
Re: vim 6.3.82 (possibly others) DoS (and perhaps potential exploit) report

  • Bram Moolenaar
    Message 1 of 5 , Nov 4, 2007
      Chris Drake wrote:

      > It's possible to craft a malformed .swp file that causes vim to crash
      > in a way that completely locks up a terminal.

      I can't do much without such a .swp file. To be able to reproduce the
      problem I would need both the original file and the .swp file that has
      the problem.

      Your text suggests that you know how to make a .swp file that causes the
      problem. Please share that with me. Don't send to the list if you
      think this may help malicious people to misuse the info.

      6.3.82 is quite old, it's very well possible that the problem got fixed
      in the meantime. Can you reproduce the problem with Vim 7.1? The swap
      file should be compatible.

      > Vim: Caught deadly signal ABRT
      >
      > (at this point - the terminal is completely locked up - ^C etc all
      > have no effect. kill also has no effect. kill-9 from another session
      > ended it OK)

      You may need to reset the terminal (in xterm that's done by pressing
      CTRL and the middle mouse button, select "Do Full reset"). Sometimes
      typing "reset<CR>reset<CR>" works. Vim switches off echo, so you may
      not see what you type.

      > ------------------------
      > Here's some version info
      > ------------------------
      >
      > I think vim is used for lots of things, including at least editing
      > crontab files (after copying stuff to /tmp) - thus - a malicious local
      > user could place crafted .swp files in /tmp (or elsewhere that they
      > might have access to) to "crash" (DoS) anyone else's future VIM
      > sessions. Depending on the error - it might be possible to exploit
      > this to run arbitrary code elevated to the vim users permissions (the
      > error reports as *either* "double free" (hard to exploit) or
      > "corruption" (probably a buffer overflow - easy to exploit))

      I think that would be really hard to do, but it can't be ruled out.

      --
      hundred-and-one symptoms of being an internet addict:
      88. Every single time you press the 'Get mail' button...it does get new mail.

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ download, build and distribute -- http://www.A-A-P.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
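
A defender-side check for the scenario raised in the quoted report (swap files left by another user in a shared directory such as /tmp), added here as an example that is not part of the original thread or of Vim itself. It assumes swap files sit next to the edited file and follow Vim's `.<name>.swp` / `.swo` / `.swn` naming; `foreign_swap_files` and `demo` are hypothetical names, and the sample files are constructed.

```python
import os
import re
import stat
import tempfile


def foreign_swap_files(path, trusted_uids=None):
    """List Vim swap-file candidates for `path` that the editing user should not trust."""
    if trusted_uids is None:
        trusted_uids = {os.getuid()}
    directory = os.path.dirname(os.path.abspath(path))
    # Vim names swap files ".<name>.swp", falling back to ".swo", ".swn", ...
    pattern = re.compile(r"^\." + re.escape(os.path.basename(path)) + r"\.s[a-w][a-z]$")
    findings = []
    for entry in sorted(os.listdir(directory)):
        if not pattern.match(entry):
            continue
        full = os.path.join(directory, entry)
        st = os.lstat(full)  # lstat: do not follow a planted symlink
        if not stat.S_ISREG(st.st_mode):
            findings.append((entry, "not a regular file"))
        elif st.st_uid not in trusted_uids:
            findings.append((entry, "owned by uid %d" % st.st_uid))
    return findings


def demo():
    """Constructed scenario: a shared directory holding stray swap files for 'crontab.tmp'."""
    with tempfile.TemporaryDirectory() as shared:
        target = os.path.join(shared, "crontab.tmp")
        open(target, "w").close()
        # Constructed placeholder content; not a real or malformed swap file.
        with open(os.path.join(shared, ".crontab.tmp.swp"), "wb") as fh:
            fh.write(b"constructed sample")
        os.symlink(target, os.path.join(shared, ".crontab.tmp.swo"))
        open(os.path.join(shared, ".other.swp"), "w").close()  # different file name: ignored
        own = foreign_swap_files(target)
        # Pretend the editing user is someone else, so the .swp counts as foreign.
        other = foreign_swap_files(target, trusted_uids={os.getuid() + 1})
    return own, other


if __name__ == "__main__":
    print(demo())
```

Running the check before opening a file in a world-writable directory tells the user whether a recovery prompt would be driven by a swap file they did not create.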