Vim Modeline Sandbox Bypass Vulnerability Allowing Arbitrary OS Command Execution

Vulnerability

A modeline sandbox bypass has been identified in Vim that allows arbitrary execution of OS commands. It affects Vim versions before 9.2.0276. The options 'complete', 'guitabtooltip' and 'printheader' were not marked with the 'P_MLE' flag. That flag marks an option whose value can contain an expression, and the modeline code refuses to set such an option unless 'modelineexpr' is enabled (it is off by default). Because the flag was missing, a crafted file could set these three options from its modeline without that check, and the attacker-controlled value is evaluated by Vim, which leads to command execution. In addition, the 'mapset()' function could be called from sandboxed expressions, giving a second route to command execution from a modeline.

Impact

Exploitation allows arbitrary command execution on the victim's system with the privileges of the user running Vim. The only interaction needed is opening the crafted file with 'modeline' enabled, which is the Vim default for non-root users.

Reproduction

The vulnerability can be reproduced by opening a file whose modeline (within the first or last 'modelines' lines, 5 by default) sets 'complete', 'guitabtooltip' or 'printheader' to a value that executes a command. The command runs when the file is opened in Vim, without any 'modelineexpr' check. Reproduction can be automated with a Vim script that writes the necessary modeline into a file and then opens it; the modeline security checks are bypassed because the affected options are not recognised as expression-bearing.
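As an added example (not part of the advisory or of Vim itself), the following Python script scans files for the vector described above. It mirrors Vim's modeline window (first and last 'modelines' lines) and both modeline syntaxes, and reports any modeline that assigns 'complete', 'guitabtooltip' or 'printheader' or their short names 'cpt', 'gtt' and 'pheader'. Any assignment is flagged; whether a given value is malicious is left to the reviewer. The sample file at the bottom is constructed for the demonstration; the `\:` in it is how a modeline keeps a colon inside a value.

```python
"""Scan files for Vim modelines that set the options named in the advisory.

Added example, not code from the advisory or the Vim project. It checks only
the first and last 'modelines' lines (default 5), parses both modeline forms,
and reports assignments to 'complete', 'guitabtooltip' and 'printheader'.
"""
import re
import sys

# Canonical name for each long and short option name named in the advisory.
ADVISORY_OPTIONS = {
    "complete": "complete", "cpt": "complete",
    "guitabtooltip": "guitabtooltip", "gtt": "guitabtooltip",
    "printheader": "printheader", "pheader": "printheader",
}

# "vi:", "vim:", "Vim:" or "ex:" (optionally "vim<700:" style) at the start of
# the line or after whitespace; the rest of the line is the option text.
_MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex)(?:[<=>]?\d+)?:\s*(.*)$")
_SET_FORM_RE = re.compile(r"se(?:t)?\s+(.*)$")
_ASSIGN_RE = re.compile(r"^([a-z]+)[+^-]?=(.*)$")  # name=, name+=, name^=, name-=


def _split_unescaped(text, seps):
    """Split on any char in seps; a backslash before a separator (or another
    backslash) escapes it and is dropped, other backslashes are kept."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and (text[i + 1] in seps or text[i + 1] == "\\"):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch in seps:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_modeline(line):
    """Return the option tokens of the modeline in `line`, or [] if it has none."""
    m = _MODELINE_RE.search(line)
    if not m:
        return []
    tail = m.group(1)
    sm = _SET_FORM_RE.match(tail)
    if sm:
        # Second form, "vim: set opt=val ...: text": options end at the first
        # unescaped ':' and are separated by whitespace (escaped spaces in
        # values are not handled; only option names matter here).
        body = _split_unescaped(sm.group(1), ":")
        return body[0].split() if body else []
    # First form, "vim:opt=val:opt2 opt3": options separated by whitespace or ':'.
    return _split_unescaped(tail, ": \t")


def flag_modeline(line, dangerous=ADVISORY_OPTIONS):
    """Canonical names of the options in `dangerous` that this modeline assigns."""
    hits = []
    for tok in parse_modeline(line):
        am = _ASSIGN_RE.match(tok)
        if am and am.group(1) in dangerous:
            hits.append(dangerous[am.group(1)])
    return hits


def scan_lines(lines, modelines=5, dangerous=ADVISORY_OPTIONS):
    """Return [(1-based line number, [option names])] for modelines found in
    the first and last `modelines` lines, the window Vim inspects."""
    n = len(lines)
    window = sorted(set(range(min(modelines, n))) | set(range(max(0, n - modelines), n)))
    findings = []
    for i in window:
        hits = flag_modeline(lines[i], dangerous)
        if hits:
            findings.append((i + 1, hits))
    return findings


# Constructed sample: a benign modeline on line 1, 'printheader' set on line 3,
# 'guitabtooltip' set on line 7 (outside the 5-line window, so ignored as Vim
# would ignore it), and 'complete' set via the first form on the last line.
SAMPLE_LINES = [
    "/* vim: set ts=4 sw=4 et: */",
    "#include <stdio.h>",
    "// vim: set pheader=%{g\\:hdr} ts=4:",
    "",
    "int main(void) { return 0; }",
    "",
    "// vim: set gtt=%{g\\:tip}:",
    "", "", "", "", "",
    "// vim:ts=4:cpt=.,w,b:noet",
]

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for lineno, opts in scan_lines(SAMPLE_LINES):
            print(f"<sample>:{lineno}: modeline sets {', '.join(opts)}")
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        for lineno, opts in scan_lines(lines):
            print(f"{path}:{lineno}: modeline sets {', '.join(opts)}")
```

Run it with file paths as arguments, or with none to scan the embedded sample. Pass a larger `dangerous` map to `scan_lines()` to cover the other 'modelineexpr'-guarded options, and raise `modelines` if the target's 'modelines' setting is larger than the default of 5.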

Remediation

Upgrade to Vim version 9.2.0276 or later, where this vulnerability has been fixed. Until the upgrade is in place, 'set nomodeline' in the vimrc disables modeline processing entirely, which removes this vector; ':set modeline? modelineexpr?' shows the current state of both options, and 'modelineexpr' should be left at its default of off.

Added: Apr 6, 2026, 4:21 PM
Updated: Apr 6, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 10.0
exploitability: 5.3
remediation: 7.7
relevance: 5.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.