Alarm bells have started ringing for Linux users!

Yes, if you are a Linux user, do not open a file in Vim or Neovim if you haven't updated your Linux system lately, and in particular the command-line text editor itself.

Security researcher Armin Razmjou has just disclosed a high-severity arbitrary OS command execution vulnerability (CVE-2019-12735) in Vim and Neovim, two of the most popular and influential command-line text editors, which come pre-installed on most Linux-based operating systems.

On Linux systems, Vim editor lets users create, view or edit any file, including text, programming scripts, and documents.

Neovim is an extended fork of Vim with an improved user experience, plugin system and GUIs, so the same code execution flaw is present in it as well.

Razmjou found a flaw in the way the Vim editor handles "modelines," a feature that is enabled by default and automatically finds and applies a set of custom editor options specified by a file's author near the first and last lines of the document.

While the editor only allows a subset of options in modelines (for security reasons) and applies sandbox protection when a modeline contains an unsafe expression, Razmjou discovered that the ":source!" command (with the bang [!] modifier) can be used to bypass that sandbox.
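Because the flaw is triggered by modelines, a defender's first question is which files in a directory actually carry one, and whether it does anything other than set display options. The script below is an added example, not code from the article or from the Vim project. It mirrors Vim's default `modelines` setting (only the first and last 5 lines of a file are scanned) and flags modelines containing command-running tokens such as `source!`. The regex is a loose approximation of Vim's modeline syntax, the `SUSPICIOUS` token list and the sample file are constructed for this example, and the `source!` marker in the sample is a non-functional placeholder, not an exploit string.

```python
import re
from typing import List, Tuple

# Vim's default 'modelines' option: only the first and last 5 lines are checked.
MODELINES = 5

# Loose approximation of Vim's modeline syntax: "vi:", "vim:" or "ex:" at the
# start of a line or after whitespace, followed by the option text.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vim?|ex):\s*(.*)$')

# Tokens that have no place in a modeline meant only to set editor options;
# ':source!' is the one named in the advisory above (list constructed here).
SUSPICIOUS = ('source!', ':!', 'system(', 'execute(', 'libcall(')


def find_modelines(text: str, n: int = MODELINES) -> List[Tuple[int, str]]:
    """Return (1-based line number, modeline body) for every modeline that Vim
    would actually consider, i.e. only within the first and last n lines."""
    lines = text.splitlines()
    window = set(range(min(n, len(lines)))) | set(range(max(0, len(lines) - n), len(lines)))
    found = []
    for i in sorted(window):
        m = MODELINE_RE.search(lines[i])
        if m:
            found.append((i + 1, m.group(1)))
    return found


def suspicious_modelines(text: str, n: int = MODELINES) -> List[Tuple[int, str]]:
    """Subset of find_modelines() whose body contains a command-running token."""
    return [(ln, body) for ln, body in find_modelines(text, n)
            if any(tok in body for tok in SUSPICIOUS)]


# Constructed sample file (13 lines): a benign modeline on line 1, a marker on
# line 8 that sits outside the scanned window and is therefore ignored exactly
# as Vim would ignore it, and a flagged modeline on the last line.
SAMPLE_FILE = "\n".join(
    ["# vim: set ts=4 sw=4 et:"]                                   # line 1: benign
    + [f"body line {i}" for i in range(2, 8)]                      # lines 2..7
    + ["# vim: set ft=c: source! outside-the-scanned-window"]      # line 8: ignored
    + [f"body line {i}" for i in range(9, 13)]                     # lines 9..12
    + ["/* vim: set fdm=marker: source! constructed-marker */"]    # line 13: flagged
)

if __name__ == "__main__":
    for ln, body in find_modelines(SAMPLE_FILE):
        print(f"modeline at line {ln}: {body}")
    for ln, body in suspicious_modelines(SAMPLE_FILE):
        print(f"SUSPICIOUS modeline at line {ln}: {body}")
```

Run it over files received from untrusted sources before opening them in an unpatched editor. The blanket mitigation is to turn the feature off with `set nomodeline` in `~/.vimrc` (or `~/.config/nvim/init.vim`), which removes the attack surface regardless of editor version; `:set modeline?` inside the editor shows whether it is currently enabled.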

Consequently, merely opening an innocent-looking, specially crafted file in Vim or Neovim could let an attacker silently execute commands on your Linux system and take remote control of it.

The researcher has also released two proof-of-concept exploits to the public, one of which demonstrates a real-life attack scenario in which a remote attacker obtains a reverse shell from the victim's system as soon as he/she opens a file on it.

The maintainers of Vim (patch 8.1.1365) and Neovim (v0.3.6) have released updates for both editors to address the issue, which users should install as soon as possible.
