Arbitrary command execution on Windows

2023-07-10 00:42:29
stsewd
www.huntr.dev

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 4.4 Medium
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low (percentile 17.4%)

Description

Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems.
This is possible by placing a malicious file with the same name as a trusted executable in that directory,
because Windows gives priority to the current directory when searching for executables.

Several built-in plugins execute commands when opening files;
for example, the Perl plugin (runtime/ftplugin/perl.vim)
executes the perl command when opening a Perl file.

Proof of Concept

  • Create a perl.bat file (perl or perl.exe works too) with the command you want to execute,
    for example:

        @echo off
        echo hacked! > pwned.txt

  • Enable filetype detection; you can add this to your .vimrc:

        filetype plugin on

  • Open any Perl file from the same directory as the perl.bat file:

        vim test.pl

  • The command from the perl.bat file will be executed,
    creating a pwned.txt file in the current directory.

Additional information

This vulnerability can be exploited through other plugins as well,
such as zip.vim (runtime/ftplugin/zip.vim), which executes the unzip command
when opening a zip file.

This vulnerability is similar to CVE-2021-3013 and CVE-2022-41953.
Note that this affects all plugins that execute commands (i.e. make calls to system()) on Windows systems.

I was able to reproduce this on Windows 10 with GVim, Vim on PowerShell and Vim on the normal CMD.

Possible fixes

  • Use absolute paths when executing commands.
  • Set the NeedCurrentDirectoryForExePath environment variable when executing commands
    on Windows systems (maybe make it an opt-in option?).
  • Maybe there is an option to avoid this behavior in CreateProcessW?
  • Prevent plugins from executing commands from untrusted directories by default (similar to VSCode).
  • Others?
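As an added illustration (not code from this report or from Vim), the following Python model contrasts the lookup that consults the working directory before PATH with the hardened lookup behind the first fix above, which resolves a command name to an absolute path from PATH only. The PATHEXT list, the directory names and the planted/trusted files are constructed for the demo; the extension handling is a simplification of what the Windows shell does.

```python
import os
import tempfile

# Constructed, simplified PATHEXT: extensions the shell tries when a bare
# command name such as "perl" is given.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]


def find_in_dir(directory, name):
    """Return the first file in `directory` named `name` plus a PATHEXT
    extension (or exactly `name`), or None if nothing matches."""
    for ext in [""] + PATHEXT:
        candidate = os.path.join(directory, name + ext)
        if os.path.isfile(candidate):
            return candidate
    return None


def resolve(name, path_dirs, cwd=None):
    """Resolve `name` to an absolute path.

    With cwd=None this is the hardened lookup: only the configured PATH
    directories are searched, so a file planted next to the edited document
    is never picked up.  Passing the working directory as `cwd` reproduces
    the legacy order, where the current directory is searched first."""
    search = ([cwd] if cwd else []) + list(path_dirs)
    for directory in search:
        hit = find_in_dir(directory, name)
        if hit:
            return os.path.abspath(hit)
    return None


def demo():
    """Build a throwaway layout: a trusted tools dir on PATH holding perl.exe,
    and a project dir (the untrusted cwd) holding a planted perl.bat.
    Returns which file each lookup selected."""
    with tempfile.TemporaryDirectory() as root:
        tools_dir = os.path.join(root, "tools")      # on PATH (constructed)
        work_dir = os.path.join(root, "project")     # untrusted cwd (constructed)
        os.makedirs(tools_dir)
        os.makedirs(work_dir)
        trusted = os.path.join(tools_dir, "perl.exe")
        planted = os.path.join(work_dir, "perl.bat")
        for path in (trusted, planted):
            open(path, "w").close()  # empty placeholder files, never executed
        legacy = resolve("perl", [tools_dir], cwd=work_dir)
        hardened = resolve("perl", [tools_dir])
        return {"legacy_picks_planted": legacy == planted,
                "hardened_picks_trusted": hardened == trusted}
```

Calling demo() returns both flags as True: the legacy order selects the planted file, while the PATH-only lookup selects the trusted interpreter.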
