Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*
- < 9.2.0073
A command injection vulnerability has been identified in the netrw standard plugin of Vim, affecting versions prior to 9.2.0073. The issue arises from insufficient validation of hostnames in URLs processed by netrw. This flaw allows an attacker to execute arbitrary shell commands with the privileges of the Vim process by crafting a malicious URL that includes shell metacharacters. Exploitation requires the user to open the crafted URL, at which point netrw invokes the shell via the ':r!' command.
Exploitation of this vulnerability allows for arbitrary command execution on the host system, executed with the same privileges as the Vim process.
To reproduce this vulnerability, open a crafted URL using the 'scp://' protocol in Vim with a version prior to 9.2.0073. The URL should be designed to include shell metacharacters in the hostname, which will be processed by the netrw plugin. When netrw parses the URL, it will inject the malicious commands into the shell, exploiting the command execution feature of the ':r!' Ex command.
Users can upgrade to Vim version 9.2.0073 or later, where this vulnerability has been fixed.
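One way to check an installed Vim against the fixed version named above, as an added example that is not part of the original advisory or of the Vim project's code. It assumes the usual `vim --version` layout (a `VIM - Vi IMproved X.Y` banner and an `Included patches:` line); the sample outputs and the script name `check_vim.py` are constructed.

```python
import re
import sys

FIXED = (9, 2, 73)  # 9.2.0073, the fixed version named in this advisory

# Constructed samples of `vim --version` output (not captured from real hosts).
OLD = "VIM - Vi IMproved 9.1 (constructed sample)\nIncluded patches: 1-1016\n"
GAP = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-72, 74-80\n"
PATCHED = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-73\n"


def parse_vim_version(text):
    """Return (major, minor, patch_ranges) parsed from `vim --version` text."""
    banner = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not banner:
        raise ValueError("input does not look like `vim --version` output")
    ranges = []
    patches = re.search(r"Included patches: ([\d, -]+)", text)
    if patches:
        for token in patches.group(1).split(","):
            token = token.strip()
            if not token:
                continue
            lo, _, hi = token.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return int(banner.group(1)), int(banner.group(2)), ranges


def is_vulnerable(text):
    """True if the build predates 9.2.0073 or lacks patch 73 on 9.2."""
    major, minor, ranges = parse_vim_version(text)
    if (major, minor) != FIXED[:2]:
        return (major, minor) < FIXED[:2]
    # Same release line: the fix counts only if patch 73 is actually listed,
    # since patch lists can have gaps.
    return not any(lo <= FIXED[2] <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Usage: vim --version | python3 check_vim.py
    vulnerable = is_vulnerable(sys.stdin.read())
    print("VULNERABLE" if vulnerable else "ok")
    sys.exit(1 if vulnerable else 0)
```

A distribution build that backported the fix under an older version number will still be reported as vulnerable by this check, so confirm such hosts against the vendor's changelog.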