Linux users, beware!
If you haven’t recently updated your Linux operating system, especially the command-line text editor utility, do not even try to view the content of a file using Vim or Neovim.
Security researcher Armin Razmjou recently discovered a high-severity arbitrary OS command execution vulnerability (CVE-2019-12735) in Vim and Neovim—two most popular and powerful command-line text editing applications that come pre-installed with most Linux-based operating systems.
On Linux systems, Vim editor allows users to create, view or edit any file, including text, programming scripts, and documents.
Since Neovim is just an extended forked version of Vim, with better user experience, plugins and GUIs, the code execution vulnerability also resides in it.
Code Execution Flaw in Vim and Neovim
Razmjou discovered a flaw in the way Vim editor handles “modelines,” a feature that’s enabled-by-default to automatically find and apply a set of custom preferences mentioned by the creator of a file near the starting and ending lines in the document.
Though the editor only allows a subset of options in modelines (for security reasons) and uses sandbox protection if it contains an unsafe expression, Razmjou revealed that using “:source!” command (with a bang [!] modifier) can be used to bypass the sandbox.
Therefore, just opening an innocent looking specially crafted file using Vim or Neovim could allow attackers to secretly execute commands on your Linux system and take remote control over it.
The researcher has also released two proof-of-concept exploits to the public, one of which demonstrates a real-life attack scenario wherein a remote attacker gains access to a reverse shell from the victim’s system as soon as he/she opens a file on it.
The maintainers of Vim (patch 8.1.1365) and Neovim (released in v0.3.6) have released updates for both utilities to address the issue, which users should install as soon as possible.
Besides this, the researcher has also recommended users to:
- disable modelines feature,
- disable “modelineexpr” to disallow expressions in modelines,
- use “securemodelines plugin,” a secure alternative to Vim modelines.