Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171103120109.sjaunqwdpfnkfymn@jwilk.net>
Date: Fri, 3 Nov 2017 13:01:10 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Security risk of server side text editing in
 general and vim.tiny specifically

* Fiedler Roman <Roman.Fiedler@....ac.at>, 2017-11-03, 11:07:
>POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user 
>root when editing file in directory owned by other user is available on 
>request, disclosure after one week or if list discussion indicates 
>other timing.

By default[1], when vim wants to overwrite the file "foo", it does:

   rename("foo", "foo~")                   = 0
   open("foo", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0600) = 3

There's a race window between the two syscalls when the attacker could 
re-create "foo", and then vim would happily write to it.

Is this the attack you meant?

NB, vim disables this behavior for files in /tmp (but not /var/tmp)[2].


[1] http://vimdoc.sourceforge.net/htmldoc/options.html#%27writebackup%27
[2] http://vimdoc.sourceforge.net/htmldoc/options.html#%27backupskip%27

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.