oss-sec mailing list archives
CVE-2016-4971: wget < 1.18 trusts server-provided filename on HTTP to FTP redirects
From: Solar Designer <solar () openwall com>
Date: Sat, 9 Jul 2016 22:24:58 +0300
Hi, In 2010, several command-line programs were fixed to distrust filenames provided by HTTP servers via Location and Content-Disposition headers. wget gained --trust-server-names and --content-disposition options to let users revert to the old (risky) behavior. http://www.ocert.org/advisories/ocert-2010-001.html http://www.openwall.com/lists/oss-security/2010/05/17/1 http://www.openwall.com/lists/oss-security/2010/08/17/2 As it turns out, the fix for wget was incomplete, not covering the special case of HTTP to FTP redirects. This is addressed in wget 1.18 released a month ago: https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html "This version fixes a security vulnerability (CVE-2016-4971) present in all old versions of wget. The vulnerability was discovered by Dawid Golunski which were reported to us by Beyond Security's SecuriTeam. On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename. This behaviour was changed and now it works similarly as a redirect from HTTP to another HTTP resource so the original name is used as the destination file. To keep the previous behaviour the user must provide --trust-server-names." Upstream commit: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1 Exploit: http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt (also attached to this message). A component of the attack - making wget download a .wgetrc first - was described here: http://www.openwall.com/lists/oss-security/2010/05/18/13 but there are also new tricks: the HTTP to FTP redirect, and the use of post_file to make wget POST a file from the server with the cron job. Alexander
Attachment:
Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
Description:
Current thread:
- CVE-2016-4971: wget < 1.18 trusts server-provided filename on HTTP to FTP redirects Solar Designer (Jul 09)