Lucene search
Janette88D1AC9817-825D-49CE-B514-1D5B12B6BDAAHistoryAug 17, 2022 - 12:03 a.m.
Use After Free in function find_var_also_in_script
2022-08-1700:03:52
janette88
www.huntr.dev
8
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
21.8%
Description
Use After Free in function find_var_also_in_script at vim/src/evalvars.c:3174
vim version
git log
commit 887748742deae3d6de7aa0fdbb042afe1ccf5e7a (grafted, HEAD -> master, tag: v9.0.0222, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc3_huaf.dat -c :qa!
=================================================================
==101656==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000cc2 at pc 0x7f97f6872927 bp 0x7ffde62cf5c0 sp 0x7ffde62ced68
READ of size 1 at 0x611000000cc2 thread T0
#0 0x7f97f6872926 in __interceptor_strncmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:460
#1 0x563585be6150 in find_var_also_in_script /home/fuzz/vim/src/evalvars.c:3174
#2 0x563585b87e5d in deref_function_name /home/fuzz/vim/src/eval.c:647
#3 0x563585b9d753 in eval_method /home/fuzz/vim/src/eval.c:4358
#4 0x563585ba73c0 in handle_subscript /home/fuzz/vim/src/eval.c:6417
#5 0x563585b9bf31 in eval9 /home/fuzz/vim/src/eval.c:4063
#6 0x563585b99ecc in eval8 /home/fuzz/vim/src/eval.c:3602
#7 0x563585b98e67 in eval7 /home/fuzz/vim/src/eval.c:3394
#8 0x563585b97867 in eval6 /home/fuzz/vim/src/eval.c:3157
#9 0x563585b96e58 in eval5 /home/fuzz/vim/src/eval.c:3046
#10 0x563585b96027 in eval4 /home/fuzz/vim/src/eval.c:2897
#11 0x563585b9542e in eval3 /home/fuzz/vim/src/eval.c:2758
#12 0x563585b9489f in eval2 /home/fuzz/vim/src/eval.c:2632
#13 0x563585b93724 in eval1 /home/fuzz/vim/src/eval.c:2478
#14 0x563585b9cfbe in eval_lambda /home/fuzz/vim/src/eval.c:4267
#15 0x563585ba7395 in handle_subscript /home/fuzz/vim/src/eval.c:6414
#16 0x563585b9bf31 in eval9 /home/fuzz/vim/src/eval.c:4063
#17 0x563585b99ecc in eval8 /home/fuzz/vim/src/eval.c:3602
#18 0x563585b98e67 in eval7 /home/fuzz/vim/src/eval.c:3394
#19 0x563585b97867 in eval6 /home/fuzz/vim/src/eval.c:3157
#20 0x563585b96e58 in eval5 /home/fuzz/vim/src/eval.c:3046
#21 0x563585b96027 in eval4 /home/fuzz/vim/src/eval.c:2897
#22 0x563585b9542e in eval3 /home/fuzz/vim/src/eval.c:2758
#23 0x563585b9489f in eval2 /home/fuzz/vim/src/eval.c:2632
#24 0x563585b93724 in eval1 /home/fuzz/vim/src/eval.c:2478
#25 0x563585b92fa0 in eval0_retarg /home/fuzz/vim/src/eval.c:2389
#26 0x563585b92da2 in eval0 /home/fuzz/vim/src/eval.c:2364
#27 0x563585c4b021 in ex_eval /home/fuzz/vim/src/ex_eval.c:951
#28 0x563585c1e453 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#29 0x563585c156f6 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#30 0x563585f3887b in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
#31 0x563585f399ad in do_source /home/fuzz/vim/src/scriptfile.c:1803
#32 0x563585f36515 in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
#33 0x563585f3657a in ex_source /home/fuzz/vim/src/scriptfile.c:1200
#34 0x563585c1e453 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#35 0x563585c156f6 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#36 0x563585c13a90 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
#37 0x563586210005 in exe_commands /home/fuzz/vim/src/main.c:3133
#38 0x563586209173 in vim_main2 /home/fuzz/vim/src/main.c:780
#39 0x563586208a2b in main /home/fuzz/vim/src/main.c:432
#40 0x7f97f6411082 in __libc_start_main ../csu/libc-start.c:308
#41 0x563585a94e4d in _start (/home/fuzz/vim/src/vim+0x139e4d)
0x611000000cc2 is located 2 bytes inside of 250-byte region [0x611000000cc0,0x611000000dba)
freed by thread T0 here:
#0 0x7f97f68a840f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x563585a9553a in vim_free /home/fuzz/vim/src/alloc.c:625
#2 0x563585b928b0 in eval_next_line /home/fuzz/vim/src/eval.c:2277
#3 0x563585ba66bb in handle_subscript /home/fuzz/vim/src/eval.c:6317
#4 0x563585b9bf31 in eval9 /home/fuzz/vim/src/eval.c:4063
#5 0x563585b87e40 in deref_function_name /home/fuzz/vim/src/eval.c:642
#6 0x563585b9d753 in eval_method /home/fuzz/vim/src/eval.c:4358
#7 0x563585ba73c0 in handle_subscript /home/fuzz/vim/src/eval.c:6417
#8 0x563585b9bf31 in eval9 /home/fuzz/vim/src/eval.c:4063
#9 0x563585b99ecc in eval8 /home/fuzz/vim/src/eval.c:3602
#10 0x563585b98e67 in eval7 /home/fuzz/vim/src/eval.c:3394
#11 0x563585b97867 in eval6 /home/fuzz/vim/src/eval.c:3157
#12 0x563585b96e58 in eval5 /home/fuzz/vim/src/eval.c:3046
#13 0x563585b96027 in eval4 /home/fuzz/vim/src/eval.c:2897
#14 0x563585b9542e in eval3 /home/fuzz/vim/src/eval.c:2758
#15 0x563585b9489f in eval2 /home/fuzz/vim/src/eval.c:2632
#16 0x563585b93724 in eval1 /home/fuzz/vim/src/eval.c:2478
#17 0x563585b9cfbe in eval_lambda /home/fuzz/vim/src/eval.c:4267
#18 0x563585ba7395 in handle_subscript /home/fuzz/vim/src/eval.c:6414
#19 0x563585b9bf31 in eval9 /home/fuzz/vim/src/eval.c:4063
#20 0x563585b99ecc in eval8 /home/fuzz/vim/src/eval.c:3602
#21 0x563585b98e67 in eval7 /home/fuzz/vim/src/eval.c:3394
#22 0x563585b97867 in eval6 /home/fuzz/vim/src/eval.c:3157
#23 0x563585b96e58 in eval5 /home/fuzz/vim/src/eval.c:3046
#24 0x563585b96027 in eval4 /home/fuzz/vim/src/eval.c:2897
#25 0x563585b9542e in eval3 /home/fuzz/vim/src/eval.c:2758
#26 0x563585b9489f in eval2 /home/fuzz/vim/src/eval.c:2632
#27 0x563585b93724 in eval1 /home/fuzz/vim/src/eval.c:2478
#28 0x563585b92fa0 in eval0_retarg /home/fuzz/vim/src/eval.c:2389
#29 0x563585b92da2 in eval0 /home/fuzz/vim/src/eval.c:2364
previously allocated by thread T0 here:
#0 0x7f97f68a8c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x563585a95cf0 in ga_grow_inner /home/fuzz/vim/src/alloc.c:757
#2 0x563585a95aed in ga_grow /home/fuzz/vim/src/alloc.c:722
#3 0x563585f3a2e7 in get_one_sourceline /home/fuzz/vim/src/scriptfile.c:1958
#4 0x563585f3b197 in getsourceline /home/fuzz/vim/src/scriptfile.c:2128
#5 0x563585c14e84 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:875
#6 0x563585f3887b in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
#7 0x563585f399ad in do_source /home/fuzz/vim/src/scriptfile.c:1803
#8 0x563585f36515 in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
#9 0x563585f3657a in ex_source /home/fuzz/vim/src/scriptfile.c:1200
#10 0x563585c1e453 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#11 0x563585c156f6 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#12 0x563585c13a90 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
#13 0x563586210005 in exe_commands /home/fuzz/vim/src/main.c:3133
#14 0x563586209173 in vim_main2 /home/fuzz/vim/src/main.c:780
#15 0x563586208a2b in main /home/fuzz/vim/src/main.c:432
#16 0x7f97f6411082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:460 in __interceptor_strncmp
Shadow bytes around the buggy address:
0x0c227fff8140: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c227fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff8160: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c227fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
=>0x0c227fff8190: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c227fff81a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff81b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c227fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
0x0c227fff81e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==101656==ABORTING
<p><a href=“https://github.com/Janette88/vim/blob/main/poc3_huaf.dat”>poc3_huaf.dat</a></p>
Related
veracode
veracode
Denial Of Service (DoS)
2022-09-01 12:17:46
ubuntucve
ubuntucve
CVE-2022-2889
2022-08-19 00:00:00
alpinelinux
alpinelinux
CVE-2022-2889
2022-08-19 13:15:00
openvas
openvas
Slackware: Security Advisory (SSA:2022-232-01)
2022-08-22 00:00:00
Mageia: Security Advisory (MGASA-2022-0377)
2022-10-19 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-3b33d04743)
2022-09-03 00:00:00
cnvd
cnvd
Vim Resource Management Error Vulnerability (CNVD-2022-59203)
2022-08-23 00:00:00
cve
cve
CVE-2022-2889
2022-08-19 13:15:00
cbl_mariner
cbl_mariner
CVE-2022-2889 affecting package vim for versions less than 9.0.0325-1
2022-09-16 06:05:42
CVE-2022-2889 affecting package vim 9.0.0181-1
2022-09-17 05:56:39
redhatcve
redhatcve
CVE-2022-2889
2022-08-19 17:39:04
debiancve
debiancve
CVE-2022-2889
2022-08-19 13:15:00
nessus
nessus
Slackware Linux 15.0 / current vim Vulnerability (SSA:2022-232-01)
2022-08-22 00:00:00
Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS : Vim vulnerabilities (USN-6302-1)
2023-08-21 00:00:00
Amazon Linux 2 : vim (ALAS-2022-1868)
2022-10-21 00:00:00
prion
prion
Design/Logic Flaw
2022-08-19 13:15:00
slackware
slackware
[slackware-security] vim
2022-08-20 20:09:46
mageia
mageia
Updated golang packages fix security vulnerability
2022-10-19 02:14:56
Updated vim packages fix security vulnerability
2022-11-19 01:50:51
fedora
fedora
[SECURITY] Fedora 35 Update: vim-9.0.246-1.fc35
2022-09-01 09:56:13
cloudfoundry
cloudfoundry
USN-6302-1: Vim vulnerabilities | Cloud Foundry
2023-10-05 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2023-08-21 00:00:00
osv
osv
vim vulnerabilities
2023-08-21 05:45:06
amazon
amazon
Low: vim
2022-10-17 21:46:00
suse
suse
Security update for vim (important)
2022-09-09 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0380
2023-04-25 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0568
2023-04-19 00:00:00
gentoo
gentoo
Vim, gVim: Multiple Vulnerabilities
2023-05-03 00:00:00
avleonov
avleonov
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
21.8%
Related for D1AC9817-825D-49CE-B514-1D5B12B6BDAA