huntr Greatergoodest FAA74175-5317-4B71-A363-DFC39094ECBB
May 16, 2022 - 12:53 p.m.

Infinite recursive function calls result in stack overflow

2022-05-16 12:53:39
greatergoodest
www.huntr.dev

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 20.1%

Description

When providing certain input, the program will enter an infinite loop where it continually calls:

get_expr_register -> cmdline_handle_backslash_key -> getcmdline -> getcmdline_int -> cmdline_handle_backslash_key -> get_expr_register -> etc.

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00005555556284c5 in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1618
1618            save_cmdline(&save_ccline);
#0  0x00005555556284c5 in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1618
#1  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#2  0x000055555572ef97 in get_expr_register () at register.c:104
#3  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff408) at ex_getln.c:850
#4  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
#5  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#6  0x000055555572ef97 in get_expr_register () at register.c:104
#7  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff688) at ex_getln.c:850
#8  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
#9  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#10 0x000055555572ef97 in get_expr_register () at register.c:104

…

#2052 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2053 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f138) at ex_getln.c:850                           
#2054 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2055 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2056 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2057 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f3b8) at ex_getln.c:850                           
#2058 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2059 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2060 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2061 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f638) at ex_getln.c:850                           
#2062 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2063 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2064 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2065 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f8b8) at ex_getln.c:850                           
#2066 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2067 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2068 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2069 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84fb38) at ex_getln.c:850                           
#2070 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2071 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2072 0x000055555572ef97 in get_expr_register () at register.c:104                                            
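
An added example, not part of the original report: crash-triage code that reads the GDB frames above, finds the repeating call cycle, and estimates stack use per cycle from the `gotesc` addresses. The function names `parse_frames`, `find_cycle`, `stack_bytes_per_cycle` and `triage` belong to this example; treating `gotesc` as a stack address and the 8 MiB stack limit are assumptions.

```python
import re

# Frames #0-#8 copied verbatim from the GDB output above.
BACKTRACE = """\
#0  0x00005555556284c5 in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1618
#1  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#2  0x000055555572ef97 in get_expr_register () at register.c:104
#3  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff408) at ex_getln.c:850
#4  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
#5  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#6  0x000055555572ef97 in get_expr_register () at register.c:104
#7  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff688) at ex_getln.c:850
#8  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \((.*?)\) at (\S+)[ \t]*$", re.M)

def parse_frames(text):
    """Return [(function, argument_string, file:line), ...], innermost frame first."""
    return [(m.group(2), m.group(3), m.group(4)) for m in FRAME_RE.finditer(text)]

def find_cycle(funcs):
    """Smallest period p, repeated at least twice, with funcs[i] == funcs[i+p]."""
    for p in range(1, len(funcs) // 2 + 1):
        if all(funcs[i] == funcs[i + p] for i in range(len(funcs) - p)):
            return funcs[:p]
    return None  # no repeating pattern: not a recursion crash

def stack_bytes_per_cycle(frames):
    """Difference between successive gotesc pointers (assumed to be stack addresses)."""
    ptrs = [int(m.group(1), 16) for _, args, _ in frames
            if (m := re.search(r"gotesc=(0x[0-9a-f]+)", args))]
    deltas = {b - a for a, b in zip(ptrs, ptrs[1:])}
    return deltas.pop() if len(deltas) == 1 else None  # None if inconsistent

def triage(text, stack_limit=8 * 1024 * 1024):  # assumed 8 MiB stack limit
    frames = parse_frames(text)
    cycle = find_cycle([f[0] for f in frames])
    per_cycle = stack_bytes_per_cycle(frames)
    return {
        "call_cycle": cycle[::-1] if cycle else None,  # caller -> callee order
        "bytes_per_cycle": per_cycle,
        "cycles_to_exhaust": stack_limit // per_cycle if per_cycle else None,
    }

if __name__ == "__main__":
    print(triage(BACKTRACE))
```

Grouping fuzzer crashes by the returned `call_cycle` rather than by the faulting address keeps recursion crashes of different depths in one bucket.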

Valgrind

==99366== Memcheck, a memory error detector
==99366== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==99366== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==99366== Command: ./vim -u NONE -X -Z -e -s -S id:000000,sig:11,src:013242+022204,time:17320933,execs:2959795,op:splice,rep:2 -c :qa!
==99366== 
==99366== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==99366== 
==99366== Process terminating with default action of signal 11 (SIGSEGV)
==99366==    at 0x4E31A97: kill (syscall-template.S:78)
==99366==    by 0x28B7C9: may_core_dump (os_unix.c:3529)
==99366==    by 0x28B781: mch_exit (os_unix.c:3495)
==99366==    by 0x3FADEC: getout (main.c:1726)
==99366==    by 0x24F54D: preserve_exit (misc1.c:2217)
==99366==    by 0x289482: deathtrap (os_unix.c:1175)
==99366==    by 0x4E3183F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.28.so)
==99366==    by 0x483573D: malloc (vg_replace_malloc.c:299)

Proof of Concept

./vim -u NONE -e -s -S crash_input
Segmentation fault

https://github.com/GreaterGoodest/vim-pocs/blob/master/crash_input
