Arbitrary command execution on Windows in vim/vim
Reported on
Jul 10th 2023
Description
Opening a file from an untrusted directory can lead to execution of arbitrary commands on Windows. The attack only needs a malicious file in that directory whose name matches a trusted executable (for example a perl.bat next to the opened Perl file): when a command is started by bare name, Windows searches the current directory before the directories listed in PATH, so the attacker's file is the one that runs.
Several built-in plugins execute commands when a file is opened. For example, the Perl plugin (runtime/ftplugin/perl.vim) executes the perl command when a Perl file is opened.
Proof of Concept
- Create a perl.bat file (perl or perl.exe works too) containing the command you want to execute, for example:
  @echo off
  echo hacked! > pwned.txt
- Enable filetype detection and filetype plugins, for example by adding this to your .vimrc:
  filetype plugin on
- Open any Perl file from the same directory as the perl.bat file:
  vim test.pl
- The command from the perl.bat file is executed, creating a pwned.txt file in the current directory.
Additional information
This vulnerability can be exploited through other plugins, like zip.vim (runtime/ftplugin/zip.vim), which executes the unzip command when opening a zip file.
This vulnerability is similar to CVE-2021-3013 and CVE-2022-41953.
Note that this affects every plugin that executes commands (makes calls to system()) on Windows systems, not only the two named here.
I was able to reproduce this on Windows 10 with GVim, Vim on PowerShell and Vim on the normal CMD.
Possible fixes
- Use absolute paths when executing commands.
- Set the NeedCurrentDirectoryForExePath environment variable when executing commands on Windows systems (maybe make it an opt-in option?). Note: the environment variable that cmd.exe honours to drop the current directory from its executable search is named NoDefaultCurrentDirectoryInExePath; NeedCurrentDirectoryForExePath is the Win32 function that reads it.
- Maybe there is an option to avoid this behavior in CreateProcessW? Caveat: system() hands the command line to cmd.exe (Vim's 'shell' on Windows), and cmd.exe performs its own lookup of bare command names, so a CreateProcessW-level change alone would not cover commands run through the shell.
- Prevent plugins from executing commands from untrusted directories by default (similar to VSCode).
- Others?
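The following is an added example of the first fix (use an absolute path and refuse a binary that resolves into the current directory), written as a guard an ftplugin could apply before calling system(); it is not code from Vim's runtime files or from the patch discussed below. The names s:SafeExepath(), s:RunTrusted() and s:perl_inc are hypothetical, and the perl argument string is this example's own illustration, not a quote of perl.vim. It assumes that exepath() on Windows resolves through the same search the shell uses, so that a perl.bat in the current directory is visible to the check.

```vim
" Added example (not from Vim's runtime files): a guard that an ftplugin can
" use instead of calling a bare command name through system().
" s:SafeExepath(), s:RunTrusted() and s:perl_inc are hypothetical names.

" Resolve a bare command name to an absolute path, but refuse it when the
" resolved file lives in the current working directory, which is where an
" untrusted perl.bat or unzip.exe dropped next to the opened file ends up.
function! s:SafeExepath(cmd) abort
  let l:path = exepath(a:cmd)
  if empty(l:path)
    return ''
  endif
  " ':p:h' on a directory name gives the directory without its trailing
  " separator, so both sides are compared in the same form.  '==?' ignores
  " case, as Windows file systems do.
  let l:exe_dir = fnamemodify(l:path, ':p:h')
  let l:cwd = fnamemodify(getcwd(), ':p:h')
  if l:exe_dir ==? l:cwd
    echohl WarningMsg
    echomsg 'Refusing to run ' . a:cmd . ' found in the current directory: ' . l:path
    echohl None
    return ''
  endif
  return l:path
endfunction

" Run a tool with arguments through system(), quoting its absolute path so
" that cmd.exe does not perform its own current-directory lookup.  Returns
" '' when the tool is missing or rejected, so callers fall back to a safe
" default instead of acting on attacker-controlled output.
function! s:RunTrusted(cmd, args) abort
  let l:path = s:SafeExepath(a:cmd)
  if empty(l:path)
    return ''
  endif
  return system(shellescape(l:path) . ' ' . a:args)
endfunction

" Usage in the style of perl.vim: ask perl for @INC to build 'path', and
" fall back to the current file's directory when perl cannot be run safely.
" (The argument string is this example's, not a quote of the runtime file.)
if !exists('perlpath')
  let s:perl_inc = s:RunTrusted('perl', '-e "print join(q/,/,@INC)"')
  if empty(s:perl_inc) || v:shell_error
    let perlpath = '.,,'
  else
    let perlpath = substitute(s:perl_inc, '\n', '', 'g')
  endif
endif
```

Two layers are deliberate: even if exepath() were to miss the file in the current directory, the quoted absolute path handed to cmd.exe stops the shell from searching the current directory by itself. The check does not protect against a malicious file placed in a directory that appears earlier in PATH; that is a separate problem outside the scope of this report.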
Impact
An attacker can trick a user into downloading a set of files that includes a malicious executable (such as perl.bat) alongside the files the user actually wants. Opening or creating a file of a matching type in that directory is then enough for the attacker's command to run with the user's privileges.
Occurrences
perl.vim L57-L62
- Create a perl.bat file
- Open any Perl file with Vim:
  vim file.pl
Sorry, I did not get a notification for this issue here. I have pushed the patch https://github.com/vim/vim/releases/tag/v9.0.1833 which should fix the issue.
@chrisbra thanks for the quick fix! Any chance this could be fixed from the root?
https://github.com/vim/vim/blob/816fbcc262687b81fc46f82f7bbeb1453addfe0c/src/os_win32.c#L4673
Otherwise, lots of other plugins that execute commands will need to implement a similar check. Maybe document this problem on Windows, so plugin authors are aware of it.
Edit: Maybe document that this problem happens on Windows, so plugin authors are aware of it.