back to article This is grim, Vim and Neovim: Opening this crafty file in your editor may pwn your box. Patch now if not already

Proof-of-concept text files are now available that, when opened in a vulnerable installation of the Vim and Neovim, will execute commands on the underlying machine, or even open a backdoor. Bug-hunter Armin Razmjou this week documented a security hole, designated CVE-2019-12735, in the popular text and source code editors that …

  1. Brian Miller

    Disable "all"

    Disable mode lines, disable JavaScript, disable Bash, disable /bin/sh, disable the whole freakin' computer! and you'll be so completely safe.

    Yeah, and then they'll find security holes with the Hollerith machine. You realize that the Babbage engine is the only safe computer, primarily because it's never been built, right?

    1. bazza Silver badge

      Re: Disable "all"

      The most pedantic of security types would say that having any ability to run any code that the system administrator didn't put there is asking for trouble. For example back in the days of DOS it was possible to use the built in debugger to assemble assembly into a .com executable. Very useful for virus writers apparently! The best thing back then was to delete debug.exe, eliminating a lot of virus threats.

      Arguably having an editor that can, seemingly, execute stuff by design is asking for trouble....

      1. jake Silver badge

        Re: Disable "all"

        Not just virus writers. Redirecting a text file containing simple assembler into debug was an accepted way to produce .com files.

        However, to be fair, ME-DOS wasn't really an OS, it was a program loader with absolutely zero protection against anything even remotely resembling malware. From a security standpoint, MS-DOS was a nightmare right from the git-go all the way through to Win98 (and WinME, not that anybody ever used the kludge).

        1. Allan George Dyer
          Coat

          Re: Disable "all"

          "From a security standpoint, MS-DOS was a nightmare"

          But networking was an add-on, so you only needed to defend against local attacks, not against every criminal on the planet. Lock your door, and you've dealt with most local attackers too.

          Icon: where's my keys?

          1. AndrueC Silver badge
            Joke

            Re: Disable "all"

            Plus, with only 640kB of RAM, just how much trouble could you get into?

        2. LewisRage

          Re: Disable "all"

          "WinME, not that anybody ever used the kludge"

          As a youngling in the back room assembling PC's for a highstreet retailer at that time I can assure you that lots of people were using it. Perhaps not in the office but the home crowd were heavily invested whether they liked it or not.

      2. jake Silver badge

        Re: Disable "all"

        "Arguably having an editor that can, seemingly, execute stuff by design is asking for trouble...."

        Nah. It's off by default in serious distributions. The cognizant user can choose to turn it on when needed, wanted or required. It's not the fault of the editor if the administrator (or distro maintainer) is clueless.

        "A poor workman always blames his tools."

      3. Anonymous Coward
        Anonymous Coward

        Re: Disable "all"

        For example back in the days of DOS it was possible to use the built in debugger to assemble assembly into a .com executable.

        Hah! Real men would use "copy con > runme.com"

        :)

      4. teknopaul

        Re: Disable "all"

        Re: "Exectue stuff by design" modelines are for setting tab width inside vim and generally setting up vim for the specific file being loaded.

        Be nice if my IDE did that!

        Seems to me this is just a bug it the implementation. Its not like embeded VBA in microsoft docs.

      5. Brian Miller

        Re: Disable "all"

        I actually did do 'copy con program.com' as a stunt. And I did a fair amount of debugging using debug, on things with no symbols. Skills very handy these days amongst a generation that can't write C or even get something done without a library to call.

        Modelines are not a bad thing. It's nice to be able to set up indents and such. Should a modeline run a full script? Not without asking.

        1. Fred Flintstone Gold badge

          Re: Disable "all"

          I used it more to quickly riff a batchfile - I hate doing repetitive things if I have the means to automate them :).

    2. phuzz Silver badge
      Stop

      Re: Disable "all"

      "You realize that the Babbage engine is the only safe computer, primarily because it's never been built, right?"

      There's two working Difference Engines, one at the Science Museum in London, and one at the Computer History Museum in California. Both are fully working.

      1. adam 40 Silver badge

        I had a dream

        Where I gave a virus to Ada Lovelace....

        ... or was that Linda Lovelace? I always get mixed up between those two.

        One had a head for numbers....

      2. Mike 16

        Difference Engine

        I am sorry to report that the one from the Computer History Museum is, well, _from_ the Computer History Museum. Its owner has reclaimed it and moved it a ways north.

        Some nit-picks:

        The difference Engines are not computers. More like a Systolic Array (or a stack of adding machines) feeding a "typesetter" (which is not quite that either).

        There are more than 2 Difference Engines in the world, unless you consider the two from the Science Museum to be the only ones that count. For example:

        http://www.meccano.us/difference_engines/index.html

        Which lists several, some made from Lego, some Mecanno, and at least one made (in 1859) of the sort of materials one would expect from a proper Victorian Computer.

  2. Doctor Syntax Silver badge

    "it is still a good idea to update your copy of Vim or Neovim to the latest version"

    Or switch to nvi instead.

    1. jake Silver badge

      Or elvis.

      Or gritter's traditional vi. Or whatever other version floats your boat. Let's face it, for 98.5%[0] of editing tasks, they all work exactly the same.

      [0] Our percentage. STR, win a beer.

      1. Anonymous Coward
        Alert

        Re: Or elvis.

        I always use "vi" - longstanding force of habit. But under the hood it's vim :-(

        Just tried on mac:

        $ brew update

        $ vim --version

        VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Feb 22 2019 18:22:38)

        Included patches: 1-503, 505-680, 682-1283

        Whoops!

        1. AndrueC Silver badge
          Thumb Up

          Re: Or elvis.

          I rarely do anything Unix these days but VI is also my preferred editor on the rare occasions when I need to edit a file. That stems back from my second job in the late 80s when I was developing software for SCO Xenix and Unix. At the time some other people used Emacs but the problem was that we had a variety of terminals in use and they weren't always correctly configured. That meant rendering or keyboard issues.

          The great thing about VI was that it worked on any terminal. And even if somehow you found a terminal that it didn't, you could always drop down to EX.

          The funny thing is that after that job (which only lasted a couple of years) there was a long gap - about 20 years - when I didn't touch anything Unix. It was Windows all the way. Then one day I had to modify a text file on a test server so I launched VI and weirdly knew all the cursor keys and editing commands. I was even able to do a search and replace without thinking about it.

          1. LewisRage

            Re: Or elvis.

            I still have to google how to save and exit

            1. AndrueC Silver badge
              Happy

              Re: Or elvis.

              From memory I can think of:

              [ESC]:x[RETURN]

              [ESC]:wq[RETURN]

              [ESC]ZZ

              and if you don't want to save:

              [ESC]:q![RETURN]

              I also prefer the C-Shell. I've always liked its command history list mechanism. I used to be able to keep track of the last few commands in my head and use search/replace to execute new ones. Occasionally a colleague would borrow my terminal and when I got back to it I'd be annoyed and confused by the unexpected history list.

              Being able to cursor through prior commands is nice but if your terminal doesn't support it then:

              !-3:s^fred^jim

              Is your friend :)

          2. adam 40 Silver badge

            Re: Or elvis.? When I were a lad...

            ... EX? We used ed, on a line terminal, and we thought we was lucky!!!

            1. jake Silver badge

              Re: Or elvis.? When I were a lad...

              We toggled switches on front panels. It worked, but I can't say we liked it.

  3. Kevin McMurtrie Silver badge
    Coat

    Smug

    Ah, 15 minutes where I can feel good about only knowing how to use nano. What, time is up? Hey, I didn't even sit down yet...

    1. jake Silver badge

      Re: Smug

      Isn't that roughly the same as being smug about only knowing how to use a flat-bladed screwdriver?

      Tools are tools ... Shirley it's better to know how and when to instead use a Phillips, a Robertson, a Torx, a Frearson & etc?

      1. STOP_FORTH Silver badge
        Happy

        Re: Smug

        You are being too prescriptivist. If I want to use my chisels as screwdrivers and my screwdrivers as bolsters, that's my look-out!

      2. phuzz Silver badge

        Re: Smug

        If you can use a flat bladed screwdriver then you can use any other kind.

        Plus, in a pinch, a suitably sized flatblade can be jammed into most other types of screws, or you can just get the angle grinder out and cut a new slot. Can't do that with a torx!

        1. Anonymous Coward Silver badge
          Alert

          Re: Smug

          No, but if the only driver you've got is torx, place it on the screw head and apply a suitably large hammer...

          1. Captain Scarlet
            Unhappy

            Re: Smug

            Better be a good tool, or it'll shatter like my cheap Torx screw drivers

          2. Robert Helpmann??
            Coat

            Re: Smug

            ...place it on the screw head and apply a suitably large hammer...

            You almost had it! The proper solution is to simply use the hammer. It will either solve the problem or make moot.

    2. Colin Bull 1
      Joke

      Re: Smug

      I cannot get use to nano. When i hit the J key to cursor down it enters a j instead. What moron programmed that?

    3. NonSSL-Login
      Joke

      Re: Smug

      Doesn't really make up for the 30 minutes wasted trying to quit out of Vim in the past but,,,,I feel ya!

  4. Notas Badoff

    which features should be off by default as released?

    Just for the record, I don't remember a version of Vim release notes that hasn't mentioned that modelines could be a security concern. That's like two decades? Anyway, like Jake's comment above, this is not a new issue, just a new POC. So the argument comes down to: which features should be off by default as released. I guess the top comment has an opinion there.

    1. Mike 16

      Re: which features should be off by default as released?

      -- That's like two decades? --

      Sounds about right. I recall a post on UseNet about abusing the modeline to create a "viral email". This was back when The Cognoscenti were telling all and sundry that such a thing as an "Email Virus: was technically impossible. So, before ILoveYou, early 2000.

      1. jake Silver badge

        Re: which features should be off by default as released?

        "This was back when The Cognoscenti were telling all and sundry that such a thing as an "Email Virus: was technically impossible."

        Eh? Those of us who used delivermail on 4BSD (call it 1980) knew damn day well that email viruses were a possibility, and probably inevitable. Sendmail made the concept almost trivial to implement.

  5. Anonymous South African Coward Bronze badge
    Joke

    Or use EDLIN?

    1. Peter Gathercole Silver badge

      EDLIN

      Don't be stupid. The equivalent *nix editor is ed, which has been around for a lot longer than EDLIN.

      As a UNIX user who first used Bell Labs. Edition 6, which did not have any screen editor, I have always felt that all Unix users should at least know a little about how to use ed, bearing in mind it teaches you a lot about sed and editor regexp syntax (which you have to learn, otherwise you can't really do anything in ed!)

      1. jake Silver badge

        Re: EDLIN

        To be fair, our anonymous South African friend might be using Vim on a 32-bit version of Windows. Unlikely, true, but it's possible. I guess. If you squint.

        I use ed daily, usually in scripts. Kinda handy to keep it in your fingers muscle memory. Every now and then I run across a *nix box that has had all other editors stripped out "to save space".

        1. Reg Reader 1

          Re: EDLIN

          For those us with less experience than many of you here there is Ed Mastery https://mwl.io/nonfiction/tools#ed

          I have no relationship with the author other than appreciating his work.

        2. Peter Gathercole Silver badge

          Re: EDLIN @jake

          I do also use ed in scripts, with here documents. But more often than not, I will used sed, or for more complex operations, awk (never really got in to perl, which I feel is too complex for many things that I do).

          Ed is useful if you don't want the hassle of writing to another files and renaming, but as I am often wanting to keep the old, unmodified file, the extra step of shuffling the files around is not really much of an issue.

  6. Christian Berger

    To be fair

    that feature is disabled by default on most distributions, so it's not much of an issue.

    Still patches are necessary and good, particularly since vim is not the type of software that gets many regressions or missfeatures.

  7. Anonymous Coward Silver badge
    Boffin

    So, dump vi(m)

    I stopped using vi(m) many years ago when I finally learned how to instruct butterflies

    Hang on, does that still work on SSDs???

    1. Korev Silver badge
      Coat

      Re: So, dump vi(m)

      Yes, it's all over in a flash though...

  8. Anonymous Coward
    Holmes

    I knew there was a reason I used nano.

    1. phuzz Silver badge
      Joke

      Yes, because unlike vi/vim/neovim etc. it's possible to quit nano without using the Konami code.

      1. Anonymous Coward
        Anonymous Coward

        The one bit of VI you need to know:

        [escape] q! [enter]

        which quits without saving any changes.

        Sharply followed by:

        echo 'VISUAL=nano' >> ~/.zshrc

        ( or ~/.bashrc )

        1. Anonymous Coward
          Paris Hilton

          Sorry:

          export VISUAL=nano

  9. Anonymous Coward
    Anonymous Coward

    It appears to be a default issue under MacOS

    I haven't run the test, but the vim in MacOS 10.14.5 is dated Sep 12 2016, v8.0, and there's no trace of any init files nor of the helpfiles as far as I can see, the /usr/local/lib/vim/ directory listed in the man page doesn't even exist. There's only a .viminfo in the user homedirectory, generated by vim 7.4.

    Well, there's always nano :).

    1. Mike 16

      Re: It appears to be a default issue under MacOS

      Seeing this is MacOS, it is probably controlled by a bunch of XML stashed in one of the Registry wannabes in folders you will soon be unable to see. And don't think that Search will save you, as you will expire long before it finishes displaying all the uses of "mode", and "line" (with various misspellings) and every string with the digraph 'vi', in every file on your computer and in various clouds.

      Jello Biafra correctly (although probably inadvertently) predicted modern computing:

      "The happiness you have demanded is now mandatory."

      1. jake Silver badge

        Re: It appears to be a default issue under MacOS

        "Message From Our Sponsor" has more meaning today than it did when I first heard it back in '87 or so ... but it has nothing to do with computers.

  10. joeW
    Alien

    "Invader Vim" gave me a chuckle.

  11. MtK
    FAIL

    gVim broke too

    This vulnerability exists in gVim on Windows too. Great.

  12. Booh
    Trollface

    Wait! What?

    Nobody has mentioned emacs yet!

    1. GrumpenKraut
      Trollface

      Re: Wait! What?

      ... neither has sed been mentioned, such a shame!

  13. BinkyTheMagicPaperclip Silver badge

    :g/i/r r!

    Nice Zim reference there..

  14. randon8154

    Saved me again

    https://packages.gentoo.org/useflags/minimal

  15. Uplink

    What took so long?

    I remember reading a very long time ago the article that said Debian disabled mode lines because they could be used to execute arbitrary commands just by opening a file. That annoyed me, because it disabled all the other nice stuff modelines provide: setting the spacing and filetype for syntax highlighting was very useful.

  16. Duncan Macdonald

    TECO

    If you want real fun try using TECO (especially when drunk!!!).

  17. Martipar
    Happy

    Just switch to EMACS

    No worries, it's just the same

  18. Hard8

    Not so fast

    >>The vulnerability is present in Vim versions prior to 8.1.1365

    Tested the POC text in Vim 5.8 (older version still widely used in embedded dev) but I only get an error message:

    "poc.txt" 2L, 76C

    Error detected while processing modelines:

    line 1:

    Unknown option: fen

    Press RETURN or enter command to continue

  19. Anonymous Coward
    Anonymous Coward

    Also worth noting that the "old but working" "securemodelines" plugin stops the PoC.

    It's at https://github.com/ciaranm/securemodelines

    I find some modelines settings useful, and simply disabling them might not be an option for everybody

    ... or upgrading Vim version, either.

    That plugin is a good middle ground IMVHO

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like