wget: Arbitrary file overwriting/appending/creating and other vulnerabilities
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
wget (Debian) |
Fix Released
|
Unknown
|
|||
wget (Ubuntu) |
Fix Released
|
High
|
Martin Pitt |
Bug Description
Automatically imported from Debian bug report #284875 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Thu, 9 Dec 2004 09:30:41 +0000
From: Jan Minar <email address hidden>
To: <email address hidden>
Subject: wget: Arbitrary file overwriting/
--4bRzO86E/ozDv8r1
Content-Type: multipart/mixed; boundary=
Content-
--C7zPtVaVf+AK4Oqc
Content-Type: text/plain; charset=iso-8859-2
Content-
Content-
Package: wget
Version: 1.8.1-6.1
Version: 1.9.1-8
Tags: security
Severity: grave
The most severe of these bugs is that wget(1) allows the remote attacker
to overwrite arbitrary files the user running wget has permissions to
(woody), or any files in and below the current directory (sarge), or,
with the help of DNS poisoning, in and below the parent directory
(sarge, woody). At the same time, wget is being widely used. That's
why the severity.
The 1.8 version severity is mainly a Debian issue, and we cannoct expect
it will be fixed upstream, as the code differs vastly between the
branches.
A cropped version of my BugTraq post follows:
(1) Wget doesn't know which files it is permitted to write to
Wget erroneously thinks that the current directory is a fair game, and
will happily write in any file in and below it. Malicious HTTP response
or malicious HTML file can redirect wget to a file that is vital to the
system, and wget will create/
$ cd /home/user
$ wget http://
-> .bashrc
(2) Wget doesn't sanitize the redirection data properly
Wget apparently has at least two methods of ``sanitizing'' the
potentially malicious data it receives from the HTTP stream, therefore a
malicious redirects can pass the check. We haven't find a way to trick
wget into writing above the parent directory, which doesn't mean it's
not possible.
# cd /root [1]
# wget -x http://
-> ../lib/
$ cd /foo/bar
$ wget -r http://
$ -> ../../.
-> ../../.
[1] If inetd is not running on the system, the user name can be
social-engineered, or guessed from preceding traffic.
[2] '..' must resolve to an IP address of the malicious server, or at
least to an address, provided that we will be able to stuff data in the
HTTP stream afterwards. The POC doesn't exploit this.
(3) Wget prints control characters to the terminal verbatim
Malicious HTTP response can overwrite parts of the terminal so that the
user will not notice anything wrong, or will believe the error was not
fatal. See the [1]Debian bug #261755 for details.
[1] http://
(4) Just about any stupid hack will work with wget. %00 bytes (see the
POC) and other %-escaped control characters handling, symlink attacks:
=09
$ cd /tmp
$ ln -s index.html /path/to/foo
$ wget -x http://
-> /path/to/foo
-------
Reproduction
-------
A proof of concept is attache...
In Debian Bug tracker #284875, Noël Köthe (noel) wrote : wget bugs | #3 |
tags 284875 + upstream
forwarded 284875 http://
forwarded 284550 http://
--
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
Debian Bug Importer (debzilla) wrote : | #4 |
Message-Id: <email address hidden>
Date: Sun, 19 Dec 2004 22:57:08 +0100
From: =?ISO-8859-
To: <email address hidden>
Subject: wget bugs
--=-svq4+
Content-Type: text/plain; charset=UTF-8
Content-
tags 284875 + upstream
forwarded 284875 http://
forwarded 284550 http://
--=20
No=C3=A8l K=C3=B6the <noel debian.org>
Debian GNU/Linux, www.debian.org
--=-svq4+
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQBBxfk09/
etZ0sLwMpadvhzl
=RT8K
-----END PGP SIGNATURE-----
--=-svq4+
In Debian Bug tracker #284875, Oliver Oberlach (oliver-oberlach) wrote : Patch for security problem is in CVS | #5 |
Hi!
There is a patch in CVS:
http://
--- wget/src/ftp-ls.c 2003/12/14 13:35:27 1.27
+++ wget/src/ftp-ls.c 2004/12/09 01:20:39 1.28
@@ -456,11 +456,14 @@
/* First column: mm-dd-yy. Should atoi() on the month fail, january
will be assumed. */
tok = strtok(line, "-");
+ if (tok == NULL) continue;
month = atoi(tok) - 1;
if (month < 0) month = 0;
tok = strtok(NULL, "-");
+ if (tok == NULL) continue;
day = atoi(tok);
tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
year = atoi(tok);
/* Assuming the epoch starting at 1.1.1970 */
if (year <= 70) year += 100;
@@ -468,8 +471,10 @@
/* Second column: hh:mm[AP]M, listing does not contain value for
seconds */
tok = strtok(NULL, ":");
+ if (tok == NULL) continue;
hour = atoi(tok);
tok = strtok(NULL, "M");
+ if (tok == NULL) continue;
min = atoi(tok);
/* Adjust hour from AM/PM. Just for the record, the sequence goes
11:00AM, 12:00PM, 01:00PM ... 11:00PM, 12:00AM, 01:00AM . */
@@ -499,7 +504,9 @@
here. */
tok = strtok(NULL, " ");
- while (*tok == '\0') tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
+ while ((tok != NULL) && (*tok == '\0')) tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
if (*tok == '<')
{
cur.type = FT_DIRECTORY;
@@ -680,6 +687,7 @@
/* Third/Second column: Date DD-MMM-YYYY. */
tok = strtok(NULL, "-");
+ if (tok == NULL) continue;
day = atoi(tok);
tok = strtok(NULL, "-");
@@ -697,11 +705,13 @@
/* Uknown months are mapped to January */
month = i % 12 ;
tok = strtok (NULL, " ");
+ if (tok == NULL) continue;
year = atoi (tok) - 1900;
/* Fourth/Third column: Time hh:mm[:ss] */
tok = strtok (NULL, " ");
+ if (tok == NULL) continue;
hour = min = sec = 0;
p = tok;
hour = atoi (p);
@@ -732,10 +742,12 @@
/* Skip the fifth column */
tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
/* Sixth column: Permissions */
tok = strtok(NULL, ","); /* Skip the VMS-specific SYSTEM
permissons */
+ if (tok == NULL) continue;
tok = strtok(NULL, ")");
if (tok == NULL)
{
Can you please integrate the fix into woody and sarge, since
I believe many people need this utility (at least I use it
very much). If you want me to debianize the patch, get back
to me.
Thanks a lot,
Oliver
--
-------
Oliver Oberlach
telematis Netzwerke GmbH
mailto: <email address hidden>
Tel: +49 (0) 7243-3448-0, Fax: -498
visit us: http://
-------
In Debian Bug tracker #284875, Oliver Oberlach (oliver-oberlach) wrote : Patch for different bug, so sorry | #6 |
Sorry, the fix I reported earlier is actually
for a different bug. (279901, which has the
bug already attached). Egg on my face :-(
In the Bug Tracker at wget-bugs.
the bug is "deferred" and a comment says, it's long
fixed.
I could not find anything in the ChangeLog.
Thank you and best regards,
Oliver
--
-------
Oliver Oberlach
telematis Netzwerke GmbH
mailto: <email address hidden>
Tel: +49 (0) 7243-3448-0, Fax: -498
visit us: http://
-------
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Mon, 20 Dec 2004 22:22:18 +0100
From: Oliver Oberlach <email address hidden>
To: <email address hidden>
Subject: Patch for security problem is in CVS
Hi!
There is a patch in CVS:
http://
--- wget/src/ftp-ls.c 2003/12/14 13:35:27 1.27
+++ wget/src/ftp-ls.c 2004/12/09 01:20:39 1.28
@@ -456,11 +456,14 @@
/* First column: mm-dd-yy. Should atoi() on the month fail, january
will be assumed. */
tok = strtok(line, "-");
+ if (tok == NULL) continue;
month = atoi(tok) - 1;
if (month < 0) month = 0;
tok = strtok(NULL, "-");
+ if (tok == NULL) continue;
day = atoi(tok);
tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
year = atoi(tok);
/* Assuming the epoch starting at 1.1.1970 */
if (year <= 70) year += 100;
@@ -468,8 +471,10 @@
/* Second column: hh:mm[AP]M, listing does not contain value for
seconds */
tok = strtok(NULL, ":");
+ if (tok == NULL) continue;
hour = atoi(tok);
tok = strtok(NULL, "M");
+ if (tok == NULL) continue;
min = atoi(tok);
/* Adjust hour from AM/PM. Just for the record, the sequence goes
11:00AM, 12:00PM, 01:00PM ... 11:00PM, 12:00AM, 01:00AM . */
@@ -499,7 +504,9 @@
here. */
tok = strtok(NULL, " ");
- while (*tok == '\0') tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
+ while ((tok != NULL) && (*tok == '\0')) tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
if (*tok == '<')
{
cur.type = FT_DIRECTORY;
@@ -680,6 +687,7 @@
/* Third/Second column: Date DD-MMM-YYYY. */
tok = strtok(NULL, "-");
+ if (tok == NULL) continue;
day = atoi(tok);
tok = strtok(NULL, "-");
@@ -697,11 +705,13 @@
/* Uknown months are mapped to January */
month = i % 12 ;
tok = strtok (NULL, " ");
+ if (tok == NULL) continue;
year = atoi (tok) - 1900;
/* Fourth/Third column: Time hh:mm[:ss] */
tok = strtok (NULL, " ");
+ if (tok == NULL) continue;
hour = min = sec = 0;
p = tok;
hour = atoi (p);
@@ -732,10 +742,12 @@
/* Skip the fifth column */
tok = strtok(NULL, " ");
+ if (tok == NULL) continue;
/* Sixth column: Permissions */
tok = strtok(NULL, ","); /* Skip the VMS-specific SYSTEM
permissons */
+ if (tok == NULL) continue;
tok = strtok(NULL, ")");
if (tok == NULL)
{
Can you please integrate the fix into woody and sarge, since
I believe many people need this utility (at least I use it
very much). If you want me to debianize the patch, get back
to me.
Thanks a lot,
Oliver
--
-------
Oliver Oberlach
telematis Netzwerke GmbH
mailto: <email address hidden>
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Mon, 20 Dec 2004 22:33:23 +0100
From: Oliver Oberlach <email address hidden>
To: <email address hidden>
Subject: Patch for different bug, so sorry
Sorry, the fix I reported earlier is actually
for a different bug. (279901, which has the
bug already attached). Egg on my face :-(
In the Bug Tracker at wget-bugs.
the bug is "deferred" and a comment says, it's long
fixed.
I could not find anything in the ChangeLog.
Thank you and best regards,
Oliver
--
-------
Oliver Oberlach
telematis Netzwerke GmbH
mailto: <email address hidden>
Tel: +49 (0) 7243-3448-0, Fax: -498
visit us: http://
-------
In Debian Bug tracker #284875, Andreas Barth (aba) wrote : wget - solving strategies | #9 |
reopen 261755
tag 261755 +sarge
thanks
Hi,
just a few annotation from me on how to make wget reach sarge. IMHO,
the current patch to 261755 is _not_ acceptable for inclusion into a
stable release, because it is too clumpsy. It is of no use to filter the
printout to the console (after adding localized characters), but the
sanitation should take part of the input stream.
Therefore, IMHO the right fix to the other bug is a prerequisite to be
able to finally release with a good version of wget.
Some annotations to the listed bugs:
Can (1) really happen in a normal scenario? According to the man page
When running Wget without -N, -nc, or -r, downloading the same file in
the same directory will result in the original copy of file being
preserved and the second copy being named file.1.
So, this case will happen only if -r is specified. (Or is wget buggy to
allow the remote side to overwrite that documented behaviour?)
(2) seems to happen _exactly_ when the hostnames are created in the
directory hierarchy. This needs tackling.
(3) see my comment above.
(4) needs probably be discussed a bit more.
Cheers,
Andi
--
http://
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 22:03:27 +0100
From: Andreas Barth <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: wget - solving strategies
reopen 261755
tag 261755 +sarge
thanks
Hi,
just a few annotation from me on how to make wget reach sarge. IMHO,
the current patch to 261755 is _not_ acceptable for inclusion into a
stable release, because it is too clumpsy. It is of no use to filter the
printout to the console (after adding localized characters), but the
sanitation should take part of the input stream.
Therefore, IMHO the right fix to the other bug is a prerequisite to be
able to finally release with a good version of wget.
Some annotations to the listed bugs:
Can (1) really happen in a normal scenario? According to the man page
When running Wget without -N, -nc, or -r, downloading the same file in
the same directory will result in the original copy of file being
preserved and the second copy being named file.1.
So, this case will happen only if -r is specified. (Or is wget buggy to
allow the remote side to overwrite that documented behaviour?)
(2) seems to happen _exactly_ when the hostnames are created in the
directory hierarchy. This needs tackling.
(3) see my comment above.
(4) needs probably be discussed a bit more.
Cheers,
Andi
--
http://
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
In Debian Bug tracker #284875, Lars Wirzenius (liw-iki) wrote : wget security problem: trouble replicating | #11 |
I had a look at Debian bug 284875, "wget: Arbitrary file
overwriting/
about points (1) and (2) therein. I set up the proof of concept Perl
script to run via inetd, which I think is a working way of setting it
up. The script responds to HTTP queries and does, I think, respond in
the way to trigger the exploit. Lynx and wget both follow the
redirections.
I can't, however, replicate the points (1) and (2) using version
1.9.1-10 in Debian sid. Instead of overwriting or appending or other bad
things happening, wget seems to only create a file with ".1" (or ".2"
etc) appended to the filename. The same happens with 1.9.1-8 in Debian
sarge.
Jan, could you clarify how to replicate these two points? More detailed
steps, a typescript (from script(1)) of a terminal session where you do
it, or something like that?
(I haven't looked at points (3) and (4) yet, I'll do that later.)
In Debian Bug tracker #284875, Lars Wirzenius (liw-iki) wrote : wget security problem: more reproduction problems | #12 |
Hi,
I've looked again at Debian bug #284875 and I can't see how to reproduce
the fourth part, either:
> (4) Just about any stupid hack will work with wget. %00 bytes (see the
> POC) and other %-escaped control characters handling, symlink attacks:
>
> $ cd /tmp
> $ ln -s index.html /path/to/foo
> $ wget -x http://
> -> /path/to/foo
In my tests wget does sanitize the input, so these attacks would seem to
be fruitless. Could you explain in further detail how to reproduce this?
In Debian Bug tracker #284875, Lars Wirzenius (liw-esme) wrote : tagging 284875 | #13 |
tags 284875 + unreproducible
In Debian Bug tracker #284875, Jan Minar (jjminar) wrote : Re: Bug#284875: wget security problem: trouble replicating | #14 |
On Fri, Feb 04, 2005 at 02:57:12AM +0200, Lars Wirzenius wrote:
> I had a look at Debian bug 284875, "wget: Arbitrary file
> overwriting/
> about points (1) and (2) therein. I set up the proof of concept Perl
> script to run via inetd, which I think is a working way of setting it
> up. The script responds to HTTP queries and does, I think, respond in
> the way to trigger the exploit. Lynx and wget both follow the
> redirections.
> I can't, however, replicate the points (1) and (2) using version
> 1.9.1-10 in Debian sid. Instead of overwriting or appending or other bad
> things happening, wget seems to only create a file with ".1" (or ".2"
> etc) appended to the filename. The same happens with 1.9.1-8 in Debian
> sarge.
Anybody wanting to fix this will sooner or later need to RTFM -- no pun
intended; the options are really hairy, and many of them have one or
another bearing on this.
The trick is to use the -c or -N options. Also note that -x can be used
instead of -r. See the discussion in the manpage under the `-nc'
option.
On the server (exploiter's) side, you might use a filename that is highly unlikely to
be present on the target system, yet is highly likely to be executed
(/etc/cron.
that it is possible to make an educated guess about the presence/absence
of -c, -N, and -r options.
Cheers,
Jan.
--
)^o-o^| jabber: <email address hidden>
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Minář irc: <email address hidden>
In Debian Bug tracker #284875, Jan Minar (jjminar) wrote : Re: Bug#284875: wget security problem: more reproduction problems | #15 |
On Sat, Feb 05, 2005 at 02:41:35AM +0200, Lars Wirzenius wrote:
> I've looked again at Debian bug #284875 and I can't see how to reproduce
> the fourth part, either:
>
> > (4) Just about any stupid hack will work with wget. %00 bytes (see the
> > POC) and other %-escaped control characters handling, symlink attacks:
> >
> > $ cd /tmp
> > $ ln -s index.html /path/to/foo
> > $ wget -x http://
> > -> /path/to/foo
>
> In my tests wget does sanitize the input, so these attacks would seem to
> be fruitless. Could you explain in further detail how to reproduce this?
Which version? What command exactly?
--
)^o-o^| jabber: <email address hidden>
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Minář irc: <email address hidden>
Debian Bug Importer (debzilla) wrote : | #16 |
Message-Id: <email address hidden>
Date: Fri, 04 Feb 2005 02:57:12 +0200
From: Lars Wirzenius <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: wget security problem: trouble replicating
I had a look at Debian bug 284875, "wget: Arbitrary file
overwriting/
about points (1) and (2) therein. I set up the proof of concept Perl
script to run via inetd, which I think is a working way of setting it
up. The script responds to HTTP queries and does, I think, respond in
the way to trigger the exploit. Lynx and wget both follow the
redirections.
I can't, however, replicate the points (1) and (2) using version
1.9.1-10 in Debian sid. Instead of overwriting or appending or other bad
things happening, wget seems to only create a file with ".1" (or ".2"
etc) appended to the filename. The same happens with 1.9.1-8 in Debian
sarge.
Jan, could you clarify how to replicate these two points? More detailed
steps, a typescript (from script(1)) of a terminal session where you do
it, or something like that?
(I haven't looked at points (3) and (4) yet, I'll do that later.)
Debian Bug Importer (debzilla) wrote : | #17 |
Message-Id: <email address hidden>
Date: Sat, 05 Feb 2005 02:41:35 +0200
From: Lars Wirzenius <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: wget security problem: more reproduction problems
Hi,
I've looked again at Debian bug #284875 and I can't see how to reproduce
the fourth part, either:
> (4) Just about any stupid hack will work with wget. %00 bytes (see the
> POC) and other %-escaped control characters handling, symlink attacks:
>
> $ cd /tmp
> $ ln -s index.html /path/to/foo
> $ wget -x http://
> -> /path/to/foo
In my tests wget does sanitize the input, so these attacks would seem to
be fruitless. Could you explain in further detail how to reproduce this?
Debian Bug Importer (debzilla) wrote : | #18 |
Message-Id: <email address hidden>
Date: Sat, 5 Feb 2005 03:36:22 +0200 (EET)
From: <email address hidden> (Lars Wirzenius)
To: <email address hidden>
Subject: tagging 284875
tags 284875 + unreproducible
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Sat, 5 Feb 2005 20:45:22 +0000
From: Jan Minar <email address hidden>
To: Lars Wirzenius <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#284875: wget security problem: trouble replicating
--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=iso-8859-2
Content-
Content-
On Fri, Feb 04, 2005 at 02:57:12AM +0200, Lars Wirzenius wrote:
> I had a look at Debian bug 284875, "wget: Arbitrary file
> overwriting/
> about points (1) and (2) therein. I set up the proof of concept Perl
> script to run via inetd, which I think is a working way of setting it
> up. The script responds to HTTP queries and does, I think, respond in
> the way to trigger the exploit. Lynx and wget both follow the
> redirections.
> I can't, however, replicate the points (1) and (2) using version
> 1.9.1-10 in Debian sid. Instead of overwriting or appending or other bad
> things happening, wget seems to only create a file with ".1" (or ".2"
> etc) appended to the filename. The same happens with 1.9.1-8 in Debian
> sarge.
Anybody wanting to fix this will sooner or later need to RTFM -- no pun
intended; the options are really hairy, and many of them have one or
another bearing on this.
The trick is to use the -c or -N options. Also note that -x can be used
instead of -r. See the discussion in the manpage under the `-nc'
option.
On the server (exploiter's) side, you might use a filename that is highly u=
nlikely to
be present on the target system, yet is highly likely to be executed
(/etc/cron.
that it is possible to make an educated guess about the presence/absence
of -c, -N, and -r options.
Cheers,
Jan.
--=20
)^o-o^| jabber: <email address hidden>
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Min=E1=F8 irc: <email address hidden>
--azLHFNyN32YCQGCU
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://
iD8DBQFCBTBi+
GS/8kcMmCjoBsg0
=Sfq/
-----END PGP SIGNATURE-----
--azLHFNyN32YCQ
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Sat, 5 Feb 2005 20:51:40 +0000
From: Jan Minar <email address hidden>
To: Lars Wirzenius <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#284875: wget security problem: more reproduction problems
--QTprm0S8XgL7H0Dt
Content-Type: text/plain; charset=iso-8859-2
Content-
Content-
On Sat, Feb 05, 2005 at 02:41:35AM +0200, Lars Wirzenius wrote:
> I've looked again at Debian bug #284875 and I can't see how to reproduce
> the fourth part, either:
>=20
> > (4) Just about any stupid hack will work with wget. %00 bytes (see the
> > POC) and other %-escaped control characters handling, symlink attacks:
> > =09
> > $ cd /tmp
> > $ ln -s index.html /path/to/foo
> > $ wget -x http://
> > -> /path/to/foo
>=20
> In my tests wget does sanitize the input, so these attacks would seem to=
=20
> be fruitless. Could you explain in further detail how to reproduce this?
Which version? What command exactly?
--=20
)^o-o^| jabber: <email address hidden>
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Min=E1=F8 irc: <email address hidden>
--QTprm0S8XgL7H0Dt
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://
iD4DBQFCBTHc+
lq17J703vIAtOoi
=kpZz
-----END PGP SIGNATURE-----
--QTprm0S8XgL7H
In Debian Bug tracker #284875, Lars Wirzenius (liw-esme) wrote : tagging 284875 | #21 |
tags 284875 - unreproducible
Debian Bug Importer (debzilla) wrote : | #22 |
Message-Id: <email address hidden>
Date: Wed, 9 Feb 2005 01:37:53 +0200 (EET)
From: <email address hidden> (Lars Wirzenius)
To: <email address hidden>
Subject: tagging 284875
tags 284875 - unreproducible
In Debian Bug tracker #284875, Lars Wirzenius (liw-iki) wrote : Re: Bug#284875: wget security problem: trouble replicating | #23 |
My apologies for taking so long to reply.
la, 2005-02-05 kello 20:45 +0000, Jan Minar kirjoitti:
> Anybody wanting to fix this will sooner or later need to RTFM -- no pun
> intended; the options are really hairy, and many of them have one or
> another bearing on this.
Indeed, I probably should have tried hard to replicate it. On the other
hand, when reporting bugs, it is good to be clear and precise;
especially so when reporting security bugs.
Here's what I've now done, and I can indeed replicate some of the things
you reported. Could you explain (in some detail, as it is clear that I
am clueless) how to replicate the rest? Bugs that can't be replicated
usually won't get fixed, either.
I'm using 1.9.1-10, from sid, on i386.
The bug report claims that "DNS poisoning" needs to
happen for the output file to be placed somewhere else
than the current working directory. Since I don't want
to muck with my DNS server, I'll modify wget so that
whenever it looks up ".." as a domain name, it will
get a reply. Change required: src/host.c, around
line 610, if host equals "..", set it to "127.0.0.1".
* Get proof-of-concept exploit script from the bug report.
Store it in /home/liw/
and give it execution permissions.
* Modify the script to open log file /tmp/wgettrap.log in
append mode and use "/home/xxx" instead of "/home/jan"
(very small changes).
* Add the following line to /etc/inetd.conf: "31340 stream
tcp nowait liw
/
* Create a new user, xxx, and log in as that user. Home
directory is empty (only contains .bash_history). Create
directory foo and change to that directory. Create a
subdirectory of foo called bar.
* Run: "wget http://
~
attacker. Conclusion: wget may create files that will be
executed (such as .procmailrc) if run in a suitable
location. The worrying part here is that wget chooses
the name based on data given by the remote end and
redirections may cause a file to be created that the
user did not expect from the original URL.
* Run the same command with -c added, after removing the
~
* Replace ~/foo/.procm4ilrc with empty file, run wget
without -c. Result: ~/foo/.procm4ilrc.1 is created.
Conclusion: this works as it should. No worries.
* Remove ~/foo/.
run wget with -c. Result: wget appends the contents
downloaded from the remote end to ~/foo/.procm4ilrc.
Conclusion: an attacker may replace an empty file with
data. Difference from what happens with the file not
existing is that only write permission on the file is
required, not permission to the current working
directory.
* Remove ~/foo/.procm4ilrc, create a new one containing
the word "hello". Run wget without -c. Result:
~
Debian Bug Importer (debzilla) wrote : | #24 |
Message-Id: <email address hidden>
Date: Wed, 09 Feb 2005 02:42:58 +0200
From: Lars Wirzenius <email address hidden>
To: Jan Minar <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#284875: wget security problem: trouble replicating
My apologies for taking so long to reply.
la, 2005-02-05 kello 20:45 +0000, Jan Minar kirjoitti:
> Anybody wanting to fix this will sooner or later need to RTFM -- no pun
> intended; the options are really hairy, and many of them have one or
> another bearing on this.
Indeed, I probably should have tried hard to replicate it. On the other
hand, when reporting bugs, it is good to be clear and precise;
especially so when reporting security bugs.
Here's what I've now done, and I can indeed replicate some of the things
you reported. Could you explain (in some detail, as it is clear that I
am clueless) how to replicate the rest? Bugs that can't be replicated
usually won't get fixed, either.
I'm using 1.9.1-10, from sid, on i386.
The bug report claims that "DNS poisoning" needs to
happen for the output file to be placed somewhere else
than the current working directory. Since I don't want
to muck with my DNS server, I'll modify wget so that
whenever it looks up ".." as a domain name, it will
get a reply. Change required: src/host.c, around
line 610, if host equals "..", set it to "127.0.0.1".
* Get proof-of-concept exploit script from the bug report.
Store it in /home/liw/
and give it execution permissions.
* Modify the script to open log file /tmp/wgettrap.log in
append mode and use "/home/xxx" instead of "/home/jan"
(very small changes).
* Add the following line to /etc/inetd.conf: "31340 stream
tcp nowait liw
/
* Create a new user, xxx, and log in as that user. Home
directory is empty (only contains .bash_history). Create
directory foo and change to that directory. Create a
subdirectory of foo called bar.
* Run: "wget http://
~
attacker. Conclusion: wget may create files that will be
executed (such as .procmailrc) if run in a suitable
location. The worrying part here is that wget chooses
the name based on data given by the remote end and
redirections may cause a file to be created that the
user did not expect from the original URL.
* Run the same command with -c added, after removing the
~
* Replace ~/foo/.procm4ilrc with empty file, run wget
without -c. Result: ~/foo/.procm4ilrc.1 is created.
Conclusion: this works as it should. No worries.
* Remove ~/foo/.
run wget with -c. Result: wget appends the contents
downloaded from the remote end to ~/foo/.procm4ilrc.
Conclusion: an attacker may replace an empty file with
data. Difference from what happens with the file not
existing is that only write permiss...
In Debian Bug tracker #284875, Jan Minar (jjminar) wrote : | #25 |
On Wed, Feb 09, 2005 at 02:42:58AM +0200, Lars Wirzenius wrote:
> la, 2005-02-05 kello 20:45 +0000, Jan Minar kirjoitti:
> > Anybody wanting to fix this will sooner or later need to RTFM -- no pun
> > intended; the options are really hairy, and many of them have one or
> > another bearing on this.
>
> Indeed, I probably should have tried hard to replicate it. On the other
> hand, when reporting bugs, it is good to be clear and precise;
> especially so when reporting security bugs.
Wget needs a redesign of major portions of the code base, not just
patching one or even lots of isolated bugs.
> Here's what I've now done, and I can indeed replicate some of the things
> you reported. Could you explain (in some detail, as it is clear that I
> am clueless) how to replicate the rest? Bugs that can't be replicated
> usually won't get fixed, either.
So You say a PoC should work out-of-the-box? Allright then...
> I'm using 1.9.1-10, from sid, on i386.
>
> The bug report claims that "DNS poisoning" needs to
> happen for the output file to be placed somewhere else
> than the current working directory. Since I don't want
> to muck with my DNS server, I'll modify wget so that
> whenever it looks up ".." as a domain name, it will
> get a reply. Change required: src/host.c, around
> line 610, if host equals "..", set it to "127.0.0.1".
>
> * Get proof-of-concept exploit script from the bug report.
> Store it in /home/liw/
> and give it execution permissions.
>
> * Modify the script to open log file /tmp/wgettrap.log in
> append mode and use "/home/xxx" instead of "/home/jan"
> (very small changes).
>
> * Add the following line to /etc/inetd.conf: "31340 stream
> tcp nowait liw
> /home/liw/
>
> * Create a new user, xxx, and log in as that user. Home
> directory is empty (only contains .bash_history). Create
> directory foo and change to that directory. Create a
> subdirectory of foo called bar.
>
> * Run: "wget http://
> ~/foo/.procm4ilrc was created, with contets decided by
> attacker. Conclusion: wget may create files that will be
> executed (such as .procmailrc) if run in a suitable
> location. The worrying part here is that wget chooses
> the name based on data given by the remote end and
> redirections may cause a file to be created that the
> user did not expect from the original URL.
Note: The attacker may create multiple files even when wget is run in a
single-file retrieving mode (the default settings; without -r, -p, or
similar), by repeatedly closing the connection -- wget will try to
re-establish the connection -- and redirecting to different URLs. One
of the interesting switches here is -t, which specifies the number of
retries.
This is IMO the most amusing misfeature of wget: when downloading a
large file (say a CD image), the attacker can interrupt the download in
the middle, create few files, then resume the original file. The
original file will be downloaded OK....
Debian Bug Importer (debzilla) wrote : | #26 |
Message-ID: <email address hidden>
Date: Thu, 10 Feb 2005 00:56:01 +0000
From: Jan Minar <email address hidden>
To: Lars Wirzenius <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#284875: wget security problem: trouble replicating
--BXVAT5kNtrzKuDFl
Content-Type: text/plain; charset=iso-8859-2
Content-
Content-
On Wed, Feb 09, 2005 at 02:42:58AM +0200, Lars Wirzenius wrote:
> la, 2005-02-05 kello 20:45 +0000, Jan Minar kirjoitti:
> > Anybody wanting to fix this will sooner or later need to RTFM -- no pun
> > intended; the options are really hairy, and many of them have one or
> > another bearing on this.
>=20
> Indeed, I probably should have tried hard to replicate it. On the other
> hand, when reporting bugs, it is good to be clear and precise;
> especially so when reporting security bugs.
Wget needs a redesign of major portions of the code base, not just
patching one or even lots of isolated bugs.
> Here's what I've now done, and I can indeed replicate some of the things
> you reported. Could you explain (in some detail, as it is clear that I
> am clueless) how to replicate the rest? Bugs that can't be replicated
> usually won't get fixed, either.
So You say a PoC should work out-of-the-box? Allright then...
> I'm using 1.9.1-10, from sid, on i386.
>=20
> The bug report claims that "DNS poisoning" needs to
> happen for the output file to be placed somewhere else
> than the current working directory. Since I don't want
> to muck with my DNS server, I'll modify wget so that
> whenever it looks up ".." as a domain name, it will
> get a reply. Change required: src/host.c, around
> line 610, if host equals "..", set it to "127.0.0.1".
> =20
> * Get proof-of-concept exploit script from the bug report.
> Store it in /home/liw/
> and give it execution permissions.
> =20
> * Modify the script to open log file /tmp/wgettrap.log in
> append mode and use "/home/xxx" instead of "/home/jan"
> (very small changes).
> =20
> * Add the following line to /etc/inetd.conf: "31340 stream
> tcp nowait liw
> /home/liw/
> =20
> * Create a new user, xxx, and log in as that user. Home
> directory is empty (only contains .bash_history). Create
> directory foo and change to that directory. Create a
> subdirectory of foo called bar.
> =20
> * Run: "wget http://
> ~/foo/.procm4ilrc was created, with contets decided by
> attacker. Conclusion: wget may create files that will be
> executed (such as .procmailrc) if run in a suitable
> location. The worrying part here is that wget chooses
> the name based on data given by the remote end and
> redirections may cause a file to be created that the
> user did not expect from the original URL.
Note: The attacker may create multiple files even when wget is run in a
single-file retrieving mode (the default settings; without -r, -p, or
similar), by repeatedly closing the conn...
Matt Zimmerman (mdz) wrote : | #27 |
Is there a genuine security issue here which is relevant to Ubuntu?
Martin Pitt (pitti) wrote : | #28 |
(In reply to comment #14)
> Is there a genuine security issue here which is relevant to Ubuntu?
Yes, I think overwriting arbitrary files in the current directory (when called
with '-r' and other switches) is pretty severe.
The necessary changes are pretty fundamental (design changes), and there are no
patches so far (apart from (3) which is already fixed in Sid/Hoary). In terms of
a security update I'm more inclined to disable some dangerous features which are
not commonly used rather than trying to fix them. I'll look into this soon, so
that we can ship a good version with Hoary.
In Debian Bug tracker #284875, Noël Köthe (noel) wrote : Re: wget security bug #284875 (arbitrary file overwriting..) | #29 |
Am Sonntag, den 24.04.2005, 14:18 +0200 schrieb Christian Hammers:
Hello Christian,
> The bug is flagged security + grave but seemed to be stalled for more
> than two month. As the "forwarded to" URL gives only a 404 and
> http://
> been fixed in a new upstream version?
sorry, no.
There is no new upstream version. Upstream is now more active and its at
1.10alpha2 which has it fixed but afaik -release wouldn't allow a new
version because this version has new (important for many) features like
LFS (>2gb) and better ipv6 support.
--
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
In Debian Bug tracker #284875, Christian Hammers (ch) wrote : | #30 |
Hello Noel
On 2005-04-24 Noèl Köthe wrote:
> > The bug is flagged security + grave but seemed to be stalled for more
> > than two month. As the "forwarded to" URL gives only a 404 and
> > http://
> > been fixed in a new upstream version?
>
> sorry, no.
> There is no new upstream version. Upstream is now more active and its at
> 1.10alpha2 which has it fixed but afaik -release wouldn't allow a new
> version because this version has new (important for many) features like
> LFS (>2gb) and better ipv6 support.
Well, -release will surely not allow Sarge to be release with a security
bug, so something has to be done :)
If a backported patch would be too intrusive then the new version must
be accepted (if it fixes other "important" issues like LFS, the better).
At least we cannot simply drop wget because it's used too much by other
scripts.
Or you decide with the security team to downgrade the bug to "important" if
the bug is too hard to exploit and release Sarge with it, maybe waiting for
the 3.1r1 with the new upstream version (but I guess if the new version has
been in unstable for 1month or so it can be considered ok).
bye,
-christian-
In Debian Bug tracker #284875, Hrvoje Nikšić (hniksic) wrote : | #31 |
I believe the bugs reported here have been fixed in CVS.
Specifically:
* ".." will not be injected as a file name component even if it is the
valid host name.
* Escape sequences printed by the server are being filtered.
* %00 is no longer unescaped.
The fixes for all of these issues could be backported to 1.9.1.
In Debian Bug tracker #284875, Noël Köthe (noel) wrote : Bug#284875: fixed in wget 1.9.1-11 | #32 |
Source: wget
Source-Version: 1.9.1-11
We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:
wget_1.
to pool/main/
wget_1.9.1-11.dsc
to pool/main/
wget_1.
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noèl Köthe <email address hidden> (supplier of updated wget package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 05 May 2005 22:58:58 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.9.1-11
Distribution: unstable
Urgency: high
Maintainer: Noèl Köthe <email address hidden>
Changed-By: Noèl Köthe <email address hidden>
Description:
wget - retrieves files from the web
Closes: 261755 284875 305425
Changes:
wget (1.9.1-11) unstable; urgency=high
.
* going back to -8 status to have minimal changes to current
sarge version
* backported fixes from Hrvoje Niksic/upstream from wget 1.10
cvs version (thanks alot Hrvoje Niksic!):
- adds the filtering of control chars
(closes: Bug#261755)
- prevents hosts named ".." from writing to ../. and
prevents "%00" truncating C strings that hold URLs
(closes: Bug#284875)
* removed unneeded texi2html build-dep
(closes: Bug#305425)
Files:
ba4c07b0f2a998
1421b183f36da5
f200df94d7cb8d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCeoQl9/
ulkXZX2xdW1kUlu
=868g
-----END PGP SIGNATURE-----
In Debian Bug tracker #284875, Frank Lichtenheld (djpig) wrote : tagging 308622, reopening 261755, tagging 261755, reopening 284875, tagging 284875 | #33 |
# Automatically generated email from bts, devscripts version 2.8.14
tags 308622 - fixed patch
reopen 261755
tags 261755 sarge
reopen 284875
tags 284875 sarge
In Debian Bug tracker #284875, Frank Lichtenheld (djpig) wrote : reopening 308622, closing 284875 | #34 |
# Automatically generated email from bts, devscripts version 2.8.14
# argh, what have I smoked today?
reopen 308622
close 284875
In Debian Bug tracker #284875, Frank Lichtenheld (djpig) wrote : tagging 284875 | #35 |
# Automatically generated email from bts, devscripts version 2.8.14
tags 284875 - sarge
Martin Pitt (pitti) wrote : | #36 |
Sorry for dragging this so long, but since none of this stuff was overly
critical, I defered that a bit. All issues have been fixed in USN-145-1.
Changed in wget: | |
status: | Unknown → Fix Released |
Automatically imported from Debian bug report #284875 http:// bugs.debian. org/284875