Restricted shell escape in RVIM in vim/vim
Apr 29th 2023
A shell escape vulnerability has been discovered in the restricted version of Vim (rvim). This vulnerability allows an attacker to execute arbitrary code with the privileges of the user running Vim.
Proof of Concept
The shell escape vulnerability in the restricted version of Vim (rvim) is due to the lack of input validation and sanitization of the 'shell' variable. By setting the 'shell' variable to an unintended shell and invoking 'diffpatch', an attacker can execute arbitrary code with the privileges of the user running Vim.
:redir! > ~/.vimrc | echo "!python3 -c 'import pty; pty.spawn("/bin/bash")'" | redir END | set shell=/usr/bin/vim | diffpatch
If successfully exploited, an attacker could execute arbitrary code with the privileges of the user running Vim, and escape the restricted environment. This could lead to a complete compromise of the system or network.
Note that the vulnerability was patched on Apr 4, 2023.
It could be reproduced before patch 9.0.1440. However, the documentation for "rvim" clearly states that it only makes executing shell commands more difficult and does not make it impossible.
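A defender-side check for the fix level named above (patch 9.0.1440), written as an added example that is not part of the original report: it parses the `vim --version` banner and reports whether the build is at or past that patch. It assumes the standard banner format ("VIM - Vi IMproved 9.0", "Included patches: 1-1440"); the sample banner is constructed.

```python
"""Added example: decide whether a Vim build already carries patch 9.0.1440,
the level the report names as the first where the rvim escape no longer
reproduces. Not part of the original report."""
import re
import subprocess

FIXED_MAJOR_MINOR = (9, 0)
FIXED_PATCH = 1440  # from the report: reproducible before patch 9.0.1440

# Constructed sample banner of an unpatched 9.0 build (not real output)
SAMPLE_OLD = """VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Mar 10 2023 10:11:12)
Included patches: 1-1378
Compiled by user@host
Huge version without GUI.  Features included (+) or not (-):
"""


def parse_version(banner: str):
    """Return (major, minor, highest_included_patch) from a --version banner."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not a Vim version banner")
    major, minor = int(m.group(1)), int(m.group(2))
    highest = 0
    p = re.search(r"Included patches:\s*(.+)", banner)
    if p:
        # Patch lists look like "1-1440" or "1-200, 300-350"; keep the highest end.
        for chunk in p.group(1).split(","):
            end = chunk.strip().split("-")[-1]
            if end.isdigit():
                highest = max(highest, int(end))
    return major, minor, highest


def is_fixed(banner: str) -> bool:
    """True when the build is 9.0 with patch >= 1440, or any later release."""
    major, minor, patch = parse_version(banner)
    if (major, minor) != FIXED_MAJOR_MINOR:
        return (major, minor) > FIXED_MAJOR_MINOR  # 9.1+ restarts patch numbering
    return patch >= FIXED_PATCH


def local_vim_fixed(binary: str = "vim") -> bool:
    """Run the installed binary (assumed on PATH) and check its banner."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_fixed(out)


if __name__ == "__main__":
    print("sample build fixed:", is_fixed(SAMPLE_OLD))
```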