The website security expert Armin Razmjou has reported the finding of remote command execution vulnerability in Vim and Neovim, considered a high severity flaw. The compromised tools are the most powerful and used to edit command lines and are pre-installed on most Linux-based operating systems.
On Linux systems, the Vim editor allows users to create, view, or edit any file, including text, programming scripts, and documents, if they so desire. The vulnerability was detected in Vim; however, because Neovim is only an extended version of Vim with some plugin improvements, this vulnerability also resides in it.
In its report, the website security specialist mentions that the vulnerability lies in the way that Vim handles a feature called “modelines”, which is enabled by default to automatically find and apply a set of custom preferences set by the creator of a file.
The expert mentions that, although the editor only allows a subset of operations in “modelines” for security, in addition to using the sandbox environment as a protection, it is possible to use the “:source!” command to omit the sandbox.
Therefore, when you open a specially designed and seemingly harmless Vim or Neovim file, a threat actor could execute arbitrary commands on the compromised Linux system and take control of the computer.
The expert also published two proofs of concept; one of these tests was performed in a real scenario in which a hacker gets remote access to a reverse shell from the victim’s system after the target of the attack opens a Vim file.
Vim developers launched security updates for both versions, so website security specialists from the International Institute of Cyber Security’s (IICS) recommend Linux system administrators to install these corrections as soon as possible.
If it is not possible for administrators to install updates at this time, some security recommendations are:
- Disable the “modelines” function
- Disable “modelineexpr” to not allow expressions in the modelines
- Use “securemodelines plugin”, a safe alternative to this feature