Bugtraq mailing list archives

vi can run arbitrary commands via 'tags' file


From: Eli the Bearded <*@eli.users.panix.com>
Date: Thu, 18 Sep 2008 16:57:57 -0400 (EDT)

The vi editor can run arbitrary commands via 'tags' file

An advisory from Eli the Bearded

Programs involved:
vi and ex in their many guises, *when descended from the originals*.
None of the clones I have tested (recent vim, nvi) suffer from this.

Problem synopsis:
A number of editors, vi included, support the use of a 'tags' file
which functions as an hypertext index. The user selects a string in
the file, issues a command and the editor will open a file and run
that command. The typical use is to have tags that correspond to
function names, with files and commands to take the user to the
definition of the function. That need not be the case, however.

The tags file format used by vi is not adequately documented. No where
is it made clear that the target command in the tags file can contain
any ex mode command, which is means arbitrary shell code. This is just
like the old modelines vulnerability, but it was never as widely known. 

Example:
Use tabs where <TAB> is noted.

$ echo "This is line 1" > file1
$ echo "file1line1<TAB>file1<TAB>:1|!touch gotcha" > tags
$ ls
file1   tags
$ vi -t file1line1
:q!
$ ls
file1   gotcha   tags
$ 

Workaround:
Do not trust tags files from unknown sources. Inspect them first
or delete and recreate them.

History and notifications:
I discovered this loophole in tags processing in 1997 by studying
vim (version 4.5), which closely followed vi at time.

http://groups.google.com/group/comp.editors/msg/f4db1b5aed7ad225

This has long been fixed in vim.

Then about ten years later I remembered this, tried it again on a Sun
box and submitted a bug. A year or so later they've got a response:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-237987-1

Which essentially boils down to the workaround given above.


Elijah
------
has forgotten more about vi than many people ever knew


Current thread: