+++ This bug was initially created as a clone of Bug #591580 +++
The draft advisory from oCERT follows:
The lftp, wget and lwp-download applications are ftp/http clients and file
transfer tools supporting various network protocols. The lwp-download
script is shipped along with the libwww-perl library.
Unsafe behaviours have been found in lftp and lwp-download handling the
Content-Disposition header in conjunction with the 'suggested filename'
Additionally unsafe behaviours have been found in wget and lwp-download in
case of HTTP 3xx redirections during file dowloading. The two applications
automatically use the URL's filename portion specified in the Location
Implicitly trusting the suggested filenames results in a saved file that
differs from the expected one according to the URL specified by the user.
This can be used by a malicious attacker to silently write hidden and/or
initialization files under the user's current directory (e.g. .login,
The impact of this vulnerability is increased in the case of lftp/lftpget
as the default configuration allows file overwrite without prompting
confirmation to the user. In case of lftp the get1 command is affected.
This command can be invoked directly by the user from lftp's command line
interface or indirectly by using the lftpget script, packaged within lftp
lftp <= 4.0.5
wget <= 1.12
libwww-perl <= 5.834
lftp >= 4.0.6
libwww-perl >= 5.835
Vulnerability discovered and reported by Hank Leininger and Solar Designer
under the Openwall Project, with further analysis by Daniele Bianco of
--- Additional comment from firstname.lastname@example.org on 2010-05-15 08:54:02 EDT ---
Florian noted the following as testcases for wget:
$ wget http://www.postbank.de/-snm-0184304830-1273865547-04f6f00001-0000000023-1273866968-enm-privatkunden/fonds_boerse.htm
(adds ;jsessionied= to the stored file name)
There's yet another case, but that only results in an index.html
$ wget http://www.enyo.de/fw
--- Additional comment from email@example.com on 2010-05-17 10:51:26 EDT ---
This is now public:
--- Additional comment from firstname.lastname@example.org on 2010-05-18 11:17:25 EDT ---
Florian made a post to oss-security with a preliminary patch for wget. It probably requires some upstream review as it does add a new configuration option:
However, Ludwig Nussel indicates that wget's behaviour is acceptable and probably doesn't require fixing at all, as wget does not overwrite existing files by default (adds suffixes like .1 and .2 to the new file if it already exists), and also prints the file name it used so there are no surprises.
In light of that, I would consider this a non-issue for wget, especially considering how intrusive the patch is for a backport.
MITRE has assigned the name CVE-2010-2252 to this issue.
Additional comments on oss-security from Solar Designer (http://www.openwall.com/lists/oss-security/2010/05/18/13) indicate that this is something we should be looking at for wget:
I disagree. Uses from scripts and cron jobs are too common, and they
often don't care to specify an output filename explicitly.
Let's suppose there's a cron job like this:
1 * * * * wget http://www.openwall.com/pvt/wget/log &> /dev/null
If the server is malicious or compromised, it can have:
RedirectMatch log $1/pvt/wget/.wgetrc
in .htaccess, and
reject=; exec id
in .wgetrc. When the cron job runs for the first time after the above
changes made on the server, it does:
02:01:02 (2.64 MB/s) - `.wgetrc' saved [47/47]
At this point, .wgetrc is on the client system. The second time the
cron job runs, it does:
03:01:02 (2.99 MB/s) - `.bash_profile' saved [47/47]
This has happily overwritten my .bash_profile file.
(I replaced "/dev/null" in the cron job with another filename for
obtaining these wget output lines.)
When I am logging in to the affected account, I get the output of "id".
Of course, the shell command could as well be nastier than that.
Although I used a somewhat tricky approach in the above exploit,
eventually making wget overwrite a file, it is also possible to mount
attacks that do not rely on overwriting any files. Many programs
support optional startup/config files of fixed/known/guessable names
that a malicious or compromised server could provide. In fact, I've
just demonstrated this attack against wget itself, but it could also
work against another program.
Created attachment 425763 [details]
patch to correct the issue
This patch is based on Florian's patch posted on oss-security: http://article.gmane.org/gmane.comp.security.oss.general/2908 and works on Red Hat Enterprise Linux 5.
On Red Hat Enterprise Linux 3 and 4 (wget 1.10.2), the first issue (the appended jsessionied) is not seen, but the malicious server redirect is a problem.
On Red Hat Enterprise Linux 5 (wget 1.11.4), both issues are apparent.
I am changing the severity of this flaw to low. It is not trivial to exploit. It needs a combination of events to be successful.
This has now been addressed upstream and the next version of wget will correct this issue (patch included in the message):
(In reply to Vincent Danen from comment #2)
> Created attachment 425763 [details]
> patch to correct the issue
> This patch is based on Florian's patch posted on oss-security:
> http://article.gmane.org/gmane.comp.security.oss.general/2908 and works on
> Red Hat Enterprise Linux 5.
Upstream patch uses trust_server_names and --trust-server-names:
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:0151 https://rhn.redhat.com/errata/RHSA-2014-0151.html
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact due to the series of events required to successfully exploit it, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.