Bug 602797 (CVE-2010-2252)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2010-2252 wget: multiple HTTP client download filename vulnerability [OCERT 2010-001] | | |
| Product | [Other] Security Response | Reporter | Vincent Danen <vdanen> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | bressers, hannes, jraju, mjc, security-response-team |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.ocert.org/advisories/ocert-2010-001.html | | |
| Whiteboard | | | |
| Fixed In Version | wget 1.13.3 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | CVE-2010-2251 | Environment | |
| Last Closed | 2015-01-22 17:29:54 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 833831, 1062190 | | |
| Bug Blocks | 1062205 | | |
| Attachments | | | |
Description
Vincent Danen
2010-06-10 19:14:42 UTC
MITRE has assigned the name CVE-2010-2252 to this issue.

Additional comments on oss-security from Solar Designer (http://www.openwall.com/lists/oss-security/2010/05/18/13) indicate that this is something we should be looking at for wget:

> I disagree. Uses from scripts and cron jobs are too common, and they often don't care to specify an output filename explicitly. Let's suppose there's a cron job like this:
>
> 1 * * * * wget http://www.openwall.com/pvt/wget/log &> /dev/null
>
> If the server is malicious or compromised, it can have:
>
> RedirectMatch log $1/pvt/wget/.wgetrc
>
> in .htaccess, and
>
> reject=; exec id
> output-document=.bash_profile
>
> in .wgetrc. When the cron job runs for the first time after the above changes made on the server, it does:
>
> 02:01:02 (2.64 MB/s) - `.wgetrc' saved [47/47]
>
> At this point, .wgetrc is on the client system. The second time the cron job runs, it does:
>
> 03:01:02 (2.99 MB/s) - `.bash_profile' saved [47/47]
>
> This has happily overwritten my .bash_profile file. (I replaced "/dev/null" in the cron job with another filename for obtaining these wget output lines.)
>
> When I am logging in to the affected account, I get the output of "id". Of course, the shell command could as well be nastier than that.
>
> Although I used a somewhat tricky approach in the above exploit, eventually making wget overwrite a file, it is also possible to mount attacks that do not rely on overwriting any files. Many programs support optional startup/config files of fixed/known/guessable names that a malicious or compromised server could provide. In fact, I've just demonstrated this attack against wget itself, but it could also work against another program.

Created attachment 425763 [details]
patch to correct the issue

This patch is based on Florian's patch posted on oss-security: http://article.gmane.org/gmane.comp.security.oss.general/2908 and works on Red Hat Enterprise Linux 5.
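The two stages of the attack quoted above, as an added example that is not part of this bug report or of wget's own code: a simplified Python model of how wget chooses the local filename before and after the upstream `--trust-server-names` change, a check that flags the dotfile names involved, and an audit of a wgetrc-style file for the output-document override. The filename rule (last path component, index.html when empty) is an assumption that simplifies wget's real logic, and the sample URLs and .wgetrc content are constructed from the report.

```python
from posixpath import basename
from urllib.parse import urlsplit


def local_name_from_url(url):
    """Simplified model of wget's choice: last path component, else index.html."""
    return basename(urlsplit(url).path) or "index.html"


def pick_local_name(original_url, redirect_chain, trust_server_names=False):
    """Filename the download would be saved under.

    Pre-fix wget (such as 1.11.4 in the report) always behaved like
    trust_server_names=True: the name came from the final URL after
    redirects, so a malicious server chose it. The upstream fix makes
    False the default, so the name comes from the URL the user asked for.
    """
    final_url = redirect_chain[-1] if redirect_chain else original_url
    return local_name_from_url(final_url if trust_server_names else original_url)


def is_suspicious_name(name):
    """Names a scripted download should never silently create: hidden files
    such as .wgetrc or .bash_profile, and anything not a single path component."""
    return name in ("", ".", "..") or name.startswith(".") or "/" in name


def output_document_overrides(wgetrc_text):
    """output-document values set in a wgetrc-style file (key matching ignores
    case, '-' and '_', as wget does). A planted ~/.wgetrc with this key sends
    the *next* download to a filename of the server's choosing: the second
    stage of the attack in the report."""
    hits = []
    for line in wgetrc_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.lstrip().startswith("#"):
            continue  # blank, comment or non-assignment line
        if key.strip().lower().replace("-", "").replace("_", "") == "outputdocument":
            hits.append(value.strip())
    return hits


if __name__ == "__main__":
    # Constructed from the cron-job scenario in the report.
    original = "http://www.openwall.com/pvt/wget/log"
    redirect = ["http://www.openwall.com/pvt/wget/.wgetrc"]
    planted = "reject=; exec id\noutput-document=.bash_profile\n"
    print("old wget saves:", pick_local_name(original, redirect, True))  # .wgetrc
    print("fixed wget saves:", pick_local_name(original, redirect))      # log
    print("override in planted .wgetrc:", output_document_overrides(planted))
```

A cron job that passes an explicit `-O` output filename sidesteps the first stage entirely, which is the point Solar Designer makes about scripts that do not bother to specify one.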
On Red Hat Enterprise Linux 3 and 4 (wget 1.10.2), the first issue (the appended jsessionid) is not seen, but the malicious server redirect is a problem. On Red Hat Enterprise Linux 5 (wget 1.11.4), both issues are apparent.

I am changing the severity of this flaw to low. It is not trivial to exploit. It needs a combination of events to be successful.

This has now been addressed upstream and the next version of wget will correct this issue (patch included in the message): http://lists.gnu.org/archive/html/bug-wget/2010-07/msg00076.html

(In reply to Vincent Danen from comment #2)
> Created attachment 425763 [details]
> patch to correct the issue
>
> This patch is based on Florian's patch posted on oss-security:
> http://article.gmane.org/gmane.comp.security.oss.general/2908 and works on
> Red Hat Enterprise Linux 5.

Upstream patch uses trust_server_names and --trust-server-names: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3e25a9817f47fbb8660cc6a3b2f3eea239526c6c

External References: http://www.ocert.org/advisories/ocert-2010-001.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0151 https://rhn.redhat.com/errata/RHSA-2014-0151.html

Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact due to the series of events required to successfully exploit it, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.