Arbitrary command execution on Windows in vim/vim
Jul 10th 2023
Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems. This is possible by placing a malicious file with the same name as a trusted executable in that directory, because Windows gives priority to the current directory when searching for executables.
Several built-in plugins execute commands when opening files; for example, the Perl plugin runs the perl command when opening a Perl file.
Proof of Concept
- Create a perl.bat file (perl or perl.exe works too) with the command you want to execute, for example:
@echo off
echo hacked! > pwned.txt
- Enable filetype detection, you can add this in your .vimrc:
filetype plugin on
- Open any Perl file from the same directory as the perl.bat file.
- The command from the perl.bat file will be executed, creating a pwned.txt file in the current directory.
This vulnerability can also be exploited through other plugins, such as zip.vim (runtime/ftplugin/zip.vim), which runs an external command when opening a zip file.
I was able to reproduce this on Windows 10 with GVim, Vim in PowerShell and Vim in the normal CMD.
- Use absolute paths when executing commands.
- Set the NeedCurrentDirectoryForExePath environment variable when executing commands on Windows systems (maybe make it an opt-in option?).
- Maybe there is an option to avoid this behavior in
- Prevent plugins from executing commands from untrusted directories by default (similar to VSCode).
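To illustrate the first two mitigations (resolving the executable to an absolute path and keeping the working directory out of the search), here is an added Python model of the lookup, not code from this report or from Vim. It assumes a small PATHEXT subset (.exe, .bat, .cmd), the helper names resolve_naive, resolve_trusted and shadowed_by_cwd, and a constructed directory layout with a stand-in perl.exe on PATH and a planted perl.bat in the directory being edited; no file is ever executed, the example only shows which path each lookup would hand to the spawn API.

```python
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Iterable, List, Optional

# Constructed subset of a typical Windows PATHEXT, in the order a shell tries them.
PATHEXT = (".exe", ".bat", ".cmd")


def _candidates(directory: Path, name: str) -> Iterable[Path]:
    """Yield the file names Windows would accept for `name` inside `directory`."""
    if Path(name).suffix.lower() in PATHEXT:
        yield directory / name
    else:
        for ext in PATHEXT:
            yield directory / (name + ext)


def resolve_naive(name: str, cwd: Path, path_dirs: List[Path]) -> Optional[Path]:
    """Legacy Windows search order: the current directory is checked BEFORE PATH.
    This is the behaviour the report shows being abused."""
    for directory in [cwd, *path_dirs]:
        for cand in _candidates(directory, name):
            if cand.is_file():
                return cand.resolve()
    return None


def resolve_trusted(name: str, path_dirs: List[Path]) -> Optional[Path]:
    """Hardened lookup: only PATH directories, never the working directory, and the
    result is an absolute path to hand to the spawn API (the effect that
    NeedCurrentDirectoryForExePath has on the system search)."""
    for directory in path_dirs:
        for cand in _candidates(directory, name):
            if cand.is_file():
                return cand.resolve()
    return None


def shadowed_by_cwd(name: str, cwd: Path, path_dirs: List[Path]) -> bool:
    """Detection helper: True when a same-named file in cwd would win the naive
    lookup over the PATH entry, i.e. the command is being hijacked."""
    naive = resolve_naive(name, cwd, path_dirs)
    trusted = resolve_trusted(name, path_dirs)
    return naive is not None and naive != trusted


def demo() -> dict:
    """Build the constructed layout in a temp dir and return what each lookup picks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        trusted_bin = root / "trusted" / "bin"   # pretend this is on PATH
        downloads = root / "downloads"           # untrusted directory holding the edited file
        clean = root / "clean"                   # a directory with no planted file
        for d in (trusted_bin, downloads, clean):
            d.mkdir(parents=True)
        (trusted_bin / "perl.exe").write_text("")  # stand-in for the real interpreter
        (downloads / "perl.bat").write_text("@echo off\r\nrem planted stand-in\r\n")
        return {
            "naive": resolve_naive("perl", downloads, [trusted_bin]).name,
            "trusted": resolve_trusted("perl", [trusted_bin]).name,
            "shadowed": shadowed_by_cwd("perl", downloads, [trusted_bin]),
            "clean_cwd_shadowed": shadowed_by_cwd("perl", clean, [trusted_bin]),
        }


if __name__ == "__main__":
    print(demo())
```

The naive lookup returns the planted perl.bat while the hardened one returns the PATH entry; a plugin that shells out from a file's directory can run the shadowed_by_cwd check first and refuse (or prompt) when they differ, which is the behaviour the last mitigation asks for.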
An attacker can trick a user into downloading the malicious files; opening or creating certain files in that directory then lets the attacker execute arbitrary commands.