Date: Sat, 9 Jul 2016 22:24:58 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-4971: wget < 1.18 trusts server-provided filename on HTTP to FTP redirects

Hi,

In 2010, several command-line programs were fixed to distrust filenames provided by HTTP servers via Location and Content-Disposition headers. wget gained --trust-server-names and --content-disposition options to let users revert to the old (risky) behavior.

http://www.ocert.org/advisories/ocert-2010-001.html
http://www.openwall.com/lists/oss-security/2010/05/17/1
http://www.openwall.com/lists/oss-security/2010/08/17/2

As it turns out, the fix for wget was incomplete, not covering the special case of HTTP to FTP redirects. This is addressed in wget 1.18 released a month ago:

https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html

"This version fixes a security vulnerability (CVE-2016-4971) present in all old versions of wget. The vulnerability was discovered by Dawid Golunski which were reported to us by Beyond Security's SecuriTeam. On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename. This behaviour was changed and now it works similarly as a redirect from HTTP to another HTTP resource so the original name is used as the destination file. To keep the previous behaviour the user must provide --trust-server-names."

Upstream commit:

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1

Exploit:

http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt

(also attached to this message).

A component of the attack - making wget download a .wgetrc first - was described here:

http://www.openwall.com/lists/oss-security/2010/05/18/13

but there are also new tricks: the HTTP to FTP redirect, and the use of post_file to make wget POST a file from the server with the cron job.
Alexander

[Attachment: Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt (text/plain, 16266 bytes)]
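The following is an added example, not part of the message above and not wget's own code. It is a simplified Python model of the destination-filename choice the advisory describes (HTTP to HTTP redirects keep the original name unless --trust-server-names is given; HTTP to FTP redirects in wget before 1.18 used the name from the redirected FTP URL), plus two checks a responder might want: a version comparison against the 1.18 cutoff, and a scan of a .wgetrc for directives an attacker-planted file would use. The version parsing, the treatment of directory URLs as index.html, and the list of flagged directives (post_file as named in the mail, output_document as my own addition) are assumptions of this example, not facts taken from the page.

```python
"""Model of the CVE-2016-4971 filename trust problem in wget < 1.18.

Added illustration only: this is NOT wget's implementation, just the
behaviour described in the advisory, written out so it can be exercised.
"""
from urllib.parse import urlparse
import posixpath

FIXED_VERSION = (1, 18)  # per the advisory: the redirect handling was fixed in wget 1.18


def parse_version(text):
    """'1.17.1' -> (1, 17, 1). Assumption: a trailing '-N' package suffix is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version_text):
    """True for any wget release older than 1.18 (all of which the advisory calls affected)."""
    return parse_version(version_text) < FIXED_VERSION


def url_basename(url):
    """Last path component of a URL. Assumption: a bare directory URL maps to index.html."""
    name = posixpath.basename(urlparse(url).path)
    return name or "index.html"


def destination_filename(original_url, redirect_url, version, trust_server_names=False):
    """Which local filename the modelled wget writes after one redirect.

    - trust_server_names: the user explicitly opted into the server-chosen name.
    - HTTP -> HTTP: original name is kept (the 2010 fix).
    - HTTP -> FTP: before 1.18 the FTP URL's name was used (the CVE-2016-4971 gap);
      from 1.18 on it behaves like HTTP -> HTTP.
    """
    if redirect_url is None:
        return url_basename(original_url)
    if trust_server_names:
        return url_basename(redirect_url)

    original_scheme = urlparse(original_url).scheme.lower()
    redirect_scheme = urlparse(redirect_url).scheme.lower()
    crosses_to_ftp = original_scheme in ("http", "https") and redirect_scheme == "ftp"
    if crosses_to_ftp and parse_version(version) < FIXED_VERSION:
        return url_basename(redirect_url)  # attacker controls this name, e.g. ".wgetrc"
    return url_basename(original_url)


# Directives an attacker-planted .wgetrc would plausibly carry. post_file is the
# one the advisory names; output_document is my assumption (it redirects the
# server's response into a chosen local path). Extend as needed.
SUSPICIOUS_WGETRC_DIRECTIVES = ("post_file", "output_document")


def suspicious_wgetrc_lines(wgetrc_text):
    """Return (lineno, line) for every active directive on the watch list."""
    hits = []
    for lineno, raw in enumerate(wgetrc_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split("=", 1)[0].strip().lower().replace("-", "_")
        if key in SUSPICIOUS_WGETRC_DIRECTIVES:
            hits.append((lineno, line))
    return hits


if __name__ == "__main__":
    # Constructed scenario: a cron job runs `wget http://host.test/safe.txt` from
    # the user's home directory, and the server answers with a redirect to FTP.
    original = "http://host.test/safe.txt"
    redirect = "ftp://host.test/.wgetrc"
    for version in ("1.17.1", "1.18"):
        name = destination_filename(original, redirect, version)
        print(f"wget {version}: writes {name!r} (affected: {is_affected(version)})")

    # Constructed .wgetrc such a redirect could have planted in that directory.
    planted = "post_file = /etc/passwd\noutput_document = /tmp/out\n# comment\n"
    for lineno, line in suspicious_wgetrc_lines(planted):
        print(f"suspicious .wgetrc line {lineno}: {line}")
```

The model deliberately only distinguishes the scheme crossing and the version, because that is all the advisory asserts; real wget also applies --content-disposition, -O and clobber rules that this example ignores.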