CVE-2005-2368
CVSS 9.3
Published: 2005-07-26 00:00:00
Last revised: 2010-10-18 00:00:00

[Original] vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.


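[CNNVD] Vim modelines arbitrary command execution vulnerability (CNNVD-200507-256)

        vim is an advanced text editor for UNIX.
        vim 6.3 versions before 6.3.082 have an arbitrary command execution vulnerability. With modelines enabled, attackers who need the assistance of an external user can execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression used to calculate fold levels.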

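- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]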

- CWE (weakness category)

CWE-78 [Improper neutralization of special elements used in an OS command (OS command injection)]

- CPE (affected platforms and products)

cpe:/a:vim_development_group:vim:6.3.081
cpe:/a:vim_development_group:vim:6.3.030
cpe:/a:vim_development_group:vim:6.3.025
cpe:/a:vim_development_group:vim:6.3.011
cpe:/a:vim_development_group:vim:6.3
cpe:/a:vim_development_group:vim:6.3.044

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11302 vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacte...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2368
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2368
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-256
(Official data source) CNNVD

- Other links and resources

http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html
(VENDOR_ADVISORY)  MISC  http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035402.html
(VENDOR_ADVISORY)  FULLDISC  20050725 Help poor children in Uganda
http://www.securityfocus.com/bid/14374
(UNKNOWN)  BID  14374
http://www.redhat.com/support/errata/RHSA-2005-745.html
(UNKNOWN)  REDHAT  RHSA-2005:745

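- Vulnerability information

Vim modelines arbitrary command execution vulnerability
High risk  Input validation
2005-07-26 00:00:00 2006-08-28 00:00:00
Remote
        vim is an advanced text editor for UNIX.
        vim 6.3 versions before 6.3.082 have an arbitrary command execution vulnerability. With modelines enabled, attackers who need the assistance of an external user can execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression used to calculate fold levels.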

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. The patch is available at:
        http://vim.sourceforge.net/download.php

- Vulnerability information

18266
Vim Modelines expr:foldexpr Arbitrary Command Execution

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-07-25 Unknown
2005-07-25 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Vim ModeLines Further Variant Arbitrary Command Execution Vulnerability
Input Validation Error 14374
Yes No
2005-07-25 12:00:00 2009-07-12 04:06:00
Discovery of this issue is credited to Georgi Guninski.

- Affected software versions

VIM Development Group VIM 6.3 .081
VIM Development Group VIM 6.3 .080
VIM Development Group VIM 6.3 .045
VIM Development Group VIM 6.3 .044
+ OpenPKG OpenPKG Current
VIM Development Group VIM 6.3 .030
+ OpenPKG OpenPKG 2.2
VIM Development Group VIM 6.3 .025
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
VIM Development Group VIM 6.3 .011
+ OpenPKG OpenPKG 2.1
VIM Development Group VIM 6.3
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
VIM Development Group VIM 6.2
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Red Hat Fedora Core1
+ SCO OpenLinux Server 3.1.1
+ SCO OpenLinux Workstation 3.1.1
VIM Development Group VIM 6.1
+ Conectiva Linux 8.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Sun Cobalt Qube 3
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ 550
+ Sun Cobalt RaQ XTR
+ Sun Linux 5.0.6
VIM Development Group VIM 6.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
VIM Development Group VIM 5.8
VIM Development Group VIM 5.7
+ Caldera OpenLinux 2.3
+ Red Hat Linux 6.2
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
+ RedHat Linux 5.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.2
+ S.u.S.E. Linux 6.1
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
VIM Development Group VIM 5.6
VIM Development Group VIM 5.5
VIM Development Group VIM 5.4
VIM Development Group VIM 5.3
VIM Development Group VIM 5.2
VIM Development Group VIM 5.1
VIM Development Group VIM 5.0
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
SGI ProPack 3.0 SP6
SCO OpenLinux Workstation 3.1.1
SCO OpenLinux Server 3.1.1
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Conectiva Linux 10.0
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Network Routing
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Integrated Management 2.1
Avaya Integrated Management
Avaya CVLAN
Avaya Converged Communications Server 2.0
VIM Development Group VIM 6.3 .082

- Unaffected software versions

VIM Development Group VIM 6.3 .082

- Vulnerability discussion

Vim is susceptible to an arbitrary command execution vulnerability with ModeLines. This issue is due to insufficient sanitization of user-supplied input.

By modifying a text file to include ModeLines containing the 'glob()' or 'expand()' functions with shell metacharacters, attackers may cause arbitrary commands to be executed.

This vulnerability allows an attacker to execute arbitrary commands with the privileges of the vim user. This gives an attacker the ability to gain remote access to computers running the vulnerable software.

This issue is similar to BIDs 6384 and 11941.

- Exploit

An exploit is not required. Examples sufficient to demonstrate this vulnerability are located in the referenced document from Georgi Guninski.

- Solution

The vendor has released patches to address this issue. Both patches should be applied to resolve this issue:

Ubuntu advisory USN-154-1 is available to address this issue. Please see the referenced advisory for more information.

Trustix has released advisory TSLSA-2005-0038 to address various issues. Please see the referenced advisory for more information.

Conectiva Linux has released security advisory CLSA-2005:995 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

RedHat Fedora has released security advisories FEDORA-2005-737 and FEDORA-2005-738 addressing this issue for Fedora Core 3 and Core 4. Please see the referenced advisories for further information.

RedHat Fedora has released security advisory FEDORA-2005-741 addressing this issue for Fedora Core 3. Please see the referenced advisory for further information.

Mandriva has released advisory MDKSA-2005:148, along with fixes to address this issue. Please see the referenced advisory for further information.

Red Hat has released advisory RHSA-2005:745-10 to address this issue. Please see the referenced advisory for more information.

Avaya has released advisory ASA-2005-189 detailing various Avaya products affected by this issue. Please see the referenced advisory for further information.

SGI has released Security Update #46 to address this and other issues for SGI Propack 3 Service Pack 6. Please see the referenced advisory for further information.


SGI ProPack 3.0 SP6

VIM Development Group VIM 5.7

VIM Development Group VIM 6.0

VIM Development Group VIM 6.1

VIM Development Group VIM 6.2

VIM Development Group VIM 6.3 .030

VIM Development Group VIM 6.3 .045

VIM Development Group VIM 6.3

VIM Development Group VIM 6.3 .080

VIM Development Group VIM 6.3 .025

- Related references
