FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

vim -- vulnerabilities in modeline handling: glob, expand

Affected packages
6.3 <= vim < 6.3.82
6.3 <= vim+ruby < 6.3.82
6.3 <= vim-lite < 6.3.82

Details

VuXML ID 81f127a8-0038-11da-86bc-000e0c2e438a
Discovery 2005-07-25
Entry 2005-07-31

Georgi Guninski discovered a way to construct Vim modelines that execute arbitrary shell commands. The vulnerability can be exploited by including shell commands in modelines that call the glob() or expand() functions. An attacker could trick an user to read or edit a trojaned file with modelines enabled, after which the attacker is able to execute arbitrary commands with the privileges of the user.

Note: It is generally recommended that VIM users use set nomodeline in ~/.vimrc to avoid the possibility of trojaned text files.

References

Bugtraq ID 14374
CVE Name CVE-2005-2368
URL http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html