lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041209091438.GA15010__38702.4225238294$1102694743$gmane$org@kontryhel.haltyr.dyndns.org>
Date: Thu, 9 Dec 2004 09:14:38 +0000
From: Jan Minar <jjminar@...tMail.FM>
To: bugtraq@...urityfocus.com
Subject: wget: Arbitrary file overwriting/appending/creating and other vulnerabilities

------------------------------------------------------------------------
Summary
------------------------------------------------------------------------
Product:   wget
Versions:  1.8.x
Versions:  1.9.x (to lesser extent)
Versions:  Versions < 1.8 are probably vulnerable too
Platforms: Linux, probably POSIX, others?
Tested:    1.8.1-6 (Debian Woody)
           1.9.1-4 (Debian Sarge)
Problems:  Overwriting/appending/creating files and directories
           Retrieving file existence, size, permissions info
	   Etc.
Remote?:   Both remote and local
Author:	   Jan Minar <jjminar foo fastmail bar fm>

------------------------------------------------------------------------
Background
------------------------------------------------------------------------

``GNU wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols. It is a
non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows [sic!] support, etc.''

	-- http://www.gnu.org/software/wget/wget.html

wget(1) is the de facto standard HTTP retrieval program on GNU/Linux,
both for interactive use and for use in scripts and programs.  76
packages in the Debian Sarge currently depend on the wget package.

------------------------------------------------------------------------
Vulnerabilities
------------------------------------------------------------------------

(0) Wget authors are/were incompetent.  Everything else is a corollary.

In the current maintainer's own words: ``[T]he code is buggy, poorly
commented, very hard to understand, extremely resistant to changes and
looks like a bunch of patches put together in a careless way.
[I]t badly needs a lot of auditing and rewriting.''

	-- Mauro Tortonesi in a private mail exchange with me

Note: Wget has numerous commandline options which are relevant to these
vulnerabilities.

(1) Wget doesn't know which files it is permitted to write to

Wget erroneously thinks that the current directory is a fair game, and
will happily write in any file in and below it.  Malicious HTTP response
or malicious HTML file can redirect wget to a file that is vital to the
system, and wget will create/append/overwrite it.

$ cd /home/user
$ wget http://localhost/wgettrap.bashrc
	-> .bashrc

(2) Wget doesn't sanitize the redirection data properly

Wget apparently has at least two methods of ``sanitizing'' the
potentially malicious data it receives from the HTTP stream, therefore a
malicious redirects can pass the check.  We haven't find a way to trick
wget into writing above the parent directory, which doesn't mean it's
not possible.

# cd /root [1]
# wget -x http://localhost/wgettrap.redirect-1.9
	-> ../lib/libc-2.2.5.so   [2]

$ cd /foo/bar
$ wget -r http://localhost/wgettrap.redirect-1.8
$	-> ../../../../../../../../../home/jan/.bashrc	[1]
	-> ../../../../../../../../../var/www/jan/.htaccess

[1] If inetd is not running on the system, the user name can be
social-engineered, or guessed from preceding traffic.

[2] '..' must resolve to an IP address of the malicious server, or at
least to an address, provided that we will be able to stuff data in the
HTTP stream afterwards.  The POC doesn't exploit this.


(3) Wget prints control characters to the terminal verbatim

Malicious HTTP response can overwrite parts of the terminal so that the
user will not notice anything wrong, or will believe the error was not
fatal.  See the [1]Debian bug #261755 for details.

[1] http://bugs.debian.org/261755

(4) Just about any stupid hack will work with wget.  %00 bytes (see the
POC) and other %-escaped control characters handling, symlink attacks:
	
	$ cd /tmp
	$ ln -s index.html /path/to/foo
	$ wget -x http://localhost/
		-> /path/to/foo

------------------------------------------------------------------------
Reproduction
------------------------------------------------------------------------

A proof of concept is attached.

------------------------------------------------------------------------
Patched versions
------------------------------------------------------------------------

Not available.

------------------------------------------------------------------------
Workarounds
------------------------------------------------------------------------

(1) Don't use programs/scripts which use wget internally.

(2) Use alternative retrieval programs, such as pavuk, axel, or
ncftpget.

(3) Use the -o and -O options.

(4) Create two levels of new directories, cd to the directories, only
then run wget (won't protect you when using version <= 1.8 with
'-x' or '-r'):

   	$ mkdir sand/box
	$ cd sand/box
	$ wget http://localhost/

------------------------------------------------------------------------
Bug history
------------------------------------------------------------------------

We discovered this bug few months earlier.  We contacted the Debian
package maintainer and the Debian Security Team on 2004-10-03.  The wget
maintainer had not been responding to emails at that time, so we didn't
contact him.  Few days ago, a new maintainer was appointed, who
[1]disclosed this vulnerability.

[1] http://wget-bugs.ferrara.linux.it/msg12


-- 
 )^o-o^|    jabber: rdancer@....NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@....FreeNode.Net

View attachment "wgettrap.poc" of type "text/plain" (2580 bytes)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ