Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.

The remote VMware ESX host is missing a security-related patch. It is, therefore, is affected by multiple vulnerabilities :

  - A format string flaw exists in the Vim help tag     processor in the helptags_one() function that allows a     remote attacker to execute arbitrary code by tricking a     user into executing the 'helptags' command on malicious     help files. (CVE-2007-2953)

  - Multiple flaws exist in the Vim system functions due to     a failure to sanitize user-supplied input. An attacker     can exploit these to execute arbitrary code by tricking     a user into opening a crafted file. (CVE-2008-2712)

  - A heap-based buffer overflow condition exists in the Vim     mch_expand_wildcards() function. An attacker can exploit     this, via shell metacharacters in a crafted file name,     to execute arbitrary code. (CVE-2008-3432)

  - Multiple flaws exist in Vim keyword and tag handling due     to improper handling of escape characters. An attacker     can exploit this, via a crafted document, to execute     arbitrary shell commands or Ex commands. (CVE-2008-4101)

  - A security bypass vulnerability exists in OpenSSL due to     a failure to properly check the return value from the     EVP_VerifyFinal() function. A remote attacker can     exploit this, via a malformed SSL/TLS signature for DSA     and ECDSA keys, to bypass the validation of the     certificate chain. (CVE-2008-5077)

  - A security bypass vulnerability exists in BIND due to a     failure to properly check the return value from the     OpenSSL DSA_verify() function. A remote attacker can     exploit this, via a malformed SSL/TLS signature, to     bypass the validation of the certificate chain on those     systems using DNSSEC. (CVE-2009-0025)

From Red Hat Security Advisory 2008:0617 :

Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Vim (Visual editor IMproved) is an updated and improved version of the vi editor.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code.
(CVE-2008-3432)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2008-0580 advisory.

    - fixes CVE-2008-3074 (tar plugin)
    - fixes CVE-2008-3075 (zip plugin)
    - fixes CVE-2008-3076 (netrw plugin)
    - fixes CVE-2008-4101 (keyword and tag lookup)
    - fix some issues with netrw and remote file editing caused by       the CVE-2008-2712 patch
    - more fixes for CVE-2008-2712
    - update netrw files for CVE-2008-2712

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

SL3 and SL4 Only: A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code. (CVE-2008-3432)

SL5 Only: Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim.
(CVE-2008-3076)

SL5 Only: A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075)

SL5 Only: A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf H&auml;rnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Vim (Visual editor IMproved) is an updated and improved version of the vi editor.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim.
(CVE-2008-3076)

A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075)

A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

This update of Vim addresses a format-string bug in 'helptags'. This bug can be exploited to execute code with the privileges of the user running Vim. (CVE-2007-2953)

a. Updated OpenSSL package for the Service Console fixes a    security issue.

   OpenSSL 0.9.7a-33.24 and earlier does not properly check the return    value from the EVP_VerifyFinal function, which could allow a remote    attacker to bypass validation of the certificate chain via a    malformed SSL/TLS signature for DSA and ECDSA keys.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-5077 to this issue.

b. Update bind package for the Service Console fixes a security issue.

   A flaw was discovered in the way Berkeley Internet Name Domain    (BIND) checked the return value of the OpenSSL DSA_do_verify    function. On systems using DNSSEC, a malicious zone could present    a malformed DSA certificate and bypass proper certificate    validation, allowing spoofing attacks.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2009-0025 to this issue.

c. Updated vim package for the Service Console addresses several    security issues.

   Several input flaws were found in Visual editor IMproved's (Vim)    keyword and tag handling. If Vim looked up a document's maliciously    crafted tag or keyword, it was possible to execute arbitrary code as    the user running Vim.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-4101 to this issue.

   A heap-based overflow flaw was discovered in Vim's expansion of file    name patterns with shell wildcards. An attacker could create a    specially crafted file or directory name, when opened by Vim causes    the application to stop responding or execute arbitrary code.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-3432 to this issue.

   Several input flaws were found in various Vim system functions. If a    user opened a specially crafted file, it was possible to execute    arbitrary code as the user running Vim.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-2712 to this issue.

   A format string flaw was discovered in Vim's help tag processor. If    a user was tricked into executing the 'helptags' command on    malicious data, arbitrary code could be executed with the    permissions of the user running VIM.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2007-2953 to this issue.

Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Vim (Visual editor IMproved) is an updated and improved version of the vi editor.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code.
(CVE-2008-3432)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Several vulnerabilities were found in the vim editor :

A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712).

Ulf H&Atilde;&curren;rnhammar of Secunia Research found a format string flaw in vim's help tags processor. If a user were tricked into executing the helptags command on malicious data, it could result in the execution of arbitrary code as the user running vim (CVE-2008-2953).

A flaw was found in how tar.vim handled TAR archive browsing. If a user were to open a special TAR archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3074).

A flaw was found in how zip.vim handled ZIP archive browsing. If a user were to open a special ZIP archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3075).

A number of security flaws were found in netrw.vim, the vim plugin that provides the ability to read and write files over the network. If a user opened a specially crafted file or directory with the netrw plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3076).

A number of input validation flaws were found in vim's keyword and tag handling. If vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitary code as the user running vim (CVE-2008-4101).

A vulnerability was found in certain versions of netrw.vim where it would send FTP credentials stored for an FTP session to subsequent FTP sessions to servers on different hosts, exposing FTP credentials to remote hosts (CVE-2008-4677).

This update provides vim 7.2 (patchlevel 65) which corrects all of these issues and introduces a number of new features and bug fixes.

Update :

The previous vim update incorrectly introduced a requirement on libruby and also conflicted with a file from the git-core package (in contribs). These issues have been corrected with these updated packages.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2008:0580 advisory.

  - vim format string flaw (CVE-2007-2953)

  - vim: command execution via scripts not sanitizing inputs to execute and system (CVE-2008-2712)

  - Vim tar.vim plugin: improper Implementation of shellescape() (arbitrary code execution) (CVE-2008-3074)

  - Vim zip.vim plugin: improper Implementation of shellescape() (arbitrary code execution) (CVE-2008-3075)

  - vim: arbitrary code execution in commands: K, Control-], g] (CVE-2008-4101)

  - Vim netrw.vim plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution     (CVE-2008-6235)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Ulf Harnhammar discovered that vim does not properly sanitise the 'helptags_one()' function when running the 'helptags' command. By tricking a user into running a crafted help file, a remote attacker could execute arbitrary code with the user's privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the vim editor. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-2953     Ulf Harnhammar discovered that a format string flaw in     helptags_one() from src/ex_cmds.c (triggered through the     'helptags' command) can lead to the execution of     arbitrary code.

  - CVE-2007-2438     Editors often provide a way to embed editor     configuration commands (aka modelines) which are     executed once a file is opened. Harmful commands are     filtered by a sandbox mechanism. It was discovered that     function calls to writefile(), feedkeys() and system()     were not filtered, allowing shell command execution with     a carefully crafted file opened in vim.

This updated advisory repairs issues with missing files in the packages for the oldstable distribution (sarge) for the alpha, mips, and mipsel architectures.

A format string vulnerability in the helptags support in vim allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file.

Updated packages have been patched to prevent this issue.

A Secunia Advisory reports :

A format string error in the 'helptags_one()' function in src/ex_cmds.c when running the 'helptags' command can be exploited to execute arbitrary code via specially crafted help files.

ID	Name	Product	Family	Severity
89112	VMware ESX Multiple Vulnerabilities (VMSA-2009-0004) (remote check)	Nessus	Misc.	high
67732	Oracle Linux 3 / 4 : vim (ELSA-2008-0617)	Nessus	Oracle Linux Local Security Checks	high
67722	Oracle Linux 5 : vim (ELSA-2008-0580)	Nessus	Oracle Linux Local Security Checks	critical
60500	Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43697	CentOS 5 : vim (CESA-2008:0580)	Nessus	CentOS Local Security Checks	high
41148	SuSE9 Security Update : vim and gvim (YOU Patch Number 11722)	Nessus	SuSE Local Security Checks	medium
40389	VMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vim	Nessus	VMware ESX Local Security Checks	high
37794	CentOS 3 / 4 : vim (CESA-2008:0617)	Nessus	CentOS Local Security Checks	high
36821	Mandriva Linux Security Advisory : vim (MDVSA-2008:236-1)	Nessus	Mandriva Local Security Checks	high
34954	RHEL 3 / 4 : vim (RHSA-2008:0617)	Nessus	Red Hat Local Security Checks	high
34953	RHEL 5 : vim (RHSA-2008:0580)	Nessus	Red Hat Local Security Checks	critical
29456	SuSE 10 Security Update : vim and gvim (ZYPP Patch Number 4095)	Nessus	SuSE Local Security Checks	medium
28109	Ubuntu 6.06 LTS / 6.10 / 7.04 : vim vulnerability (USN-505-1)	Nessus	Ubuntu Local Security Checks	medium
27258	openSUSE 10 Security Update : gvim (gvim-4092)	Nessus	SuSE Local Security Checks	medium
25964	Debian DSA-1364-2 : vim - several vulnerabilities	Nessus	Debian Local Security Checks	high
25945	Mandrake Linux Security Advisory : vim (MDKSA-2007:168)	Nessus	Mandriva Local Security Checks	medium
25802	FreeBSD : vim -- Command Format String Vulnerability (1ed03222-3c65-11dc-b3d3-0016179b2dd5)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2007-2953

high

Tenable Plugins

high

high

critical

high

high

medium

high

high

high

high

critical

medium

medium

medium

high

medium

medium