CVE-2004-1138 - Unspecified vulnerability in VIM Development Group VIM

CVSS 7.2 - HIGH
  • Attack vector: LOCAL
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE
Tags: local, low complexity, vim-development-group, nessus

Summary

VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu.

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-010.NASL
    description: Updated vim packages that fix a modeline vulnerability are now available. VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. It is possible that a malicious user could create a file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-1138 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain a backported patch for this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16109
    published: 2005-01-06
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/16109
    title: RHEL 2.1 / 3 : vim (RHSA-2005:010)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:010. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16109);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-1138");
      script_xref(name:"RHSA", value:"2005:010");
    
      script_name(english:"RHEL 2.1 / 3 : vim (RHSA-2005:010)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated vim packages that fix a modeline vulnerability are now
    available.
    
    VIM (Vi IMproved) is an updated and improved version of the vi
    screen-based editor.
    
    Ciaran McCreesh discovered a modeline vulnerability in VIM. It is
    possible that a malicious user could create a file containing a
    specially crafted modeline which could cause arbitrary command
    execution when viewed by a victim. Please note that this issue only
    affects users who have modelines and filetype plugins enabled, which
    is not the default. The Common Vulnerabilities and Exposures project
    has assigned the name CVE-2004-1138 to this issue.
    
    All users of VIM are advised to upgrade to these erratum packages,
    which contain a backported patch for this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1138"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:010"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-X11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-minimal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:010";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"vim-X11-6.0-7.19")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"vim-common-6.0-7.19")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"vim-enhanced-6.0-7.19")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"vim-minimal-6.0-7.19")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"vim-X11-6.3.046-0.30E.1")) flag++;
      if (rpm_check(release:"RHEL3", reference:"vim-common-6.3.046-0.30E.1")) flag++;
      if (rpm_check(release:"RHEL3", reference:"vim-enhanced-6.3.046-0.30E.1")) flag++;
      if (rpm_check(release:"RHEL3", reference:"vim-minimal-6.3.046-0.30E.1")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim-X11 / vim-common / vim-enhanced / vim-minimal");
      }
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_BD9FC2BF5FFE11D9A11A000A95BC6FAE.NASL
    description: Ciaran McCreesh discovered new ways in which a VIM modeline can be used to trojan a text file. The patch by Bram Moolenaar reads : Problem: Unusual characters in an option value may cause unexpected behavior, especially for a modeline. (Ciaran McCreesh) Solution: Don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19103
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19103
    title: FreeBSD : vim -- vulnerabilities in modeline handling (bd9fc2bf-5ffe-11d9-a11a-000a95bc6fae)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-52-1.NASL
    description: Ciaran McCreesh found several vulnerabilities related to the use of options in Vim modeline commands, such as
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20670
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20670
    title: Ubuntu 4.10 : vim vulnerability (USN-52-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-036.NASL
    description: Updated vim packages that fix security vulnerabilities are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. An attacker could create a text file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim using VIM. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-1138 to this issue. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain backported patches for these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17170
    published: 2005-02-22
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17170
    title: RHEL 4 : vim (RHSA-2005:036)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-003.NASL
    description: Several
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16116
    published: 2005-01-07
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16116
    title: Mandrake Linux Security Advisory : vim (MDKSA-2005:003)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200412-10.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200412-10 (Vim, gVim: Vulnerable options in modelines) Gentoo
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15971
    published: 2004-12-15
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15971
    title: GLSA-200412-10 : Vim, gVim: Vulnerable options in modelines

Oval

accepted: 2013-04-29T04:20:21.620-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu.
family: unix
id: oval:org.mitre.oval:def:9571
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu.
version: 26

Redhat

advisories:
  • rhsa
    id: RHSA-2005:010
  • rhsa
    id: RHSA-2005:036
rpms:
  • vim-X11-1:6.3.046-0.30E.1
  • vim-common-1:6.3.046-0.30E.1
  • vim-debuginfo-1:6.3.046-0.30E.1
  • vim-enhanced-1:6.3.046-0.30E.1
  • vim-minimal-1:6.3.046-0.30E.1
  • vim-X11-1:6.3.046-0.40E.4
  • vim-common-1:6.3.046-0.40E.4
  • vim-debuginfo-1:6.3.046-0.40E.4
  • vim-enhanced-1:6.3.046-0.40E.4
  • vim-minimal-1:6.3.046-0.40E.4