GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS.
When a recursive directory fetch over FTP server as the target, it would let an attacker “create arbitrary files, directories or symbolic links” due to a symlink flaw.
IMPACT OF SYMLINK ATTACK
“It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,” developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.
A remote unauthenticated malicious FTP server connected to the victim via wget would allow attackers to do anything they wanted. Wget could download and create or overwrite existing files within the context of the user running wget.
The vulnerability was first reported
to the GNU Wget project by HD Moore, chief research officer at Rapid7. and is publicly identified as CVE-2014-4877
. The flaw is considered critical since wget is present on nearly every Linux server in the world, and is installable (although not by default) on OS X machines as well, so needs a patch as soon as possible.
“This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys,” Moore wrote.
The vulnerability has now been fixed by the Wget project
in wget 1.16, which blocks the default setting that allowed the setting of local symlinks.
“Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch,” Moore said.
WORKAROUND AVAILABLE EXPLOIT
“This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify –retr-symlinks command line option,” wrote Tomas Hoger on the Bugzilla report. “Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally.“
“In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file – either global /etc/wgetrc, or user specific ~/.wgetrc – by adding the line: retr-symlinks=on“
An exploit for the vulnerability is now available on the open-source Metasploit penetration testing Website, so that security researchers could test the bug. You can download the exploit