oss-sec mailing list archives

CVE-2016-4971: wget < 1.18 trusts server-provided filename on HTTP to FTP redirects


From: Solar Designer <solar () openwall com>
Date: Sat, 9 Jul 2016 22:24:58 +0300

Hi,

In 2010, several command-line programs were fixed to distrust filenames
provided by HTTP servers via Location and Content-Disposition headers.
wget gained --trust-server-names and --content-disposition options to
let users revert to the old (risky) behavior.

http://www.ocert.org/advisories/ocert-2010-001.html
http://www.openwall.com/lists/oss-security/2010/05/17/1
http://www.openwall.com/lists/oss-security/2010/08/17/2

As it turns out, the fix for wget was incomplete, not covering the
special case of HTTP to FTP redirects.  This is addressed in wget 1.18
released a month ago:

https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html

"This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget.  The vulnerability was discovered by Dawid
Golunski and was reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to an FTP resource, wget would trust the
HTTP server and use the name in the redirected URL as the destination
filename.  This behaviour was changed and now it works similarly to a
redirect from HTTP to another HTTP resource, so the original name is used
as the destination file.  To keep the previous behaviour the user must
provide --trust-server-names."

Upstream commit:

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1

Exploit:

http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt

(also attached to this message).  A component of the attack - making
wget download a .wgetrc first - was described here:

http://www.openwall.com/lists/oss-security/2010/05/18/13

but there are also new tricks: the HTTP to FTP redirect, and the use of
post_file to make wget POST a file from the server with the cron job.

Alexander

Attachment: Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
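As an added illustration (not code from wget, the exploit, or this message), a small Python model of the filename rule the release announcement describes: the pre-1.18 HTTP-to-FTP special case beside the fixed behaviour, plus a check that flags a redirect that would rename the download to a dotfile such as .wgetrc. The URLs are constructed and the rule is simplified (no query strings, --default-page or -O handling).

```python
from urllib.parse import urlsplit, unquote
import posixpath


def _basename_of(url: str) -> str:
    """Last path component of a URL, percent-decoded.
    A URL ending in '/' yields wget's default 'index.html' (simplified)."""
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path) or "index.html"


def destination_filename(original_url: str, redirect_chain: list,
                         trust_server_names: bool = False,
                         pre_1_18: bool = False) -> str:
    """Local filename wget would write, under this simplified model.

    redirect_chain is the ordered list of Location targets followed.
    trust_server_names models --trust-server-names (user opts in to the
    server-chosen name).  pre_1_18=True models the CVE-2016-4971 defect:
    an HTTP(S) -> FTP redirect was trusted even without that option.
    """
    final_url = redirect_chain[-1] if redirect_chain else original_url
    if trust_server_names:
        return _basename_of(final_url)
    orig_scheme = urlsplit(original_url).scheme
    if (pre_1_18 and orig_scheme in ("http", "https")
            and urlsplit(final_url).scheme == "ftp"):
        # The special case the 2010 fix missed: the redirected URL's name wins.
        return _basename_of(final_url)
    # Fixed behaviour (wget >= 1.18): the name from the URL the user typed.
    return _basename_of(original_url)


def redirect_renames_to_dotfile(original_url: str, redirect_chain: list) -> bool:
    """Defender-side check: would trusting the server rename the download to a
    dotfile (e.g. .wgetrc) different from what the user asked for?"""
    if not redirect_chain:
        return False
    served = _basename_of(redirect_chain[-1])
    return served.startswith(".") and served != _basename_of(original_url)
```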