This is a heap-based buffer overflow in Vim’s tag-listing functionality. When a user is editing a repository on GitHub and presses the :Tag command, Vim will parse the commit message, construct a tree of changes, and display the commit message and list of files on the screen. This is pretty boring stuff, but it can be exploited to cause a heap-based buffer overflow. The tag-listing functionality can be invoked by specifying a file: line number, e.g.: :!vim /path/to/repo.git The parsing of the commit message results in some dynamic security checks. As long as the user has write access to a GitHub repository and has the right permissions, this will cause the tag-listing functionality to be invoked. In order to exploit this issue, an attacker needs to have write access to the repository. This can be achieved by tricking the user into granting write access to the attacker’s account. This can be done via phishing, social engineering, or through the use of a malicious extension.
CVE-2022-0715
This vulnerability is a vulnerability in the Vim text editing program. It will not allow users to enter commands for a specific file or path without entering the correct command. The vulnerability exists because the software does not verify that the input matches what it expects from a user before executing it. This allows an attacker to create malicious files by creating a file and linking it to an existing file. The exploit occurs when an attacker creates a new file, names it with one of these patterns:
VIM Plugin
- %H
This is a buffer overflow in Vim’s tag-listing functionality. The tag-listing functionality can be invoked by specifying a file: line number, e.g.: :!vim /path/to/repo.git The parsing of the commit message results in some dynamic security checks. As long as the user has write access to a GitHub repository and has the right permissions, this will cause the tag-listing functionality to be invoked. In order to exploit this issue, an attacker needs to have write access to the repository. This can be achieved by tricking the user into granting write access to the attacker’s account. This can be done via phishing, social engineering, or through the use of a malicious extension.
Timeline
Published on: 02/22/2022 20:15:00 UTC
Last modified on: 08/26/2022 17:32:00 UTC
References
- https://github.com/vim/vim/commit/4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa
- https://huntr.dev/bounties/db70e8db-f309-4f3c-986c-e69d2415c3b3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBUYQBZ6GWAWJRWP7AODJ4KHW5BCKDVP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/
- https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html
- https://security.gentoo.org/glsa/202208-32
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0714