16 Jul 13:52
Arbitrary code execution in Netrw version 127, Vim 7.2b
From: Jan Minář <rdancer <at> rdancer.org>
Subject: Arbitrary code execution in Netrw version 127, Vim 7.2b
Newsgroups: gmane.comp.security.full-disclosure, gmane.comp.security.bugtraq
Date: 2008-07-16 11:53:29 GMT
1. Summary

Product  : Vim -- Vi IMproved, Netrw
Version  : Tested with Vim 7.2b, Netrw 127
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v5.html
           http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Lack of sanitization throughout Netrw can lead to arbitrary code
execution upon opening a directory with a crafted name.

2. Overview

``Netrw makes reading, writing, and browsing over a network connection
easy! [...] Netrw supports "transparent" editing of files on other
machines using urls [...]''
    -- Netrw Reference Manual (pi_netrw.txt)

For the new Vim version, the Netrw plugin has been updated with the new
fnameescape() and shellescape() functions. However, not all of the
vulnerable statements have been sanitized, and Netrw is still vulnerable
to arbitrary code execution.

The latest version of the archive with code that we're using can be
found at: ``http://www.rdancer.org/vulnerablevim-latest.tar.bz2''. Best
results are achieved by running ``make test'' in the root directory of
the abovementioned archive (this advisory details the ``netrw.v5''
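Added example, not part of the advisory or of Netrw: a small Python audit heuristic for the pattern the overview describes, flagging Vim script lines where :execute or system() receives a scoped variable that is not wrapped in fnameescape() or shellescape(). The sample script and the names in it (s:Browse, s:fname, b:entry) are constructed for illustration.

```python
import re

# Vim string literals: "double-quoted with \ escapes" or 'single-quoted'.
STRINGS = re.compile(r'"(?:\\.|[^"\\])*"' + r"|'(?:''|[^'])*'")
# Calls to the two escaping functions (one level of nested parentheses).
ESCAPED = re.compile(r'\b(?:fnameescape|shellescape)\s*\((?:[^()]|\([^()]*\))*\)')
# Scoped variables such as a:dir, s:fname, b:entry.
VAR = re.compile(r'\b[abglstvw]:\w+')
# Sinks: :execute (optionally behind command modifiers) and system().
SINK = re.compile(
    r'(?:^|\|)\s*(?:(?:sil(?:ent)?!?|keepj(?:umps)?|keepalt|noa(?:utocmd)?)\s+)*'
    r'exe(?:cute|c)?\b|\bsystem\s*\(')

# Constructed sample, not taken from Netrw.
SAMPLE = '''\
" constructed sample
function! s:Browse(dir)
  exe "cd ".a:dir
  exe "cd ".fnameescape(a:dir)
  let listing = system("ls -la ".a:dir)
  let listing = system("ls -la ".shellescape(a:dir))
  exe "silent !gzip ".shellescape(s:fname, 1)
  exe "e ".fnameescape(fnamemodify(a:dir, ':p'))."/".b:entry
endfunction
'''

def audit(script):
    """Return [(line number, [unescaped variables])] for each suspicious sink."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith('"'):      # whole-line Vim comment
            continue
        if not SINK.search(line):
            continue
        # Drop literals first, then everything already passed through an escaper.
        residue = ESCAPED.sub('', STRINGS.sub('""', line))
        unescaped = sorted(set(VAR.findall(residue)))
        if unescaped:
            findings.append((lineno, unescaped))
    return findings

if __name__ == '__main__':
    for lineno, names in audit(SAMPLE):
        print(f'line {lineno}: unescaped {", ".join(names)}')
```

The check is a triage heuristic: it does not verify that the right escaper is used for the sink (fnameescape() for Ex commands, shellescape() for shell command lines), so flagged and unflagged lines both still need review.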