Vulnerabilities > CVE-2008-3075 - Code Injection vulnerability in VIM and Zipplugin.Vim

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
vim
CWE-94
critical
nessus

Summary

The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20081125_VIM_ON_SL3_X.NASL
    descriptionSeveral input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id60500
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60500
    titleScientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60500);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-3432", "CVE-2008-4101");
    
      script_name(english:"Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several input sanitization flaws were found in Vim's keyword and tag
    handling. If Vim looked up a document's maliciously crafted tag or
    keyword, it was possible to execute arbitrary code as the user running
    Vim. (CVE-2008-4101)
    
    SL3 and SL4 Only: A heap-based overflow flaw was discovered in Vim's
    expansion of file name patterns with shell wildcards. An attacker
    could create a specially crafted file or directory name that, when
    opened by Vim, caused the application to crash or, possibly, execute
    arbitrary code. (CVE-2008-3432)
    
    SL5 Only: Multiple security flaws were found in netrw.vim, the Vim
    plug-in providing file reading and writing over the network. If a user
    opened a specially crafted file or directory with the netrw plug-in,
    it could result in arbitrary code execution as the user running Vim.
    (CVE-2008-3076)
    
    SL5 Only: A security flaw was found in zip.vim, the Vim plug-in that
    handles ZIP archive browsing. If a user opened a ZIP archive using the
    zip.vim plug-in, it could result in arbitrary code execution as the
    user running Vim. (CVE-2008-3075)
    
    SL5 Only: A security flaw was found in tar.vim, the Vim plug-in which
    handles TAR archive browsing. If a user opened a TAR archive using the
    tar.vim plug-in, it could result in arbitrary code execution as the
    user runnin Vim. (CVE-2008-3074)
    
    Several input sanitization flaws were found in various Vim system
    functions. If a user opened a specially crafted file, it was possible
    to execute arbitrary code as the user running Vim. (CVE-2008-2712)
    
    Ulf Härnhammar, of Secunia Research, discovered a format string
    flaw in Vim's help tag processor. If a user was tricked into executing
    the 'helptags' command on malicious data, arbitrary code could be
    executed with the permissions of the user running Vim. (CVE-2007-2953)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0811&L=scientific-linux-errata&T=0&P=1936
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7ee91c3b"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 78, 94, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL3", reference:"vim-X11-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"SL3", reference:"vim-common-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"SL3", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"SL3", reference:"vim-minimal-6.3.046-0.30E.11")) flag++;
    
    if (rpm_check(release:"SL4", reference:"vim-X11-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"SL4", reference:"vim-common-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"SL4", reference:"vim-enhanced-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"SL4", reference:"vim-minimal-6.3.046-1.el4_7.5z")) flag++;
    
    if (rpm_check(release:"SL5", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"SL5", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"SL5", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"SL5", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-236.NASL
    descriptionSeveral vulnerabilities were found in the vim editor : A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712). Ulf H&Atilde;&curren;rnhammar of Secunia Research found a format string flaw in vim
    last seen2020-06-01
    modified2020-06-02
    plugin id36821
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36821
    titleMandriva Linux Security Advisory : vim (MDVSA-2008:236-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2008:236. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36821);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:50");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-2953", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-4677");
      script_bugtraq_id(25095);
      script_xref(name:"MDVSA", value:"2008:236-1");
    
      script_name(english:"Mandriva Linux Security Advisory : vim (MDVSA-2008:236-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities were found in the vim editor :
    
    A number of input sanitization flaws were found in various vim system
    functions. If a user were to open a specially crafted file, it would
    be possible to execute arbitrary code as the user running vim
    (CVE-2008-2712).
    
    Ulf H&Atilde;&curren;rnhammar of Secunia Research found a format
    string flaw in vim's help tags processor. If a user were tricked into
    executing the helptags command on malicious data, it could result in
    the execution of arbitrary code as the user running vim
    (CVE-2008-2953).
    
    A flaw was found in how tar.vim handled TAR archive browsing. If a
    user were to open a special TAR archive using the plugin, it could
    result in the execution of arbitrary code as the user running vim
    (CVE-2008-3074).
    
    A flaw was found in how zip.vim handled ZIP archive browsing. If a
    user were to open a special ZIP archive using the plugin, it could
    result in the execution of arbitrary code as the user running vim
    (CVE-2008-3075).
    
    A number of security flaws were found in netrw.vim, the vim plugin
    that provides the ability to read and write files over the network. If
    a user opened a specially crafted file or directory with the netrw
    plugin, it could result in the execution of arbitrary code as the user
    running vim (CVE-2008-3076).
    
    A number of input validation flaws were found in vim's keyword and tag
    handling. If vim looked up a document's maliciously crafted tag or
    keyword, it was possible to execute arbitary code as the user running
    vim (CVE-2008-4101).
    
    A vulnerability was found in certain versions of netrw.vim where it
    would send FTP credentials stored for an FTP session to subsequent FTP
    sessions to servers on different hosts, exposing FTP credentials to
    remote hosts (CVE-2008-4677).
    
    This update provides vim 7.2 (patchlevel 65) which corrects all of
    these issues and introduces a number of new features and bug fixes.
    
    Update :
    
    The previous vim update incorrectly introduced a requirement on
    libruby and also conflicted with a file from the git-core package (in
    contribs). These issues have been corrected with these updated
    packages."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 78, 94, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-X11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-minimal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"vim-X11-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"vim-common-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"vim-enhanced-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"vim-minimal-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", reference:"vim-X11-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"vim-common-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"vim-enhanced-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"vim-minimal-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.0", reference:"vim-X11-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"vim-common-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"vim-enhanced-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"vim-minimal-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_GVIM-090225.NASL
    descriptionThe VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin
    last seen2020-06-01
    modified2020-06-02
    plugin id39980
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/39980
    titleopenSUSE Security Update : gvim (gvim-561)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update gvim-561.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39980);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:34");
    
      script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4677", "CVE-2008-6235", "CVE-2009-0316");
    
      script_name(english:"openSUSE Security Update : gvim (gvim-561)");
      script_summary(english:"Check for the gvim-561 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The VI Improved editor (vim) was updated to version 7.2.108 to fix
    various security problems and other bugs.
    
    CVE-2008-4677: The netrw plugin sent credentials to all servers.
    CVE-2009-0316: The python support used a search path including the
    current directory, allowing code injection when python code was used.
    CVE-2008-2712: Arbitrary code execution in vim helper plugins
    filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed.
    CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code
    injection CVE-2008-3076: several netrw bugs, code injection
    CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677:
    credential disclosure by netrw plugin"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=406693"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=436755"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=439148"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=457098"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=465255"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=470100"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected gvim packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 78, 94, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gvim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/02/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"gvim-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"vim-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"vim-base-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"vim-data-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"vim-enhanced-7.2-9.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0580.NASL
    descriptionUpdated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id34953
    published2008-11-25
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34953
    titleRHEL 5 : vim (RHSA-2008:0580)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0580. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34953);
      script_version ("1.28");
      script_cvs_date("Date: 2019/10/25 13:36:13");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-6235");
      script_bugtraq_id(25095);
      script_xref(name:"RHSA", value:"2008:0580");
    
      script_name(english:"RHEL 5 : vim (RHSA-2008:0580)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated vim packages that fix security issues are now available for
    Red Hat Enterprise Linux 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    Vim (Visual editor IMproved) is an updated and improved version of the
    vi editor.
    
    Several input sanitization flaws were found in Vim's keyword and tag
    handling. If Vim looked up a document's maliciously crafted tag or
    keyword, it was possible to execute arbitrary code as the user running
    Vim. (CVE-2008-4101)
    
    Multiple security flaws were found in netrw.vim, the Vim plug-in
    providing file reading and writing over the network. If a user opened
    a specially crafted file or directory with the netrw plug-in, it could
    result in arbitrary code execution as the user running Vim.
    (CVE-2008-3076)
    
    A security flaw was found in zip.vim, the Vim plug-in that handles ZIP
    archive browsing. If a user opened a ZIP archive using the zip.vim
    plug-in, it could result in arbitrary code execution as the user
    running Vim. (CVE-2008-3075)
    
    A security flaw was found in tar.vim, the Vim plug-in which handles
    TAR archive browsing. If a user opened a TAR archive using the tar.vim
    plug-in, it could result in arbitrary code execution as the user
    runnin Vim. (CVE-2008-3074)
    
    Several input sanitization flaws were found in various Vim system
    functions. If a user opened a specially crafted file, it was possible
    to execute arbitrary code as the user running Vim. (CVE-2008-2712)
    
    Ulf Harnhammar, of Secunia Research, discovered a format string flaw
    in Vim's help tag processor. If a user was tricked into executing the
    'helptags' command on malicious data, arbitrary code could be executed
    with the permissions of the user running Vim. (CVE-2007-2953)
    
    All Vim users are advised to upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-2953"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-2712"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-3074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-3075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-4101"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-6235"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2008:0580"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 78, 94);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-X11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-minimal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2008:0580";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim-X11 / vim-common / vim-enhanced / vim-minimal");
      }
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GVIM-6023.NASL
    descriptionThe VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin
    last seen2020-06-01
    modified2020-06-02
    plugin id35921
    published2009-03-13
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35921
    titleopenSUSE 10 Security Update : gvim (gvim-6023)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update gvim-6023.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35921);
      script_version ("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:36");
    
      script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4677", "CVE-2008-6235", "CVE-2009-0316");
    
      script_name(english:"openSUSE 10 Security Update : gvim (gvim-6023)");
      script_summary(english:"Check for the gvim-6023 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The VI Improved editor (vim) was updated to version 7.2.108 to fix
    various security problems and other bugs.
    
    CVE-2008-4677: The netrw plugin sent credentials to all servers.
    CVE-2009-0316: The python support used a search path including the
    current directory, allowing code injection when python code was used.
    CVE-2008-2712: Arbitrary code execution in vim helper plugins
    filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed.
    CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code
    injection CVE-2008-3076: several netrw bugs, code injection
    CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677:
    credential disclosure by netrw plugin"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected gvim packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 78, 94, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gvim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/02/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.3", reference:"gvim-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"vim-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"vim-base-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"vim-data-7.2-9.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"vim-enhanced-7.2-9.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0580.NASL
    descriptionUpdated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id43697
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43697
    titleCentOS 5 : vim (CESA-2008:0580)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0580 and 
    # CentOS Errata and Security Advisory 2008:0580 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43697);
      script_version("1.17");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-6235");
      script_bugtraq_id(25095);
      script_xref(name:"RHSA", value:"2008:0580");
    
      script_name(english:"CentOS 5 : vim (CESA-2008:0580)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated vim packages that fix security issues are now available for
    Red Hat Enterprise Linux 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    Vim (Visual editor IMproved) is an updated and improved version of the
    vi editor.
    
    Several input sanitization flaws were found in Vim's keyword and tag
    handling. If Vim looked up a document's maliciously crafted tag or
    keyword, it was possible to execute arbitrary code as the user running
    Vim. (CVE-2008-4101)
    
    Multiple security flaws were found in netrw.vim, the Vim plug-in
    providing file reading and writing over the network. If a user opened
    a specially crafted file or directory with the netrw plug-in, it could
    result in arbitrary code execution as the user running Vim.
    (CVE-2008-3076)
    
    A security flaw was found in zip.vim, the Vim plug-in that handles ZIP
    archive browsing. If a user opened a ZIP archive using the zip.vim
    plug-in, it could result in arbitrary code execution as the user
    running Vim. (CVE-2008-3075)
    
    A security flaw was found in tar.vim, the Vim plug-in which handles
    TAR archive browsing. If a user opened a TAR archive using the tar.vim
    plug-in, it could result in arbitrary code execution as the user
    runnin Vim. (CVE-2008-3074)
    
    Several input sanitization flaws were found in various Vim system
    functions. If a user opened a specially crafted file, it was possible
    to execute arbitrary code as the user running Vim. (CVE-2008-2712)
    
    Ulf Harnhammar, of Secunia Research, discovered a format string flaw
    in Vim's help tag processor. If a user was tricked into executing the
    'helptags' command on malicious data, arbitrary code could be executed
    with the permissions of the user running Vim. (CVE-2007-2953)
    
    All Vim users are advised to upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015453.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ab334c2c"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015454.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?928c4900"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected vim packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 78, 94);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-X11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-minimal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim-X11 / vim-common / vim-enhanced / vim-minimal");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1733.NASL
    descriptionSeveral vulnerabilities have been found in vim, an enhanced vi editor. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-2712 Jan Minar discovered that vim did not properly sanitise inputs before invoking the execute or system functions inside vim scripts. This could lead to the execution of arbitrary code. - CVE-2008-3074 Jan Minar discovered that the tar plugin of vim did not properly sanitise the filenames in the tar archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3075 Jan Minar discovered that the zip plugin of vim did not properly sanitise the filenames in the zip archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3076 Jan Minar discovered that the netrw plugin of vim did not properly sanitise the filenames or directory names it is given. This could lead to the execution of arbitrary code. - CVE-2008-4101 Ben Schmidt discovered that vim did not properly escape characters when performing keyword or tag lookups. This could lead to the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id35764
    published2009-03-04
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35764
    titleDebian DSA-1733-1 : vim - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1733. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35764);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101");
      script_xref(name:"DSA", value:"1733");
    
      script_name(english:"Debian DSA-1733-1 : vim - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been found in vim, an enhanced vi editor.
    The Common Vulnerabilities and Exposures project identifies the
    following problems :
    
      - CVE-2008-2712
        Jan Minar discovered that vim did not properly sanitise
        inputs before invoking the execute or system functions
        inside vim scripts. This could lead to the execution of
        arbitrary code.
    
      - CVE-2008-3074
        Jan Minar discovered that the tar plugin of vim did not
        properly sanitise the filenames in the tar archive or
        the name of the archive file itself, making it prone to
        arbitrary code execution.
    
      - CVE-2008-3075
        Jan Minar discovered that the zip plugin of vim did not
        properly sanitise the filenames in the zip archive or
        the name of the archive file itself, making it prone to
        arbitrary code execution.
    
      - CVE-2008-3076
        Jan Minar discovered that the netrw plugin of vim did
        not properly sanitise the filenames or directory names
        it is given. This could lead to the execution of
        arbitrary code.
    
      - CVE-2008-4101
        Ben Schmidt discovered that vim did not properly escape
        characters when performing keyword or tag lookups. This
        could lead to the execution of arbitrary code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506919"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-2712"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3076"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-4101"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1733"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the oldstable distribution (etch), these problems have been fixed
    in version 1:7.0-122+1etch5.
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1:7.1.314-3+lenny1, which was already included in the lenny
    release."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 78, 94);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:vim");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"vim", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-common", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-doc", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-full", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-gnome", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-gtk", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-gui-common", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-lesstif", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-perl", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-python", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-ruby", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-runtime", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-tcl", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"4.0", prefix:"vim-tiny", reference:"1:7.0-122+1etch5")) flag++;
    if (deb_check(release:"5.0", prefix:"vim", reference:"1:7.1.314-3+lenny1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_GVIM-090225.NASL
    descriptionThe VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin
    last seen2020-06-01
    modified2020-06-02
    plugin id40230
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40230
    titleopenSUSE Security Update : gvim (gvim-561)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update gvim-561.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40230);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:34");
    
      script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4677", "CVE-2008-6235", "CVE-2009-0316");
    
      script_name(english:"openSUSE Security Update : gvim (gvim-561)");
      script_summary(english:"Check for the gvim-561 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The VI Improved editor (vim) was updated to version 7.2.108 to fix
    various security problems and other bugs.
    
    CVE-2008-4677: The netrw plugin sent credentials to all servers.
    CVE-2009-0316: The python support used a search path including the
    current directory, allowing code injection when python code was used.
    CVE-2008-2712: Arbitrary code execution in vim helper plugins
    filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed.
    CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code
    injection CVE-2008-3076: several netrw bugs, code injection
    CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677:
    credential disclosure by netrw plugin"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=406693"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=436755"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=439148"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=457098"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=465255"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=470100"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected gvim packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 78, 94, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gvim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/02/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.1", reference:"gvim-7.2-7.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"vim-7.2-7.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"vim-base-7.2-7.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"vim-data-7.2-7.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"vim-enhanced-7.2-7.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0580.NASL
    descriptionFrom Red Hat Security Advisory 2008:0580 : Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id67722
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67722
    titleOracle Linux 5 : vim (ELSA-2008-0580)

Oval

accepted2013-04-29T04:03:57.332-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
description and in external mappings to this identifier.
familyunix
idoval:org.mitre.oval:def:10246
statusaccepted
submitted2010-07-09T03:56:16-04:00
title and in external mappings to this identifier.
version18

Redhat

advisories
rhsa
idRHSA-2008:0580
rpms
  • vim-X11-2:7.0.109-4.el5_2.4z
  • vim-common-2:7.0.109-4.el5_2.4z
  • vim-debuginfo-2:7.0.109-4.el5_2.4z
  • vim-enhanced-2:7.0.109-4.el5_2.4z
  • vim-minimal-2:7.0.109-4.el5_2.4z