file and the .swp file that has
        the problem.

        Your text suggests that you know how to make a .swp file that causes the
        problem. Please share that with me. Don't send to the list if you
        think this may help malicious people to misuse the info.

        6.3.82 is quite old, it's very well possible that the problem got fixed
        in the meantime. Can you reproduce the problem with Vim 7.1? The swap
        file should be compatible.

        > Vim: Caught deadly signal ABRT
        >
        > (at this point - the terminal is completely locked up - ^C etc all
        > have no effect. kill also has no effect. kill -9 from another session
        > ended it OK)

        You may need to reset the terminal (in xterm that's done by pressing
        CTRL and the middle mouse button, select "Do Full reset"). Sometimes
        typing "reset<CR>reset<CR>" works. Vim switches off echo, so you may
        not see what you type.

        > ------------------------
        > Here's some version info
        > ------------------------
        >
        > I think vim is used for lots of things, including at least editing
        > crontab files (after copying stuff to /tmp) - thus - a malicious local
        > user could place crafted .swp files in /tmp (or elsewhere that they
        > might have access to) to "crash" (DoS) anyone else's future VIM
        > sessions. Depending on the error - it might be possible to exploit
        > this to run arbitrary code elevated to the vim user's permissions (the
        > error reports as *either* "double free" (hard to exploit) or
        > "corruption" (probably a buffer overflow - easy to exploit))

        I think that would be really hard to do, but it can't be ruled out.

        --
        hundred-and-one symptoms of being an internet addict:
        88. Every single time you press the 'Get mail' button...it does get new mail.

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ download, build and distribute -- http://www.A-A-P.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
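
Added example, not part of the thread and not Vim's own code: a check to run before editing in a shared directory such as /tmp, the scenario raised in the report above, listing swap-like entries that are not regular files owned by the invoking user. The function name `foreign_swap_files` and the name pattern (`.sw` followed by a letter from a to p) are assumptions, and the sample files are constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Assumption: swap names look like ".<file>.swp", ".<file>.swo", ... or ".swp".
SWAP_NAME = re.compile(r"^\.(.*\.)?sw[a-p]$")


def foreign_swap_files(directory, my_uid=None):
    """List swap-like entries that are not regular files owned by my_uid."""
    if my_uid is None:
        my_uid = os.getuid()
    findings = []
    for name in sorted(os.listdir(directory)):
        if not SWAP_NAME.match(name):
            continue
        # lstat so a symlink planted under a swap name is reported, not followed
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, st.st_uid, "not a regular file"))
        elif st.st_uid != my_uid:
            findings.append((name, st.st_uid, "owned by another user"))
    return findings


def demo():
    """Build a constructed sample directory and scan it as two different users."""
    with tempfile.TemporaryDirectory() as d:
        for name in (".crontab.1234.swp", ".notes.txt.swo", "notes.txt"):
            open(os.path.join(d, name), "wb").close()
        os.symlink("notes.txt", os.path.join(d, ".link.swp"))
        as_owner = foreign_swap_files(d)
        # Pretend to be a different uid so the same files count as foreign.
        as_other = foreign_swap_files(d, my_uid=os.getuid() + 1)
    return as_owner, as_other


if __name__ == "__main__":
    for label, found in zip(("as owner", "as other user"), demo()):
        print(label)
        for name, uid, reason in found:
            print(f"  {name}: uid {uid}, {reason}")
```

A finding is a prompt to inspect or delete the entry before opening the file, rather than letting the editor offer recovery from a swap file someone else wrote.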
