Vim and Neovim Bug Could Allow Trojan Code

A high-severity bug affecting two popular command-line text editing applications, Vim and Neovim, allows hackers to execute malicious OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a victim into opening a specially crafted text file in either editor. Razmjou created a proof-of-concept attack demonstrating how a hacker can compromise a Linux system via Vim or Neovim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution. A reverse shell is launched once the user opens the file. To conceal the attack, the file is immediately rewritten when opened. The PoC also uses terminal escape sequences to hide the modeline when the content is printed with cat.

Vim is a popular text editor based on the vi editor, a screen-oriented text editor originally created for the Unix operating system. A modeline is a configuration line that shares settings data to a display server and communicates display settings data. The PoC bypasses the modeline mitigations, which execute value expressions in a sandbox to prevent somebody from creating a trojan horse text file through modelines. However, the :source! command can be used to bypass the sandbox: it reads and executes commands from a given file as if they were typed manually, running them after the sandbox has been left.


Vim and Neovim have both released patches for the bug. CVE-2019-12735 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline. Besides patching, it's recommended to disable modelines in the vimrc, to use the securemodelines plugin, or to disable modelineexpr to disallow expressions in modelines.
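
For triage of untrusted files before they are opened in an unpatched editor, the traits described above (a modeline carrying :source!, an expression-valued option, or terminal escape bytes) can be checked mechanically. The Python scanner below is an added example, not code from the original article or from Razmjou's PoC; the regexes, the `scan` function name, the non-exhaustive option list and the sample bytes are all constructed for illustration.

```python
import re

MODELINES = 5  # Vim's default 'modelines' value: lines checked at top and bottom

# Approximates Vim's modeline prefix: "vi:", "vim:", "Vim:", "ex:" or "vim<N>:"
# at the start of the line or after whitespace.
MODELINE_RE = re.compile(rb"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):")
# ":source!" and its abbreviations (":so!" ...), with or without a backslash before "!".
SOURCE_RE = re.compile(rb"\bso(?:u(?:r(?:ce?)?)?)?\\?!")
# Options whose value is evaluated as an expression (non-exhaustive list).
EXPR_RE = re.compile(
    rb"\b(?:foldexpr|fde|formatexpr|fex|includeexpr|inex|"
    rb"indentexpr|inde|foldtext|fdt)\s*=")


def scan(data: bytes):
    """Return [(line_number, [reasons])] for suspicious modelines in data."""
    lines = data.splitlines()
    n = len(lines)
    # Only the first and last MODELINES lines are parsed as modelines.
    candidates = sorted(set(range(min(MODELINES, n))) |
                        set(range(max(0, n - MODELINES), n)))
    findings = []
    for i in candidates:
        match = MODELINE_RE.search(lines[i])
        if not match:
            continue
        body = lines[i][match.end():]
        reasons = []
        if SOURCE_RE.search(body):
            reasons.append("source!")
        if EXPR_RE.search(body):
            reasons.append("expression option")
        if b"\x1b" in lines[i]:  # ESC byte: can hide the line from cat output
            reasons.append("terminal escape")
        if reasons:
            findings.append((i + 1, reasons))
    return findings


# Constructed samples; the suspect line is inert placeholder text, not a working payload.
BENIGN = b"#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hi\n"
SUSPECT_LINE = b"end vim: fde=CONSTRUCTED:source\\!:CONSTRUCTED \x1b[0m\n"
SUSPECT = b"notes\n" * 10 + SUSPECT_LINE
MID_FILE = b"x\n" * 7 + SUSPECT_LINE + b"x\n" * 12

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT), ("mid", MID_FILE)):
        print(name, scan(blob))
```

Reading the file as bytes matters here: the escape sequences that hide a modeline from cat are still present in the raw data, so a byte-level check sees what the terminal does not show.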