Bug 1139181 (CVE-2014-4877)
Field | Value
---|---
Summary | CVE-2014-4877 wget: FTP symlink arbitrary filesystem access
Product | [Other] Security Response
Reporter | Vasyl Kaigorodov <vkaigoro>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
QA Contact |
Severity | medium
Docs Contact |
Priority | medium
Version | unspecified
CC | carnil, fcami, gscrivan, johfulto, jrusnack, pasteur, pmatouse, robatino, ronaldochaves, sauchter, sbeal, scorneli, security-response-team, thozza, zpytela
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard |
Fixed In Version | wget 1.16
Doc Type | Bug Fix
Doc Text | A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable by the user running Wget, possibly leading to code execution.
Story Points | ---
Clone Of |
Environment |
Last Closed | 2015-10-09 12:51:36 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On | 1156133, 1156134, 1156135, 1156136, 1157633, 1169860
Bug Blocks | 1139182
Attachments | 935576 (proposed fix), 936905 (updated fix)
Description
Vasyl Kaigorodov
2014-09-08 10:26:03 UTC

Created attachment 935576
proposed fix

Acknowledgements: Red Hat would like to thank the GNU Wget project for reporting this issue. Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter.

Created attachment 936905
updated fix

updated version for the proposed fix

Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Upstream patch: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7

A related commit is: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=69c45cba4382fcaabe3d86876bd5463dc34f442c
It adds a sanity check for the FTP directory listings to reject duplicate listings of the same file, which is one attack vector against this flaw.

This issue was fixed upstream in GNU wget 1.16: http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html

This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify the --retr-symlinks command line option. Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks option from off/no to on/yes, preventing creation of symbolic links locally.

In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enable the retr-symlinks option via the wget configuration file, either the global /etc/wgetrc or the user-specific ~/.wgetrc, by adding the following line:

    retr-symlinks=on

Created wget tracking bugs for this issue:
Affects: fedora-all [bug 1157633]

Reporter's blog post about this issue: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

Metasploit module for this issue:
http://www.rapid7.com/db/modules/auxiliary/server/wget_symlink_file_write
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/wget_symlink_file_write.rb

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2014:1764 https://rhn.redhat.com/errata/RHSA-2014-1764.html

wget-1.16-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

wget-1.16-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

IssueDescription: A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable by the user running Wget, possibly leading to code execution.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only
Via RHSA-2014:1955 https://rhn.redhat.com/errata/RHSA-2014-1955.html

wget-1.16-3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

After update to this version, sssd + ldap + sudo stop working.

Sorry, wrong bug.
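The two mitigations discussed in the comments above, the upstream default change in wget 1.16 and an explicit retr-symlinks=on in wgetrc, can be audited with the following POSIX shell script. It is an added example, not code from this bug report, from Red Hat or from the GNU Wget project. It assumes wget's documented behaviour: `wget --version` begins with "GNU Wget <version>", wgetrc option names ignore case and treat '-' and '_' alike, boolean values accept on/off, yes/no and 1/0, and a later assignment overrides an earlier one. The function names (wget_version_fixed, wgetrc_enables_retr_symlinks, safe_mirror, audit_host) are this example's own, and any wgetrc contents fed to it are constructed samples.

```shell
#!/bin/sh
# Added example for CVE-2014-4877, not code from the bug report or from GNU Wget.
# Audits a host for the two protections the comments describe:
#   1. a wget release carrying the upstream fix (1.16 or later, where
#      retr-symlinks defaults to on), or
#   2. an explicit retr-symlinks=on in the global or per-user wgetrc.
# Assumed from wget's documented behaviour: `wget --version` starts with
# "GNU Wget <version>", wgetrc option names ignore case and '-'/'_',
# booleans accept on/off, yes/no, 1/0, and a later assignment wins.

# Print the version from a banner line such as "GNU Wget 1.16 built on linux-gnu."
wget_version_from_banner() {
    printf '%s\n' "$1" | sed -nE 's/^GNU Wget ([0-9][0-9.]*).*$/\1/p'
}

# Succeed when a dotted version is 1.16 or newer (the upstream fix release).
# Caveat: distributions that backport security fixes keep the old version
# string (the RHSA updates above patched the existing RHEL packages), so there
# the package changelog or the wgetrc setting is authoritative, not this number.
wget_version_fixed() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor:-0}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 16 ]; }
}

# Succeed when the wgetrc file at $1 turns retr-symlinks on.
wgetrc_enables_retr_symlinks() {
    [ -r "$1" ] || return 1
    # Comment lines start with '#'; take the last assignment, as wget does.
    last=$(grep -Ei '^[[:space:]]*retr[-_]*symlinks[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$last" ] || return 1
    value=$(printf '%s\n' "$last" | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    case "$value" in on|yes|1) return 0 ;; *) return 1 ;; esac
}

# Mirror wrapper for the use case in the report: always pass --retr-symlinks
# so FTP symlinks are fetched as regular files instead of being recreated
# locally. The URL is whatever the caller supplies (hypothetical).
safe_mirror() {
    wget --mirror --retr-symlinks "$@"
}

# Report the state of the running host. Never fails the caller.
audit_host() {
    if command -v wget >/dev/null 2>&1; then
        ver=$(wget_version_from_banner "$(wget --version 2>/dev/null | head -n 1)")
        if wget_version_fixed "$ver"; then
            echo "wget ${ver}: 1.16 or newer, retr-symlinks defaults to on"
        else
            echo "wget ${ver:-unknown}: older than 1.16 (or a backport), check wgetrc"
        fi
    else
        echo "wget: not installed"
    fi
    for rc in /etc/wgetrc "${WGETRC:-${HOME:-/nonexistent}/.wgetrc}"; do
        if wgetrc_enables_retr_symlinks "$rc"; then
            echo "$rc: retr-symlinks=on"
        else
            echo "$rc: retr-symlinks not enabled"
        fi
    done
    return 0
}

audit_host
```

Run it with any POSIX sh; it prints one verdict for the installed wget and one per wgetrc file. The version check is reported but deliberately not treated as proof on its own, because Red Hat's errata carried the fix into the existing RHEL package versions rather than rebasing to 1.16; on such systems the wgetrc line, or the package changelog, is what to rely on.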