Published on June 11th, 2019
Vulnerability in Linux allows hacking a system by simply opening a Vim file
Website security expert Armin Razmjou has reported a remote command execution vulnerability in Vim and Neovim, considered a high-severity flaw. The affected tools are among the most powerful and widely used command-line editors and are pre-installed on most Linux-based operating systems.
On Linux systems, the Vim editor allows users to create, view, or edit any file, including text, programming scripts, and documents. The vulnerability was detected in Vim; however, because Neovim is an extended version of Vim with some plugin improvements, the vulnerability is also present in it.
In his report, the website security specialist mentions that the vulnerability lies in the way Vim handles a feature called “modelines”, which is enabled by default and automatically finds and applies a set of custom preferences set by the creator of a file.
The expert mentions that, although the editor only allows a subset of operations in “modelines” for security and additionally uses a sandbox environment as protection, it is possible to use the “:source!” command to bypass the sandbox.
Therefore, when a user opens a specially crafted and seemingly harmless file in Vim or Neovim, a threat actor could execute arbitrary commands on the compromised Linux system and take control of the
The expert also published two proofs of concept; one of these tests was performed in a real scenario in which a hacker obtains a reverse shell from the victim’s system after the target of the attack opens a Vim file.
Vim developers released security updates for both versions, so website security specialists from the International Institute of Cyber Security (IICS) recommend that Linux system administrators install these fixes as soon as possible.
If administrators cannot install the updates at this time, some security recommendations are:
Disable the “modelines” function
Disable “modelineexpr” to not allow expressions in the modelines
Use the “securemodelines plugin”, a safe alternative to this feature
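
As an added example (not part of the original article or the researcher's report), the following Python script lets an administrator check a file before opening it: it parses modelines in the first and last five lines and reports any that set an expression-valued option, the kind of setting that disabling “modelineexpr” blocks. The option list, function names and sample files are assumptions made for illustration.

```python
import re

MODELINES = 5  # assumption: Vim's default 'modelines' (lines checked at top and bottom)
# Assumption: non-exhaustive set of expression-valued options and their short names.
EXPR_OPTIONS = {"foldexpr", "fde", "formatexpr", "fex", "includeexpr", "inex",
                "indentexpr", "inde", "foldtext", "fdt", "statusline", "stl"}
# Prefix shared by both modeline forms: "vim: opts" and "vim: set opts:".
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|ex|[vV]im(?:[<=>]?\d+)?):\s*(?P<body>.*)$")


def parse_modeline(line):
    """Return the option words of a modeline, or None if the line has none."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    set_form = re.match(r"set?\s+(?P<opts>.*)", body)
    if set_form:
        # "set" form: options end at the first unescaped colon.
        opts = re.split(r"(?<!\\):", set_form.group("opts"), maxsplit=1)[0]
        words = re.split(r"(?<!\\)\s+", opts)
    else:
        # Plain form: options are separated by unescaped colons or whitespace.
        words = re.split(r"(?<!\\)[:\s]+", body)
    return [w for w in words if w]


def scan(text):
    """Return (line_number, option_name) for each expression option a modeline sets."""
    lines = text.splitlines()
    n = len(lines)
    candidates = sorted(set(range(min(MODELINES, n))) | set(range(max(0, n - MODELINES), n)))
    findings = []
    for i in candidates:
        for word in parse_modeline(lines[i]) or []:
            name = re.match(r"[a-z]+", word)
            if name and name.group() in EXPR_OPTIONS:
                findings.append((i + 1, name.group()))
    return findings


# Constructed sample files (benign placeholders, not taken from the report).
PLAIN_OK = "#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hi\n"
FLAGGED = "notes\n" + "body\n" * 10 + "# vim: fdm=expr fde=MyFold() ts=2\n"

if __name__ == "__main__":
    for label, sample in (("PLAIN_OK", PLAIN_OK), ("FLAGGED", FLAGGED)):
        print(label, scan(sample))
```

A non-empty result means the file asks the editor to evaluate an expression on open, so it should be reviewed with modelines disabled before being edited normally.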