Which versions of vim are affected by the modeline vulnerability (CVE-2019-12735)?

A vulnerability (CVE-2019–12735) has been found in 2019/06/04 that could allow arbitrary code execution via modeline when vim opens a specially crafted text file. Vim < 8.1.1365 was listed as an affected product, but when I tried it at own environment, sometimes poc did not work, so I decided to experiment.

vim/vim: The official Vim repository

The result was that the vim version was not affected if it was too old.

Disclaimer

I strive to provide the correct information at the time of publication. However, please note that I will not be responsible for any loss or damage caused by the information I provide or the link.

Experimental method

Get the old version of vim from github and compile it. Check to see if the vim will execute code when the poc file is opened. I used a poc file that executes the uname command that was published on the Internet.

• vim/vim: The official Vim repository
  https://github.com/vim/vim

Experimental environment

$ uname -a
Linux ubuntu 4.18.0-20-generic #21~18.04.1-Ubuntu SMP Wed May 8 08:43:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
$ gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04) 7.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cat ~/.vimrc

.vimrc is empty.

Experimental command

$ ./configure
$ make
$ src/vim ../poc.txt

Result

The following results are obtained from experiments.

• If v8.1.1365 or later, poc does not execute command
• If from v7.4.1096 to v8.1.1364, poc executes command
• If v7.4.1095 or under, poc does not execute command

v8.1.1364 and v8.1.1365 or later

from v7.4.1096 to v8.1.1364

v7.4.1095 or under

All experimental results

version      result
------------------------
8.1.1491     x (E992: Not allowed in a modeline...)
8.1.1400     x (E992: Not allowed in a modeline...)
8.1.1369     x (E992: Not allowed in a modeline...)
8.1.1368     x (E992: Not allowed in a modeline...)
8.1.1367     x (E992: Not allowed in a modeline...)
8.1.1366     x (E992: Not allowed in a modeline...)
8.1.1365     x
8.1.1364     affected
8.1.0000     affected
8.0.1453     affected
8.0.0000     affected
7.4.2367     affected
7.4.1627     affected
7.4.1527     affected
7.4.1427     affected
7.4.1227     affected
7.4.1127     affected
7.4.1097     affected
7.4.1096     affected
7.4.1095     x
7.4.1094     x
7.4.1093     x
7.4.1092     x
7.4.1089     x
7.4.1080     x
7.4.1077     x
7.4.1047     x
7.4.1027     x
7.4.628      x

For version 8.1.1366 and later, you will receive an error message that the modeline settings are not acceptable.

an error message (8.1.1366 and later)

About Strange vim That Doesn’t Execute Code

While experimenting with Ubuntu, I noticed that the vim installed with the apt command did not run poc. Even though it is version 8.0.1453, which is supposed to be vulnerable.

v8.0.1453 installed via apt command

poc does not work (v8.0.1453)

Why?

I understood the cause immediately. This is because poc was run by writing “set modeline” in .vimrc. In other words, it’s set to “set nomodeline” somewhere.

poc execute command (I wrote “set modeline” in .vimrc)

As a result of my investigation, we found that “set nomodeline” is set in the following file “/usr/share/vim/vim80/debian.vim”. By commenting out this setting, we were able to verify that the poc was executed.

“set nomodeline” is here

This file was found using the scriptnames command in vim.

scriptnames

Thanks.

References

• vim — Where is my .vimrc file? — Stack Overflow https://stackoverflow.com/questions/10921441/where-is-my-vimrc-file

Appendix

Revision history between versions with differences

• patch 7.4.1096 · vim/vim@a260b87
  https://github.com/vim/vim/commit/a260b87d9da17f605666630f18c1ed909c2b8bae

Experimental results of old CentOS

We ran a similar experiment on CentOS with vim version 7.4. 160.
As a result, the poc did not execute the command.

$ uname -a
Linux proxy.infected.local 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core)

7.4.160 is an older version than 7.4.1095, which was the affected/unaffected boundary in Ubuntu, and supports the results in Ubuntu.

Measures to mitigate by “nomodeline”

If we put set nomodeline in .vimrc, we have confirmed that poc no longer executes commands in versions 7.4.1096 and 7.4.1097 where poc was executing commands.

Measures to mitigate by “nomodeline”

Update History

• 2019/06/05 New.
• 2019/06/05 I fixed some mistakes.
• 2019/06/08 Added results for the new versions. Added “ About Strange vim That Doesn’t Execute Code”.
• 2019/06/13 Add CVE.
• 2020/03/03 Revised.