Restricted shell escape in RVIM in vim/vim

Valid

Reported on

Apr 29th 2023


Description

A shell escape has been found in the restricted version of Vim (rvim, the same as starting Vim with -Z). It lets a user who is confined to rvim run arbitrary commands with the privileges of the account running Vim.

Proof of Concept

The escape comes from rvim not restricting the 'shell' option, combined with :diffpatch using that option to launch its external patch command. The chain is: write a ~/.vimrc whose only line is a "!" command (":redir!" overwrites the file with the output of the following ":echo"), point 'shell' at the unrestricted vim binary, and run ":diffpatch". When :diffpatch starts its patch command through 'shell', the process it spawns is a full vim, which sources ~/.vimrc at startup and executes the "!python3 ..." line with no restrictions, leaving the user in an interactive shell. Note that :diffpatch takes a patch-file argument, and that if 'patchexpr' is set Vim evaluates that expression instead of running a shell command, so this path is not taken.

:redir! > ~/.vimrc | echo "!python3 -c 'import pty; pty.spawn(\"/bin/bash\")'" | redir END | set shell=/usr/bin/vim | diffpatch

Impact

If successfully exploited, a user who was only supposed to have rvim gets arbitrary command execution with the privileges of the account running Vim and is no longer confined by restricted mode. How far that reaches depends on what the account can access; on a shared host or a kiosk-style setup that rvim was meant to lock down, it can mean full compromise of the system and a foothold into the network.

Occurrences

We are processing your report and will contact the vim team within 24 hours.
a month ago
mv-00
a month ago

Researcher


Note that the vulnerability was patched on Apr 4, 2023

mv-00 modified the report
a month ago
We have contacted a member of the vim team and are waiting to hear back
25 days ago
Bram Moolenaar validated this vulnerability 6 days ago

Could be reproduced before patch 9.0.1440. However, the documentation for "rvim" clearly states that it only makes executing shell commands more difficult and doesn't make it impossible.

mv-00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar marked this as fixed in 9.0.1440 with commit 23a971 6 days ago
Bram Moolenaar has been awarded the fix bounty
This vulnerability will not receive a CVE
Bram Moolenaar published this vulnerability 6 days ago
diff.c#L1383 has been validated
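Since the maintainer's verdict pins the fix to patch 9.0.1440, the first thing an operator wants is a quick way to tell whether a given vim build carries it. The script below is an added example, not part of the huntr report or of the Vim project. It parses the text of `vim --version` (the "VIM - Vi IMproved X.Y" line and the "Included patches:" ranges, which are the real output formats) and treats any release newer than 9.0 as including the patch. The two version texts embedded in it are constructed samples, not output captured from real machines.

```shell
#!/bin/sh
# Added example (not from the huntr report or the Vim project): decide from
# `vim --version` output whether a build carries patch 9.0.1440, the release
# the maintainer names as the fix. The text is passed in as an argument so
# the check can be exercised with constructed samples offline.

# vim_has_patch_9_0_1440 VERSION_TEXT
#   returns 0 when the build is 9.0 with 1440 inside one of its
#   "Included patches" ranges, or any release newer than 9.0;
#   returns 1 when the patch is absent;
#   returns 2 when the text is not recognised as vim --version output.
vim_has_patch_9_0_1440() {
    text=$1
    # First line looks like "VIM - Vi IMproved 9.0 (2022 Jun 28, ...)".
    version=$(printf '%s\n' "$text" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    [ -n "$version" ] || return 2
    major=${version% *}
    minor=${version#* }

    # Any release after 9.0 (9.1, 10.0, ...) was cut after 9.0.1440.
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -gt 0 ]; then return 0; fi
    # 8.x and older never received this patch.
    if [ "$major" -lt 9 ]; then return 1; fi

    # 9.0: the line reads e.g. "Included patches: 1-1200, 1300-1450",
    # comma-separated ranges or single numbers. Look for one holding 1440.
    patches=$(printf '%s\n' "$text" | sed -n 's/^Included patches: *//p' | head -n 1)
    found=1
    oldifs=$IFS
    IFS=','
    for range in $patches; do
        range=$(printf '%s' "$range" | tr -d ' ')
        [ -n "$range" ] || continue
        case $range in
            *-*) lo=${range%%-*}; hi=${range##*-} ;;
            *)   lo=$range; hi=$range ;;
        esac
        if [ "$lo" -le 1440 ] && [ "$hi" -ge 1440 ]; then
            found=0
            break
        fi
    done
    IFS=$oldifs
    return $found
}

# Constructed sample outputs (not captured from real machines).
SAMPLE_PRE_FIX='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Mar 30 2023 10:00:00)
Included patches: 1-1439
Compiled by example@host'

SAMPLE_FIXED='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Apr 12 2023 10:00:00)
Included patches: 1-1200, 1300-1450
Compiled by example@host'

# report LABEL VERSION_TEXT: print a one-line verdict for the given build.
report() {
    if vim_has_patch_9_0_1440 "$2"; then
        echo "$1: patch 9.0.1440 present, rvim :diffpatch escape fixed"
    else
        echo "$1: patch 9.0.1440 absent, rvim :diffpatch escape reproducible"
    fi
}

report "sample-pre-fix" "$SAMPLE_PRE_FIX"
report "sample-fixed" "$SAMPLE_FIXED"
# Against the binary on the host: report "local vim" "$(vim --version)"
```

The check deliberately reads the patch list rather than the compile date, because distributions backport individual patches and a 9.0 build with a gap in its ranges can be older or newer than the date suggests; only the presence of 1440 in a range answers the question the maintainer's comment raises.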