Vulnerability in Vim leading to code execution when a malicious file is opened

A vulnerability (CVE-2019-12735) has been found in the Vim and Neovim text editors that allows arbitrary code to be executed when a specially crafted file is opened. The problem manifests itself when modeline mode (":set modeline"), which is enabled by default, is active; modeline lets the file being processed define its own editing options. The vulnerability is fixed in Vim 8.1.1365 and Neovim 0.3.6.

Only a limited number of options can be set through a modeline. If an expression is specified as an option value, it is evaluated in sandbox mode, which permits only the simplest safe operations. However, the ":source" command is among those allowed, and it accepts the "!" modifier, which runs the commands from the specified file. Thus, to execute code it is enough to put a construction like "set foldexpr=execute('\:source! some_file'):" in the modeline. Neovim does not allow the execute call, but assert_fails can be used instead.

For example, to run the "uname -a" command, simply open a file in Vim or Neovim whose first or last line says:

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

The "source! %" will read the commands from the current file and execute ":!uname -a" accordingly. The cat utility can use escape sequences to hide a given string from output. For example, in this exploit prototype when opening a file in vim, a network connection is created with shell access to the victim's system, but this file will not arouse suspicion when output to the terminal with the cat utility.

You can check whether modeline mode is active with the ":set modeline?" command. To disable it, add the line "set nomodeline" to your vimrc. Among distributions, the problem is fixed in RHEL, SUSE/openSUSE, Fedora, FreeBSD, Ubuntu, Arch Linux and others. The vulnerability remains unpatched in Debian (where modeline is disabled by default, so it does not manifest in the default configuration).
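As an added example (not from the article or the Vim project), a small Python scanner that applies the description above to a file's contents: it looks only at the lines Vim would consult for a modeline (the first and last 5 by default), flags modelines that set an expression-valued option such as fde/foldexpr, escalates when the value mentions source, execute( or assert_fails(, and reports ESC characters that could hide the line from cat. It goes slightly beyond the article by also covering Vim's other expression options (indentexpr, formatexpr, includeexpr); the sample inputs are constructed, the first one being the article's own proof-of-concept line.

```python
import re

# Vim consults only the first and last 'modelines' lines (default 5).
MODELINES = 5
# Modeline forms from :help modeline: "vi:", "vim:", "Vim:" or "ex:" after
# start-of-line or whitespace, optionally followed by "se"/"set".
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:set?\s+)?(.*)$')
# Options whose value is a Vim expression. fde/foldexpr is the one the
# article describes; the others are Vim's remaining expression options.
EXPR_OPTIONS = ('fde', 'foldexpr', 'inde', 'indentexpr',
                'fex', 'formatexpr', 'inex', 'includeexpr')
# Tokens the article names as the way out of the modeline sandbox.
DANGEROUS = ('source', 'execute(', 'assert_fails(')


def scan_text(text):
    """Return a list of (line_number, reason) findings for file contents."""
    lines = text.splitlines()
    if len(lines) > 2 * MODELINES:
        checked = list(enumerate(lines[:MODELINES], 1))
        checked += list(enumerate(lines[-MODELINES:], len(lines) - MODELINES + 1))
    else:
        checked = list(enumerate(lines, 1))
    findings = []
    for lineno, line in checked:
        if '\x1b' in line:
            findings.append((lineno, 'ESC character: line may be hidden from cat output'))
        m = MODELINE_RE.search(line)
        if not m:
            continue
        options = m.group(1)
        expr_opts = [o for o in EXPR_OPTIONS if re.search(r'\b%s=' % o, options)]
        if not expr_opts:
            continue  # plain settings such as ts=4 sw=4 are harmless
        hit = [tok for tok in DANGEROUS if tok in options]
        if hit:
            findings.append((lineno, 'modeline sets %s with %s in its value' % (expr_opts[0], hit[0])))
        else:
            findings.append((lineno, 'modeline sets expression option %s' % expr_opts[0]))
    return findings


def is_suspicious(text):
    return bool(scan_text(text))


# Constructed samples: the article's proof-of-concept line, a benign modeline,
# and a line carrying a (harmless) terminal escape sequence.
POC = r':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="'
BENIGN = '# vim: set ts=4 sw=4 et:'
HIDDEN = 'looks harmless\x1b[0m'

if __name__ == '__main__':
    for name, sample in (('poc', POC), ('benign', BENIGN), ('hidden', HIDDEN)):
        print(name, scan_text(sample))
```

Run it over untrusted files before opening them, or simply keep "set nomodeline" in your vimrc as the article recommends.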

Source: opennet.ru
