Which versions of vim are affected by the modeline vulnerability (CVE-2019-12735)?
A vulnerability (CVE-2019-12735) was disclosed on 2019/06/04 that could allow arbitrary code execution via modelines when vim opens a specially crafted text file. Vim < 8.1.1365 was listed as the affected product, but when I tried it in my own environment the poc sometimes did not work, so I decided to experiment.
The result was that vim is also not affected if the version is too old.
Disclaimer
I strive to provide the correct information at the time of publication. However, please note that I will not be responsible for any loss or damage caused by the information I provide or the link.
Experimental method
Get old versions of vim from GitHub and compile them, then check whether vim executes code when the poc file is opened. I used a poc file published on the Internet that executes the uname command.
- vim/vim: The official Vim repository
https://github.com/vim/vim
Experimental environment
$ uname -a
Linux ubuntu 4.18.0-20-generic #21~18.04.1-Ubuntu SMP Wed May 8 08:43:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
$ gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04) 7.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cat ~/.vimrc
.vimrc is empty.
Experimental command
$ ./configure
$ make
$ src/vim ../poc.txt
Result
The following results are obtained from experiments.
- v8.1.1365 or later: the poc does not execute the command
- v7.4.1096 through v8.1.1364: the poc executes the command
- v7.4.1095 or earlier: the poc does not execute the command
All experimental results
version   result   (x = poc does not execute the command)
---------------------------------------------------------
8.1.1491 x (E992: Not allowed in a modeline...)
8.1.1400 x (E992: Not allowed in a modeline...)
8.1.1369 x (E992: Not allowed in a modeline...)
8.1.1368 x (E992: Not allowed in a modeline...)
8.1.1367 x (E992: Not allowed in a modeline...)
8.1.1366 x (E992: Not allowed in a modeline...)
8.1.1365 x
8.1.1364 affected
8.1.0000 affected
8.0.1453 affected
8.0.0000 affected
7.4.2367 affected
7.4.1627 affected
7.4.1527 affected
7.4.1427 affected
7.4.1227 affected
7.4.1127 affected
7.4.1097 affected
7.4.1096 affected
7.4.1095 x
7.4.1094 x
7.4.1093 x
7.4.1092 x
7.4.1089 x
7.4.1080 x
7.4.1077 x
7.4.1047 x
7.4.1027 x
7.4.628 x
For version 8.1.1366 and later, vim prints an error message (E992) saying that the setting is not allowed in a modeline.
About Strange vim That Doesn’t Execute Code
While experimenting on Ubuntu, I noticed that the vim installed with the apt command did not run the poc, even though it is version 8.0.1453, which is supposed to be vulnerable.
Why?
I understood the cause immediately: the poc had only run after I wrote “set modeline” in .vimrc, which means “set nomodeline” is set somewhere.
My investigation found that “set nomodeline” is set in the file /usr/share/vim/vim80/debian.vim. By commenting out this setting, I was able to verify that the poc was executed.
I found this file using the scriptnames command in vim.
Thanks.
References
- vim — Where is my .vimrc file? — Stack Overflow https://stackoverflow.com/questions/10921441/where-is-my-vimrc-file
Appendix
Revision history between versions with differences
- patch 7.4.1096 · vim/vim@a260b87
https://github.com/vim/vim/commit/a260b87d9da17f605666630f18c1ed909c2b8bae
Experimental results of old CentOS
I ran a similar experiment on CentOS with vim version 7.4.160.
As a result, the poc did not execute the command.
$ uname -a
Linux proxy.infected.local 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
7.4.160 is older than 7.4.1095, the boundary between affected and unaffected versions on Ubuntu, so this result is consistent with the Ubuntu results.
Measures to mitigate by “nomodeline”
With set nomodeline in .vimrc, I confirmed that the poc no longer executes commands in versions 7.4.1096 and 7.4.1097, where it previously did.
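As an added check written for this post (not the author's script or anything from the vim project), the following POSIX shell parses `vim --version` output, classifies the build against the 7.4.1096 to 8.1.1364 range measured above, and reads the effective 'modeline' setting from the installed vim, since nomodeline stopped the poc even on affected builds. The helper names, the result labels and the sample version text are my own constructions.

```shell
#!/bin/sh
# Added example: classify a vim build against the range measured in this post
# (7.4.1096 <= version <= 8.1.1364 executed the poc; older and newer builds did not)
# and combine that with the effective 'modeline' setting.

# Return 0 if major.minor.patch lies inside the measured affected range, 1 otherwise.
vim_in_affected_range() {
    # Encode the three fields as one integer so they compare like a version.
    v=$(( $1 * 100000000 + $2 * 100000 + $3 ))
    lo=$(( 7 * 100000000 + 4 * 100000 + 1096 ))   # 7.4.1096
    hi=$(( 8 * 100000000 + 1 * 100000 + 1364 ))   # 8.1.1364
    if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then return 0; else return 1; fi
}

# Parse `vim --version` text and print "major minor patch"; the patch level is the
# last number on the "Included patches:" line (0 when that line is absent).
parse_vim_version() {
    mm=$(printf '%s\n' "$1" | sed -n 's/^VIM - Vi IMproved \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    patch=$(printf '%s\n' "$1" | sed -n 's/^Included patches: //p' | sed 's/.*[-, ]//')
    echo "${mm:-0 0} ${patch:-0}"
}

# Hypothetical helper: ask the installed vim for its effective 'modeline' value (on|off),
# letting it load the system and user vimrc (Debian's debian.vim sets nomodeline there).
# Prints "unknown" when the binary lacks +eval (e.g. vim.tiny), since &modeline cannot
# be evaluated there; -X skips the X server connection, stdin/stdout need no terminal.
vim_effective_modeline() {
    tmp=$(mktemp)
    OUT="$tmp" vim -X -c 'call writefile([&modeline ? "on" : "off"], $OUT)' -c 'qa!' \
        </dev/null >/dev/null 2>&1
    mode=$(cat "$tmp" 2>/dev/null); rm -f "$tmp"
    echo "${mode:-unknown}"
}

# Combine both checks. $1 = `vim --version` text, $2 = on|off|unknown.
vim_status() {
    set -- "$2" $(parse_vim_version "$1")
    if vim_in_affected_range "$2" "$3" "$4"; then
        if [ "$1" = off ]; then echo "affected-mitigated"; else echo "affected"; fi
    else
        echo "not-affected"
    fi
}

# Constructed sample: first lines of `vim --version` for Ubuntu 18.04's vim 8.0.1453.
SAMPLE_UBUNTU_VERSION='VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Jun 06 2019 17:31:41)
Included patches: 1-1453'
vim_status "$SAMPLE_UBUNTU_VERSION" off         # prints affected-mitigated
if command -v vim >/dev/null 2>&1; then          # live check of the installed vim, if any
    vim_status "$(vim --version)" "$(vim_effective_modeline)"
fi
```

"affected-mitigated" means the build is in the affected range but nomodeline is in effect, which is the situation the author found with Ubuntu's packaged 8.0.1453.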
Update History
- 2019/06/05 New.
- 2019/06/05 I fixed some mistakes.
- 2019/06/08 Added results for the new versions. Added “About Strange vim That Doesn’t Execute Code”.
- 2019/06/13 Add CVE.
- 2020/03/03 Revised.