Vimattack: How to get someone's database credentials while they are editing config files on a live server


Table of contents

  1. Introduction
  2. How to get any config files source*
    1. Proof of concept
    2. PoC Video
  3. How to prevent this 'vim attack'

    Introduction

    When editing a file in Vim, by default it creates a .swp swap file in the same directory as the file you're editing. That swap file contains the buffer's unsaved changes, so it records whatever edits have been made to the file but not yet written to disk.

    How to get any config files source*

    * where the following is true:

    • An admin user is editing the wp-config.php file (or any other config file) in Vim, using default settings (which save the .swp swap file in the same directory)
    • The admin user editing the file has made the changes but hasn't yet saved the changes
    • The config file is in /public (or /public_html/, or however you had it set up)
    • The web server allows requests to dot files (i.e. a request to theirsite.com/.wp-config.php.swp will download that file)

    Proof of concept

    Let's say that you know someone just bought ANewDomain.com and that they will be installing WordPress. You know their favourite text editor is Vim, and you know that they will be installing WP soon.

    (This could apply to other systems/config options, but WordPress is common, and it stores its wp-config.php in the public directory)

    Set up a script to keep downloading http://anewdomain.com/.wp-config.php.swp several times a second.

    If someone is currently editing the file on the server in Vim and you download that URL, you will get the swap file.

    Once you have that downloaded, just run vim -r .wp-config.php.swp, hit enter at the vim dialog and you should see whatever changes they've made to the file.

    This isn't really a big deal, but could be used by someone if you know that they're editing files within the public directory (/public, /public_html/ etc) and that they use Vim without changing the default swap file directory.

    I've used WordPress just as an example; the issue has nothing to do with WordPress itself. It is useful for this example only because it stores its config file (wp-config.php) inside the public directory. It would be much better, security-wise, to put the config file somewhere outside the web root and just do something like include __DIR__."/../wp-config.php"

    PoC Video

    How to prevent this 'vim attack'

    1. in ~/.vimrc use 'set directory' to change where .swp files are stored (or disable swap files entirely) - See this guide on how to disable or change the swap directory
    2. don't allow access to *.swp files in your web server
    3. don't store or edit files in /public/ (or /public_html/, etc)
    webdevetc

    I am a 29 year old freelance backend web developer from London, mostly focusing on PHP and Laravel lately. This is my site - I mostly write about PHP here. Contact me here (especially for any contracting jobs early 2019 in London ;) ).
