Vim Uncontrolled Search Path Vulnerability on Windows Allowing Remote Code Execution

Vulnerability

A vulnerability in Vim for Windows prior to version 9.1.1947 allows uncontrolled search path exploitation: a malicious executable located in the current working directory of the file being edited can be run in place of the intended system command. This issue arises because Vim, when using cmd.exe as the shell, resolves external commands from the current directory before the system PATH. As a result, tools like findstr for :grep, external commands via :!, or compiler commands through :make can inadvertently execute a harmful executable, such as one disguised as findstr.exe, if the user has changed to that directory or opened a file from it.

Impact

This vulnerability allows arbitrary code execution with the same user privileges as the person running Vim, without the need for elevated rights. The issue can be triggered by any action that executes an external command, such as using :grep with findstr, running commands with :!, using :make, or other features that call external utilities.

Reproduction

To reproduce this vulnerability, create a malicious executable in the current working directory of the file being edited in Vim. This executable should have a name that will be used by Vim when searching for external commands, such as 'findstr.exe'. Once the executable is in place, open Vim and navigate to the directory containing the malicious executable using the :cd, :lcd, or :tcd commands. Then, execute a command that triggers the vulnerability, such as :grep using findstr, or any other command that invokes an external utility. Vim will execute the malicious executable instead of the intended system command.
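The following is an added defensive check, not part of the advisory or of Vim: it models cmd.exe's current-directory-first lookup and reports which files in a working directory would be run instead of the PATH binary when Vim's shell is asked for a watched command. The watched command list and the sample directory contents are constructed for the example; only findstr is named by the advisory.

```python
"""Detect executables in a working directory that would shadow PATH commands
under cmd.exe's current-directory-first lookup (added example, not part of
the advisory; command list and sample files are constructed)."""
import os
import tempfile

# Commands Vim hands to the shell. 'findstr' is the one the advisory names
# for :grep; the others are constructed examples of common :! / :make targets.
WATCHED_COMMANDS = ("findstr", "make", "cl", "link")
# Extensions cmd.exe appends when a bare command name is given (PATHEXT subset).
PATHEXT = (".exe", ".com", ".bat", ".cmd")


def shadowing_executables(cwd, watched=WATCHED_COMMANDS, pathext=PATHEXT):
    """Return the file names in cwd that cmd.exe would execute instead of the
    PATH binary for each watched command. cmd.exe tries every PATHEXT extension
    in the current directory before walking PATH, so any match is a hijack
    candidate. Windows file names are case-insensitive, hence the lowercasing."""
    try:
        entries = {entry.lower() for entry in os.listdir(cwd)}
    except OSError:
        return []  # unreadable or missing directory: nothing can be shadowed
    hits = []
    for cmd in watched:
        for ext in pathext:
            candidate = cmd + ext
            if candidate in entries:
                hits.append(candidate)
    return sorted(hits)


def demo():
    """Build a constructed working directory containing a planted findstr.exe,
    a planted Make.bat and an unrelated file, then report what is shadowed."""
    with tempfile.TemporaryDirectory() as directory:
        for name in ("findstr.exe", "notes.txt", "Make.bat"):
            with open(os.path.join(directory, name), "wb") as handle:
                handle.write(b"")
        return shadowing_executables(directory)


if __name__ == "__main__":
    print(demo())  # ['findstr.exe', 'make.bat']
```

Run against the directory Vim reports for :pwd before issuing :grep, :! or :make; a non-empty result means the shell would pick up a local file rather than the system utility.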

Remediation

Users can update to Vim version 9.1.1947 or later, where this vulnerability has been fixed.

Added: Dec 2, 2025, 10:17 PM
Updated: Dec 3, 2025, 1:27 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 10.0
exploitability: 5.4
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.