Technical Advisory: Shell Injection in MacVim mvim URI Handler
Vendor: macvim-dev Vendor URL: http://macvim.org Versions affected: snapshot-110 Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Bug discovery credit: Anonymous Advisory URL / CVE Identifier: TBD Risk: Critical
MacVim is a Mac OS port of Vim.
MacVim is vulnerable to shell injection in
mvim:// URIs through the
column parameter, allowing attacks through a variety of means, including through malicious web pages.
Attackers can execute arbitrary shell commands as the logged-in user when that user visits an attacker-controlled web page or clicks an attacker-provided link.
MacVim is vulnerable to a shell injection attack in its handling of ‘mvim’ URLs. Shell injection is a class of vulnerability where an attacker can change the nature of executed shell commands through malformed input.
As no patch is available, discontinue use of MacVim or disable the
mvim:// URI scheme using
RCDefaultApp until a patch is made available.
2016-10-06 - Emailed MacVim asking for security contact address using email listed on github repo 2016-11-02 - Emailed MacVim asking for security contact address using email addresses for owner accounts listed on github repo 2016-12-08 - Sent final notice of public disclosure including full advisory details and proof of concept exploit, providing a planned disclosure date of December 15th, 2016. 2016-12-08 - Response from MacVim received acknowledging the email and promising to look into the bug 2017-01-16 - Asked for update from MacVim 2017-02-15 - Moved to accelerated disclosure due to unresponsive contact
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date:  24 February 2017