Vim和Neovim是Unix类操作系统下广泛使用的跨平台文本编辑器,其中Neovim是基于Vim开发的。
Vim/Neovim中的modeline功能可以让用户在文本文件的开头或结尾使用特定代码来控制编辑器的一些行为。这个功能被限制到仅能执行特定set指令,且有沙箱隔离,但:source!指令却可以用来绕过沙箱执行命令。
Modeline功能会将所有含表达式的语句在沙箱中执行,可能的选项包括’fo[......]
|
1 2 3 |
commit 8cc2f8afa8c2c682b8cd01bd06d8db230fe0e6fc (grafted, HEAD -> master, origin/master, origin/HEAD) Author: Romain Bouqueau <romain.bouqueau.pro@gmail.com> Date: Thu May 30 16:58:27 2019 +0200 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
==8590==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000001db4 at pc 0x7ff2ad2265fa bp 0x7ffeba57c050 sp 0x7ffeba57c048 READ of size 1 at 0x616000001db4 thread T0 #0 0x7ff2ad2265f9 in gf_m2ts_sync /home/test/Desktop/gpac_ve/src/media_tools/mpegts.c:1258:33 #1 0x7ff2ad2265f9 in gf_m2ts_process_data /home/test/Desktop/gpac_ve/src/media_tools/mpegts.c:3475 #2 0x7ff2ad1f6d79 in gf_import_mpeg_ts /home/test/Desktop/gpac_ve/src/media_tools/media_import.c:9968:3 #3 0x7ff2ad203206 in gf_media_import /home/test/Desktop/gpac_ve/src/media_tools/media_import.c #4 0x5754f8 in convert_file_info /home/test/Desktop/gpac_ve/applications/mp4box/fileimport.c:124:6 #5 0x548f97 in mp4boxMain /home/test/Desktop/gpac_ve/applications/mp4box/main.c:4786:6 #6 0x7ff2aba1db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #7 0x425779 in _start (/home/test/Desktop/gpac_ve/bin/gcc/MP4Box+0x425779) 0x616000001db4 is located 0 bytes to the right of 564-byte region [0x616000001b80,0x616000001db4) allocated by thread T0 here: #0 0x4e5ab0 in realloc (/home/test/Desktop/gpac_ve/bin/gcc/MP4Box+0x4e5ab0) #1 0x7ff2ad22639b in gf_m2ts_process_data /home/test/Desktop/gpac_ve/src/media_tools/mpegts.c:3464:24 #2 0x7ff2ad1f6d79 in gf_import_mpeg_ts /home/test/Desktop/gpac_ve/src/media_tools/media_import.c:9968:3 #3 0x7ff2ad203206 in gf_media_import /home/test/Desktop/gpac_ve/src/media_tools/media_import.c #4 0x5754f8 in convert_file_info /home/test/Desktop/gpac_ve/applications/mp4box/fileimport.c:124:6 #5 0x548f97 in mp4boxMain /home/test/Desktop/gpac_ve/applications/mp4box/main.c:4786:6 #6 0x7ff2aba1db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/gpac_ve/src/media_tools/mpegts.c:1258:33 in gf_m2ts_sync Shadow bytes around the buggy address: 0x0c2c7fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c7fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c7fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c7fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c7fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c2c7fff83b0: 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa 0x0c2c7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c7fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c7fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c7fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==8590==ABORTING |
#site: http://www.typesettercms.com
#Version: 5.1
#Introduction:
Typesetter is free, open source CMS which is faster and Easier. There is a storage XSS vulnerability in position Settings-> Manage Classes
#Proof of Concepts:
1 – visit: http://127.0.0.1/Typesetter/index.ph[......]