The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted attackers to execute arbitrary commands via shell metacharacters in a filename used by the (1) "D" (delete) command or (2) b:netrw_curdir variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
| Link | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html | vendor advisory |
| http://www.rdancer.org/vulnerablevim-netrw.v5.html | exploit vendor advisory |
| http://www.openwall.com/lists/oss-security/2008/10/20/2 | mailing list |
| http://www.rdancer.org/vulnerablevim-netrw.html | exploit patch vendor advisory |
| http://www.openwall.com/lists/oss-security/2008/10/16/2 | mailing list exploit |
| http://www.redhat.com/support/errata/RHSA-2008-0580.html | vendor advisory |
| http://secunia.com/advisories/34418 | third party advisory |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11247 | vdb entry signature |
| http://www.rdancer.org/vulnerablevim-netrw.v2.html | patch |