Description

Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems, this is possible by having a malicious file with the same name as a trusted executable, Windows gives priority to the current directory when searching for executables.

Several built-in plugins execute commands when opening files, for example, the Perl plugin (runtime/ftplugin/perl.vim) executes the perl command when opening a Perl file.

Proof of Concept

• Create a perl.bat file (perl or perl.exe works too) with the command you want to execute, for example:

@echo off
echo hacked! > pwned.txt

• Enable filetype detection, you can add this in your .vimrc:

filetype plugin on

• Open any Perl file from the same directory as the perl.bat file.

vim test.pl

• The command from the perl.bat file will be executed, creating a pwned.txt file in the current directory.

Additional information

This vulnerability can be exploited by other plugins, like zip.vim (runtime/ftplugin/zip.vim) which executes the unzip command when opening a zip file.

This vulnerability is similar to CVE-2021-3013 and CVE-2022-41953. Note that this affects all plugins that execute commands (make calls to system()) on Windows systems.

I was able to reproduce this on Windows 10 with GVim, Vim on Powershell and Vim on the normal CMD.

Possible fixes

• Use absolute paths when executing commands.
• Set the NeedCurrentDirectoryForExePath environment variable when executing commands on Windows systems (maybe make it an opt-in option?).
• Maybe there is an option to avoid this behavior in CreateProcessW?
• Prevent plugins from executing commands from untrusted directories by default (similar to VSCode).
• Others?

Impact

An attacker can trick a user into downloading the malicious files, and by opening or creating some files in this directory can lead to the attacker to execute arbitrary commands.