Arbitrary command execution on Windows in vim/vim

Valid

Reported on

Jul 10th 2023


Description

Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems. This is possible by placing a malicious file with the same name as a trusted executable in that directory, because Windows gives priority to the current directory when searching for executables.

Several built-in plugins execute commands when opening files. For example, the Perl plugin (runtime/ftplugin/perl.vim) executes the perl command when opening a Perl file.

Proof of Concept

  • Create a perl.bat file (perl or perl.exe works too) with the command you want to execute, for example:

        @echo off
        echo hacked! > pwned.txt

  • Enable filetype detection; you can add this to your .vimrc:

        filetype plugin on

  • Open any Perl file from the same directory as the perl.bat file:

        vim test.pl

  • The command from the perl.bat file will be executed, creating a pwned.txt file in the current directory.

Additional information

This vulnerability can be exploited through other plugins as well, for example zip.vim (runtime/ftplugin/zip.vim), which executes the unzip command when opening a zip file.

This vulnerability is similar to CVE-2021-3013 and CVE-2022-41953. Note that this affects all plugins that execute commands (i.e. that call system()) on Windows systems.

I was able to reproduce this on Windows 10 with GVim, Vim in PowerShell and Vim in the normal CMD.

Possible fixes

  • Use absolute paths when executing commands.
  • Set the NeedCurrentDirectoryForExePath environment variable when executing commands on Windows systems (maybe make it an opt-in option?).
  • Maybe there is an option to avoid this behavior in CreateProcessW?
  • Prevent plugins from executing commands from untrusted directories by default (similar to VSCode).
  • Others?
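The search order behind the report (current directory first, then PATH, with PATHEXT extensions tried for a bare name) and the first two fixes listed above (skip the current directory, as NeedCurrentDirectoryForExePath does, and hand the shell an absolute path) are easier to reason about with a small model. The following is an added example, not code from the report or from Vim; the directory layout it builds is constructed, and the function names are this example's own. It also includes a defender-side audit that lists which command names a given directory would shadow.

```python
"""Added example (not part of the report or of Vim): a model of the Windows
executable search order the report relies on, plus the two mitigations it
lists (skip the current directory, as NeedCurrentDirectoryForExePath does,
and pass the shell an absolute path). The directory layout is constructed
here; the function names are this example's own."""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence

# Extensions Windows appends to a bare command name, in PATHEXT order.
DEFAULT_PATHEXT: Sequence[str] = (".COM", ".EXE", ".BAT", ".CMD")


def _candidates(directory: Path, name: str, pathext: Sequence[str]):
    """Files a command name could map to inside `directory`."""
    if Path(name).suffix:          # explicit extension given: use it as-is
        yield directory / name
    else:                          # otherwise try each PATHEXT entry in turn
        for ext in pathext:
            yield directory / (name + ext.lower())


def resolve_command(name: str, cwd: Path, path_dirs: Sequence[Path],
                    need_cwd_for_exepath: bool = False,
                    pathext: Sequence[str] = DEFAULT_PATHEXT) -> Optional[Path]:
    """Return the file the shell would run for `name`.

    The current directory is consulted before every PATH entry unless
    need_cwd_for_exepath is True, which models setting the
    NeedCurrentDirectoryForExePath environment variable.
    """
    search: List[Path] = list(path_dirs) if need_cwd_for_exepath else [cwd, *path_dirs]
    for directory in search:
        for candidate in _candidates(directory, name, pathext):
            if candidate.is_file():
                return candidate.resolve()
    return None


def shadowed_commands(directory: Path, commands: Sequence[str],
                      path_dirs: Sequence[Path]) -> List[str]:
    """Defender's check: which command names would a file in `directory`
    hijack when a plugin runs them with `directory` as the working directory?"""
    hits: List[str] = []
    for cmd in commands:
        with_cwd = resolve_command(cmd, directory, path_dirs, False)
        without_cwd = resolve_command(cmd, directory, path_dirs, True)
        if with_cwd is not None and with_cwd != without_cwd:
            hits.append(cmd)
    return hits


def absolute_invocation(name: str, path_dirs: Sequence[Path], args: str) -> Optional[str]:
    """Mitigation 'use absolute paths': build the command line from the PATH
    resolution only, so the shell never searches the current directory."""
    exe = resolve_command(name, Path.cwd(), path_dirs, need_cwd_for_exepath=True)
    if exe is None:
        return None
    return f'"{exe}" {args}'


def build_fixture() -> Dict[str, Path]:
    """Constructed layout: bin/ holds the trusted perl.exe, untrusted/ holds a
    look-alike perl.bat standing in for the report's malicious batch file."""
    root = Path(tempfile.mkdtemp(prefix="vim-cwd-demo-")).resolve()
    bin_dir, untrusted = root / "bin", root / "untrusted"
    bin_dir.mkdir()
    untrusted.mkdir()
    (bin_dir / "perl.exe").write_text("placeholder for the real interpreter\n")
    (untrusted / "perl.bat").write_text("placeholder for the look-alike file\n")
    return {"bin": bin_dir, "untrusted": untrusted}


if __name__ == "__main__":
    fx = build_fixture()
    print("default search :", resolve_command("perl", fx["untrusted"], [fx["bin"]]))
    print("cwd skipped    :", resolve_command("perl", fx["untrusted"], [fx["bin"]], True))
    print("shadowed       :", shadowed_commands(fx["untrusted"], ["perl", "unzip"], [fx["bin"]]))
    print("safe invocation:", absolute_invocation("perl", [fx["bin"]], '-e "print 1"'))
```

The model keeps only the part of the real lookup that matters for this report: on Windows the application's own directory and the system directories are also searched, and file-name matching is case-insensitive, so treat the audit as a first pass rather than a complete emulation. The point it makes stands regardless: with the default order the look-alike in the working directory wins, with the current directory excluded (or with an absolute path passed to the shell) the PATH copy is the one that runs.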

Impact

An attacker can trick a user into downloading the malicious files; opening or creating certain files in that directory then causes the attacker's arbitrary commands to be executed.

Occurrences

  • Create a perl.bat file
  • Open any perl file with vim:

        vim file.pl
We are processing your report and will contact the vim team within 24 hours. 2 months ago
We have contacted a member of the vim team and are waiting to hear back 2 months ago
Santos Gallegos modified the report
2 months ago
Christian
21 days ago

Maintainer

Sorry, I did not get a notification for this issue here. I have pushed the patch https://github.com/vim/vim/releases/tag/v9.0.1833 which should fix the issue.

Christian Brabandt validated this vulnerability 21 days ago
Santos Gallegos has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Santos Gallegos
21 days ago

Researcher

@chrisbra thanks for the quick fix! Any chance this could be fixed at the root?

https://github.com/vim/vim/blob/816fbcc262687b81fc46f82f7bbeb1453addfe0c/src/os_win32.c#L4673

Otherwise, lots of other plugins that execute commands will need to implement a similar check. Maybe document this problem on Windows, so plugin authors are aware of it.

Santos Gallegos
21 days ago

Researcher

Maybe document this problem on Windows, so plugin authors are aware of it.

Edit: Maybe document that this problem happens on Windows, so plugin authors are aware of it.

Christian Brabandt marked this as fixed in 9.0.1833 with commit 816fbc 19 days ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 19 days ago
perl.vim#L57-L62 has been validated