Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 9 Jul 2016 22:24:58 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-4971: wget < 1.18 trusts server-provided filename on HTTP to FTP redirects

Hi,

In 2010, several command-line programs were fixed to distrust filenames
provided by HTTP servers via Location and Content-Disposition headers.
wget gained --trust-server-names and --content-disposition options to
let users revert to the old (risky) behavior.

http://www.ocert.org/advisories/ocert-2010-001.html
http://www.openwall.com/lists/oss-security/2010/05/17/1
http://www.openwall.com/lists/oss-security/2010/08/17/2

As it turns out, the fix for wget was incomplete, not covering the
special case of HTTP to FTP redirects.  This is addressed in wget 1.18
released a month ago:

https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html

"This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget.  The vulnerability was discovered by Dawid
Golunski which were reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to a FTP resource, wget would trust the
HTTP server and uses the name in the redirected URL as the destination
filename.
This behaviour was changed and now it works similarly as a redirect from
HTTP to another HTTP resource so the original name is used as
the destination file.  To keep the previous behaviour the user must
provide --trust-server-names."

Upstream commit:

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1

Exploit:

http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt

(also attached to this message).  A component of the attack - making
wget download a .wgetrc first - was described here:

http://www.openwall.com/lists/oss-security/2010/05/18/13

but there are also new tricks: the HTTP to FTP redirect, and the use of
post_file to make wget POST a file from the server with the cron job.

Alexander

View attachment "Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt" of type "text/plain" (16266 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ