Technical Advisory: Shell Injection in MacVim mvim URI Handler

Vendor: macvim-dev
Vendor URL: http://macvim.org
Versions affected: snapshot-110
Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust>
Bug discovery credit: Anonymous
Advisory URL / CVE Identifier: TBD
Risk: Critical

Summary

MacVim is a Mac OS port of Vim.

MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a variety of means, including through malicious web pages.

Impact

Attackers can execute arbitrary shell commands as the logged-in user when that user visits an attacker-controlled web page or clicks an attacker-provided link.

Location

MMAppController.m

Details

MacVim is vulnerable to a shell injection attack in its handling of ‘mvim’ URLs. Shell injection is a class of vulnerability where an attacker can change the nature of executed shell commands through malformed input.
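
The following is an added example, not MacVim's code and not part of the original advisory. It shows input handling that closes this class of bug: line and column are accepted only as plain decimal numbers, and the editor is launched from an argument vector rather than a shell string. The `mvim://open?url=...&line=...&column=...` shape, the `mvim` launcher invocation and all function names are assumptions made for illustration.

```python
# Added example, not MacVim source. Assumes the URI shape
# mvim://open?url=file:///path&line=N&column=N.
import re
from urllib.parse import parse_qs, unquote, urlsplit

DECIMAL = re.compile(r"[0-9]{1,7}")   # ASCII digits only, bounded length
ALLOWED = {"url", "line", "column"}   # any other parameter is rejected

class RejectedURI(ValueError):
    """Raised when a URI fails validation; callers should drop it."""

def _number(params, name):
    values = params.get(name, ["1"])  # a missing parameter defaults to 1
    if len(values) != 1 or not DECIMAL.fullmatch(values[0]):
        raise RejectedURI(f"{name} is not a plain decimal number")
    return int(values[0])

def parse_mvim_uri(uri):
    parts = urlsplit(uri)
    if parts.scheme != "mvim" or parts.netloc != "open":
        raise RejectedURI("not an mvim://open URI")
    params = parse_qs(parts.query, keep_blank_values=True)
    if not set(params) <= ALLOWED or len(params.get("url", [])) != 1:
        raise RejectedURI("unexpected or missing parameters")
    target = urlsplit(params["url"][0])
    path = unquote(target.path)
    if (target.scheme != "file" or target.netloc
            or not path.startswith("/") or "\x00" in path):
        raise RejectedURI("url must be a local absolute file:// path")
    return path, _number(params, "line"), _number(params, "column")

def build_argv(path, line, column):
    # Argument vector for an exec-style launch (subprocess.run(argv), no shell).
    # line and column are ints here, so only digits reach the +command;
    # "--" stops option parsing before the path.
    return ["mvim", f"+call cursor({line},{column})", "--", path]

def is_accepted(uri):
    try:
        parse_mvim_uri(uri)
        return True
    except RejectedURI:
        return False

# Constructed sample inputs.
SAFE = "mvim://open?url=file:///tmp/notes.txt&line=3&column=7"
HOSTILE = "mvim://open?url=file:///tmp/notes.txt&line=3&column=7%3Becho%20test"
```

The same `is_accepted` check can be run over URIs extracted from proxy logs or mail to flag `mvim://` links whose numeric parameters carry anything other than digits.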

Recommendation

As no patch is available, discontinue use of MacVim or disable the mvim:// URI scheme using RCDefaultApp until a patch is made available.

Vendor Communication

2016-10-06 - Emailed MacVim asking for security contact address
   using email listed on GitHub repo
2016-11-02 - Emailed MacVim asking for security contact address
   using email addresses for owner accounts listed on GitHub
   repo
2016-12-08 - Sent final notice of public disclosure including
   full advisory details and proof of concept exploit, providing
   a planned disclosure date of December 15th, 2016.
2016-12-08 - Response from MacVim received acknowledging the
   email and promising to look into the bug
2017-01-16 - Asked for update from MacVim
2017-02-15 - Moved to accelerated disclosure due to unresponsive
   contact

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 24 February 2017
