461750 – (CVE-2008-4677) CVE-2008-4677 vim: netrw plugin: FTP username and password disclosure

Bug 461750 (CVE-2008-4677) - CVE-2008-4677 vim: netrw plugin: FTP username and password disclosure

Summary: CVE-2008-4677 vim: netrw plugin: FTP username and password disclosure

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-4677
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-09-10 12:36 UTC by Jan Lieskovsky
Modified:	2021-11-12 19:53 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-01-08 11:12:34 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2008-09-10 12:36:54 UTC

Description of problem (pasted from original rdancer.org vim vulnerability
description -- see references):

The Vim Netrw Plugin shares the FTP user name and password across all
FTP sessions.  Every time Vim makes a new FTP connection, it sends the
user name and password of the previous FTP session to the FTP server.

Once vim successfully connects to an FTP server using a user name and
password credentials, it will re-use them in all subsequent FTP
sessions, regardless of the domain name or TCP port.

This behaviour is documented, although the documentation states the
credentials are ``retained on a per-session basis''.  Apparently the Vim
session, not the FTP session:

  ``g:netrw_uid      (ftp) user-id,    retained on a per-session basis
    s:netrw_passwd   (ftp) password,   retained on a per-session basis''

    		-- Netrw Reference Manual (``pi_netrw.txt'')

Although FTP communication is not encrypted and therefore open to
eavesdropping, if the access to the network is protected, a
credentials-based access control is meaningful, and the credentials must
be kept secret.

Version-Release number of selected component (if applicable):
7.1.266, 7.2 and earlier versions of Vim

How reproducible:
Always

Steps to Reproduce:
1. See "4. EXPLOIT" from the rdancer vim vulnerability report [1]
  
Actual results:
Credentials disclosure.

Expected results:
Credentials are kept secret.

References (rdancer.org vim original vulnerability report):

[1] http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html

Comment 1 Jan Lieskovsky 2008-10-06 09:03:21 UTC

Link to thread discussing this vulnerability:

http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6#

Proposed partial fix:

http://mysite.verizon.net/astronaut/vim/index.html#NETRW

Comment 2 Tomas Hoger 2009-01-08 11:12:34 UTC

This issue did not affect the versions of vim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. 

All stable Fedora versions were updated to vim upstream version 7.2.060, which contains netrw plugin version that prompts for new password when connecting to new FTP site.  Update requests:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
  https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644

Note You need to log in before you can comment on or make changes to this bug.