wget prior to 1.16 allows for a web server to write arbitrary files on the client side

by
Anonymous Coward
in security on (#2TS1)
Here's a concern for most of us. Be aware that the popular program wget, in versions prior to 1.16, allows for an FTP server to write arbitrary files on the client side. Wget is commonly used in shell scripts to get files or web pages from servers for further processing locally. Wget has many other uses as well, and is an important part of much command line sorcery.

A Metasploit module is available for testing:

https://github.com/rapid7/metasploit-framework/pull/4088

The disclosure is here:

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

Red Hat's bug is here:

https://bugzilla.redhat.com/show_bug.cgi?id=1139181
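As an added example (not code from the post, from wget, or from the advisory), here is a defender-side audit script: it checks whether the wget on a host predates 1.16 and, if so, whether the `retr-symlinks = on` wgetrc workaround documented in the Rapid7 advisory linked above is in place, so that an FTP server cannot have wget recreate a symlink locally and then write through it. The wgetrc paths and sample version strings are assumptions for the example.

```shell
#!/bin/sh
# Added audit example, not code from the post or from wget itself.
# Flags a host where wget predates 1.16 (first fixed release per the post)
# and the wgetrc workaround from the Rapid7 advisory, retr-symlinks = on,
# is not set. Paths and sample versions are assumptions for this example.

FIXED_VERSION="1.16"

# vercmp_lt A B: exit 0 when dotted version A is strictly older than B.
# Pure POSIX sh, so it does not depend on sort -V.
vercmp_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading numeric component
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1                                  # equal versions
}

# wget_is_vulnerable VERSION: exit 0 if VERSION is before 1.16.
wget_is_vulnerable() { vercmp_lt "$1" "$FIXED_VERSION"; }

# wgetrc_has_workaround FILE: exit 0 if FILE enables retr-symlinks, which
# makes wget fetch the link target instead of recreating the symlink locally.
# wget treats '-' and '_' in option names as equivalent, so accept both.
wgetrc_has_workaround() {
    [ -r "$1" ] && grep -Eiq '^[[:space:]]*retr[-_]symlinks[[:space:]]*=[[:space:]]*on' "$1"
}

# installed_wget_version: print the version of the wget on PATH, if any.
installed_wget_version() {
    command -v wget >/dev/null 2>&1 || return 1
    wget --version | head -n 1 | sed -E 's/^GNU Wget ([0-9.]+).*/\1/'
}

# audit_host: exit 2 when wget is affected and unmitigated, 0 otherwise.
audit_host() {
    ver="$(installed_wget_version)" || { echo "wget not installed"; return 0; }
    if ! wget_is_vulnerable "$ver"; then echo "wget $ver is fixed"; return 0; fi
    if wgetrc_has_workaround "${WGETRC:-$HOME/.wgetrc}" || wgetrc_has_workaround /etc/wgetrc; then
        echo "wget $ver is affected but retr-symlinks=on is set; mitigated"; return 0
    fi
    echo "wget $ver is affected: upgrade to $FIXED_VERSION or later, or set retr-symlinks=on"
    return 2
}
```

Run `audit_host` from a config-management check; a non-zero exit means the host still needs the upgrade or the wgetrc workaround.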

This one is really serious (Score: 2, Informative)

by engblom@pipedot.org on 2014-10-29 12:37 (#2TS4)

I think this one has bigger potential than the bash-bug recently discussed. Very few are passing stuff down to a bash shell unfiltered compared to downloading with wget. Aren't almost all admins pasting in URLs and downloading with wget on servers if they need a file from the net? It will not help if you checked the MD5 sum of what you downloaded as the vulnerability was in the client and not in the package you downloaded.

It is enough that one important server gets compromised by this vulnerability and it will spread like a wildfire. An exploit will for sure check if the computer wget is running on also is running a web server. If it does, it will probably infect the web server for further spreading.