Shell command execution vulnerability in Subl, a third-party Sublime Text URL handler
inopinatus
This is an advisory regarding a vulnerability I’ve discovered in a third-party add-on for the Sublime Text programmer’s editor.
I am not a vulnerability researcher; I just happened to read the source code out of curiosity and alarm bells immediately rang. I was using this add-on myself, having had it recommended to me by the Ruby community.
I don’t actually know how popular it is. A thousand users? Or tens of thousands? Or more? No data available.
Product affected
‘Subl’, a URL protocol handler for Sublime Text on Mac OS.
Description of the problem
With this handler installed, an attacker can craft a URL that, when followed, will execute shell commands on the victim’s machine. Such a URL can be delivered as an innocuous-seeming link in an email or on a webpage.
The victim may notice suspicious activity, since Sublime Text will launch.
Am I vulnerable?
Enter the following shell command:
open 'subl://open?url=file:///dev/null&line=%22%3Btouch%20/tmp/vulnerable%3Bx%3D%22%0D%0A'
If the file /tmp/vulnerable now exists, then yes.
Fix
If you have ‘Subl’ installed, you should immediately remove it. Delete the app, then run the test again.
The add-on was distributed via a GitHub repository, dhoulb/subl. After I contacted the author, he took it down in preference to developing a fix.
Alternatives
- I developed my own drop-in replacement, https://github.com/inopinatus/sublime_url.
- There is also https://github.com/sardaukar/subl-handler.
They work slightly differently. I disliked the way subl-handler left a process lying around, so I wrote my own.