Arbitrary code execution in Netrw version 127, Vim 7.2b

1. Summary

Product  : Vim -- Vi IMproved, Netrw
Version  : Tested with Vim 7.2b, Netrw 127
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v5.html
	   http://www.rdancer.org/vulnerablevim-netrw.v5.tar.bz2

Lack of sanitization throughout Netrw can lead to arbitrary code execution upon
opening a directory with a crafted name.


2. Overview

``Netrw makes reading, writing, and browsing over a network connection easy!
[...] Netrw supports "transparent" editing of files on other machines using
urls [...]''

	-- Netrw Reference Manual (pi_netrw.txt)

For the new Vim version, the Netrw plugin has been updated with the new
fnameescape() and shellescape() functions.  However, not all of the vulnerable
statements have been sanitized, and Netrw is still vulnerable to arbitrary code
execution.

The latest version of the archive with code that we're using can be found at:
	``http://www.rdancer.org/vulnerablevim-latest.tar.bz2''.


Best results are achieved by running ``make test'' in the root directory of the
abovementioned archive (this advisory details the ``netrw.v5'' test case):

        -------------------------------------------
        -------- Test results below ---------------
        -------------------------------------------
        Vim version 7.2b
        zip.vim version: v21
        netrw.vim version: v127
        -------------------------------------------
        filetype.vim
          strong  : EXPLOIT FAILED
          weak    : EXPLOIT FAILED
        tarplugin : EXPLOIT FAILED
        tarplugin.updated: EXPLOIT FAILED
        zipplugin : EXPLOIT FAILED
        zipplugin.v2: EXPLOIT FAILED
        xpm.vim
          xpm     : EXPLOIT FAILED
          xpm2    : EXPLOIT FAILED
          remote  : EXPLOIT FAILED
        gzip_vim  : EXPLOIT FAILED
        netrw     : EXPLOIT FAILED
        netrw.v2  : EXPLOIT FAILED
        netrw.v3  : VULNERABLE
        netrw.v4  : EXPLOIT FAILED
    --> netrw.v5  : VULNERABLE


3. Vulnerability

Few unsanitized statements still remain in ``netrw.vim'':

	$ grep -n exe ~/.vim/autoload/netrw.vim|grep -v -e escape -e Decho -e executable | wc -l
	239

We will exploit the part of code where upon opening a directory, a string of
keyboard mappings is loaded, using the ``execute'' command, with no
sanitization of the ``b:netrw_curdir'' variable, which holds the current
directory name:

        1709    if s:didstarstar || !mapcheck("<s-up>","n")
        1710     nnoremap <buffer> <silent> <s-up>   :Pexplore<cr>
        1711    endif
        1712    if g:netrw_mousemaps == 1
        1713     nnoremap <buffer> <silent> <leftmouse>   <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
        1714     nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
        1715     nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
   -->  1716     exe 'nnoremap <buffer> <silent> <rightmouse>  <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   -->  1717     exe 'vnoremap <buffer> <silent> <rightmouse>  <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
        1718    endif
   -->  1719    exe 'nnoremap <buffer> <silent> <del>        :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   -->  1720    exe 'vnoremap <buffer> <silent> <del>        :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   -->  1721    exe 'nnoremap <buffer> <silent> D            :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   -->  1722    exe 'vnoremap <buffer> <silent> D            :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
   -->  1723    exe 'nnoremap <buffer> <silent> R            :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
   -->  1724    exe 'vnoremap <buffer> <silent> R            :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
   -->  1725    exe 'nnoremap <buffer> <silent> <Leader>m    :call <SID>NetrwMakeDir("")<cr>'
        1726    nnoremap <buffer> <F1>               :he netrw-quickhelp<cr>


4. Exploit
	
Run ``make test''.  See ``netrw.v5/Makefile'' for details.  If Vim is
vulnerable, number of times the payload has been run is printed.  Current
version of Vim will run the payload six times.


5. Mitigation

Do not use Vim to open untrusted directories or files whose path contains
untrusted directories.
