Technical Advisory: Shell Injection in MacVim mvim URI Handler
Vendor: macvim-dev Vendor URL: http://macvim.org Versions affected: snapshot-110 Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Bug discovery credit: Anonymous Advisory URL / CVE Identifier: TBD Risk: Critical Summary
MacVim is a Mac OS port of Vim.
MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a variety of means, including through malicious web pages.
Impact
Attackers can execute arbitrary shell commands as the logged-in user when that user visits an attacker-controlled web page or clicks an attacker-provided link.
Location
MMAppController.m
Details
MacVim is vulnerable to a shell injection attack in its handling of ‘mvim’ URLs. Shell injection is a class of vulnerability where an attacker can change the nature of executed shell commands through malformed input.
Recommendation
As no patch is available, discontinue use of MacVim or disable the mvim:// URI scheme using RCDefaultApp until a patch is made available.
Vendor Communication
2016-10-06 - Emailed MacVim asking for security contact address using email listed on github repo 2016-11-02 - Emailed MacVim asking for security contact address using email addresses for owner accounts listed on github repo 2016-12-08 - Sent final notice of public disclosure including full advisory details and proof of concept exploit, providing a planned disclosure date of December 15th, 2016. 2016-12-08 - Response from MacVim received acknowledging the email and promising to look into the bug 2017-01-16 - Asked for update from MacVim 2017-02-15 - Moved to accelerated disclosure due to unresponsive contact About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.