For those unaware, Vim and Neovim are two most popular and powerful command-line text editing applications that come pre-installed in most of the Linux distros. Vim is a text editor that allows users to create, view or edit any file, including text, documents, and programming scripts. On the other hand, Neovim is a fork of Vim that aims to improve user experience, plugins, and GUIs (graphical user interfaces). As a result, the code execution vulnerability is also present in Neovim. “Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.” reads the security advisory published by the expert. Razmjou discovered the vulnerability in the way Vim editor handles the “modelines” option. The modeline feature allows to specify custom editor options near the start or end of a file. This feature is enabled by default and applied to all file types, including plain .txt. Only a subset of options is allowed in modelines for security reasons, and if an expression is included in the option value, it is executed in a sandbox. However, Razmjou discovered that the: source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left. In other words, it is possible to develop a modeline that can execute the code outside the sandbox. The expert demonstrated that it is possible for attackers to exploit the CVE-2019-12735 vulnerability, which allows them to hack the victim’s systems by tricking them into opening an innocent looking specially crafted file in Vim or Neovim Editor. Razmjou released two proof-of-concept exploits to the public, one of which demonstrates a real-life attack scenario wherein a remote attacker gains access to a reverse shell. “This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened,” continues the post. “Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content.)” The development teams of Vim (patch 8.1.1365) and Neovim (released in v0.3.6) have already released security updates on both utilities to address the vulnerability. Besides the patching, the security researcher also suggests users to:
disable modelines feature in the vimrc (set nomodeline) use “securemodelines plugin,” a secure alternative to Vim modelines disable “modelineexpr” to disallow expressions in modelines