CVE-2014-4877: Wget FTP Symlink Attack Vulnerability

The open-source Wget application which is most widely used on Linux and Unix systems for retrieving files from the web has found vulnerable to a critical flaw.
GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS.
When a recursive directory fetch over FTP server as the target, it would let an attacker “create arbitrary files, directories or symbolic links” due to a symlink flaw.

 

IMPACT OF SYMLINK ATTACK

It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,” developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.

A remote unauthenticated malicious FTP server connected to the victim via wget would allow attackers to do anything they wanted. Wget could download and create or overwrite existing files within the context of the user running wget.
The vulnerability was first reported to the GNU Wget project by HD Moore, chief research officer at Rapid7. and is publicly identified as CVE-2014-4877. The flaw is considered critical since wget is present on nearly every Linux server in the world, and is installable (although not by default) on OS X machines as well, so needs a patch as soon as possible.

 

PATCH AVAILABLE

This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys,” Moore wrote.

The vulnerability has now been fixed by the Wget project in wget 1.16, which blocks the default setting that allowed the setting of local symlinks.

Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch,” Moore said.

 

WORKAROUND AVAILABLE EXPLOIT

This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify –retr-symlinks command line option,” wrote Tomas Hoger on the Bugzilla report. “Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally.

In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file – either global /etc/wgetrc, or user specific ~/.wgetrc – by adding the line: retr-symlinks=on

An exploit for the vulnerability is now available on the open-source Metasploit penetration testing Website, so that security researchers could test the bug. You can download the exploit from here.

 

 

 

Credit:  thehackernews

 

Advertisements

One thought on “CVE-2014-4877: Wget FTP Symlink Attack Vulnerability

  1. Pingback: Sõnumid lahinguväljalt » Blog Archive » RT @JZdziarski: CVE-2014-4877: Wget FTP Symlink At…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s