Slashdot Mirror


Dangerous Vulnerability Fixed In Wget

jones_supa writes: A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877. "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov writes in Red Hat Bugzilla. A malicious FTP server can stomp over your entire filesystem, tweets HD Moore, chief research officer at Rapid 7, who is the original reporter of the bug.

58 comments

  1. Wget by Anonymous Coward · · Score: 2, Funny

    Is that the tool you use to download IE ??

    Erm... wait, that wasn't right....

    1. Re:Wget by fugas · · Score: 1

      There's actually a tiny implementation of wget for Windows that I've been using for that type of thing precisely ;) It's called nugget, doesn't have all the bells and whistles of wget but still has some pretty interesting and unique features. Don't have the URL at hand, though.

    2. Re:Wget by Anonymous Coward · · Score: 0

      Is that something different than the NuGet package manager for the .Net framework?

    3. Re:Wget by tyggna · · Score: 1

      It's the tool you use to download elinks

  2. Thank god! by Anonymous Coward · · Score: 0

    All the shitty ruby, python, and php packages specifically tell me to pipe their installer through curl instead of wget.

    1. Re: Thank god! by Anonymous Coward · · Score: 0

      They only do that because curl comes with OS X, and wget doesn't.

  3. super user by goombah99 · · Score: 1, Insightful

    so don't run wget as root?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:super user by gweihir · · Score: 1

      You should not do that anyways.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:super user by caseih · · Score: 4, Interesting

      Yes that's good practice for any command. Though wget is used behind the scenes by, say, opkg on openwrt boxes, which has to run as root since it's unpacking and installing packages. In fact on embedded devices, most everything runs as root there, typically, even if it's a bad idea, and is going to have to change as the internet of things becomes a fact of life. Never thought I'd need to run selinux on an embedded device, but we're to the point now where that's required.

      It's good to have this particular bug fixed at least.

    3. Re:super user by DarkOx · · Score: 2

      I was going to make essentially the same comment. Someone is going to jump in and suggest that utilities like that should have their own user account and call sudo or fork and su to start wget as the limited user, and fetch certificates to some specific directory.

      Those someones are probably correct, but we all know in practice that rarely happens.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:super user by Anonymous Coward · · Score: 1

      Never thought I'd need to run selinux on an embedded device,

      Luckily at a point when the CPU and disk space of many embedded devices is now affordably at a point that makes the extra overhead viable.

    5. Re: super user by undisclosedrecipient · · Score: 4, Insightful

      Root access is the worst case indeed, but it's not a silver bullet if what you really want to protect is accessible by current user. I've seen my share of magical thinking banning root at all costs while in fact confidential data can be grabbed by an exploitable non-root user.

    6. Re:super user by Qzukk · · Score: 1

      which has to run as root since it's unpacking and installing

      wget isn't unpacking and installing, it should not be run as root.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    7. Re:super user by Anonymous Coward · · Score: 1

      If it's installing packages it can pwn your box anyway, no wget vulnerability required.

    8. Re:super user by MouseTheLuckyDog · · Score: 2

      Whoosh.

    9. Re:super user by MouseTheLuckyDog · · Score: 1

      Yes but, I would hope that an installation of openwrt is getting its packages from a highly trusted source. If the source is using a bug to damage your system then you've got a lot more problems than wget.

    10. Re:super user by Anonymous Coward · · Score: 1

      Never thought I'd need to run selinux on an embedded device

      So, instead of using a program with a known vulnerability that's being fixed as we speak, you want me to run NSA code? FUCK OFF SHILL.

      SELinux is dead to me, regardless of whether it might or might not be safe to run. I refuse to trust anything that they've gone anywhere near. It's like how FTDI fucked up. You lost any trust I might have had, and I'm not auditing your piece of shit. I'm walking away from it.

    11. Re:super user by Anonymous Coward · · Score: 0

      That's a good start, but imagine that user "joe" gets hit by this bug. ~/.bash_logout could get replaced with some commands that set up cron jobs for the current user and make further wgets for command and control or add entries to .ssh/authorized_keys. If a new local privilege escalation is discovered, the owned local account can be used to deploy that priv escalation via the automated C&C.

      All of this can happen in the background while joe does his normal work. I mean, what user checks their .bash_logout regularly?

    12. Re:super user by peppepz · · Score: 1
      It's not enough to download some files: in order to be susceptible to the attack, those devices should download stuff as root in recursive mode from a compromised ftp server. I honestly can't see that happening in reality.

      (But then again I wouldn't believe that home routers could be sold with an internet-facing backdoor open by default in their stock firmware, until that happened.)

    13. Re:super user by Anonymous Coward · · Score: 0

      "anyway". The word is "anyway".

    14. Re:super user by whoever57 · · Score: 1

      Though wget is used behind the scenes by, say, opkg on openwrt boxes, which has to run as root since it's unpacking and installing packages.

      No, it doesn't. A safer architecture would be to use an unprivileged user for downloading and only use root for installing.

      --
      The real "Libtards" are the Libertarians!
    15. Re:super user by Anonymous Coward · · Score: 0

      wget is a program not a command you fucking moron.

    16. Re:super user by rebelwarlock · · Score: 1

      I run everything as root because YOLO. I'm not gonna be guessing perms and retyping commands, son. I got shit to do.

  4. rapid7.com metasploit & kb.cert.org advisory by Anonymous Coward · · Score: 4, Informative

    - The disclosure is here:

    https://community.rapid7.com/c...

    - Vulnerability Note VU#685996 (kb.cert.org):

    http://www.kb.cert.org/vuls/id...

  5. Re:rapid7.com metasploit & kb.cert.org advisor by Anonymous Coward · · Score: 1

    - A Metasploit module is available for testing:

    https://github.com/rapid7/meta...

  6. Nothing to see here, move along by gweihir · · Score: 4, Informative

    Bug found, bug fixed, another venerable tool got even better. This is just business as usual.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Nothing to see here, move along by Anonymous Coward · · Score: 1

      not true - several distros have yet to publish anything or upgrade.

      this is important news not easily swept away by hand waving.

    2. Re:Nothing to see here, move along by gweihir · · Score: 4, Informative

      Very moderately so. Of course, you should not wget to not trustworthy servers until you have a patched version. But you should not do that anyways, even with the patched version. The biggest risk is still what you get from the server, even if it is confined to its intended place.

      Of course, for clueless people using insecure practice, this issue may have some importance. The others are not really at risk and will get the information anyways from the vulnerability information feed of their choice.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Nothing to see here, move along by jsepeta · · Score: 1

      wasn't this addressed in February?
      https://www.redhat.com/archive...

      --
      Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
  7. Re:Dangerous Vulnerability Fixed In Wget by pe1rxq · · Score: 1

    The two terms are not mutually exclusive

    --
    Secure messaging: http://quickmsg.vreeken.net/
  8. Re:Dangerous Vulnerability Fixed In Wget by Anonymous Coward · · Score: 1

    Yes, it is Free Software, but it is Open Source too.

    GNU Wget is licensed under GPL 3 or above, and GPL 3 is an OSI-approved Open Source licence.

  9. Neat. by ledow · · Score: 4, Insightful

    Neat trick.

    But if you have arbitrary FTP URLs from untrusted sources piped straight into wget on a server you run, you have bigger problems than someone trashing your filesystem or overwriting your /etc/passwd.

  10. That's why I like to CURL up with a good book. by Anonymous Coward · · Score: 0

    NT

  11. Switching to windows by Anonymous Coward · · Score: 5, Funny

    Too tired of this kind of crap from the open source community

    1. Re: Switching to windows by Anonymous Coward · · Score: 0

      Using a file retrieval tool has always had the potential to overwrite existing files. In windows using FTP you could download files that overwrite existing system files and you could also easily download viruses.

      The solution is to know what you are doing when downloading files. The problem today is that people are reaching new lows of stupidity and so now we have to update old programs to save users from themselves.

      Give it a year: "EXPLOIT FOUND IN THE 'rm' COMMAND." "Turns out it has the potential to remove important system files if logged in as root."

      Lowering the barrier to entry in linux isn't making anything better. I've been thinking that since 2002.

    2. Re: Switching to windows by Anonymous Coward · · Score: 0

      Serious problem, but don't admit it.

      In order to protect the MIGHTY LINUX:
      1) insult the user and call them stupid.
      2) make a slippery slope joke, about how at this rate things will get worse and worse.
      3) push for exclusivity, instead of making things better by accepting an expanding user base that will do reasonable things with their computer that your lordship wouldn't apparently ever fall for.

    3. Re:Switching to windows by Anonymous Coward · · Score: 0

      10/10

    4. Re:Switching to windows by Anonymous Coward · · Score: 0

      LOL...this has to be a troll. There's no way anyone who gets the weekly security updates from Windows can possibly think that this doesn't happen on any OS. Windows either doesn't disclose it or it has become so commonplace to have vulnerabilities in Windows that they usually don't even talk about it anymore. It's not news. Point in fact, Windows is still vulnerable to this if you download something from an untrusted source, but that's not Windows or Linux's fault. It's doing what it's asked to do, you're the one supposed to trust the packages.

    5. Re: Switching to windows by Anonymous Coward · · Score: 0

      Has nothing to do with linux. It's an application that runs in GNU/linux. It's like saying that Evernote has a vulnerability so it's Windows' fault. This problem is only something that gets fixed at the user level. Sure the poster was a jerk, but it doesn't mean he wasn't accurate. It's a user issue not an OS issue.

    6. Re:Switching to windows by Culture20 · · Score: 1

      Don't forget to manually update all the patches that should be part of a service pack before connecting to the network. Especially the ones that patch the Windows Update service that fix errors where Windows Update can be tricked into downloading and installing anything from anywhere.

    7. Re: Switching to windows by MrBingoBoingo · · Score: 1

      Well, OpenBSD patched this in 2009 in their wget...

    8. Re: Switching to windows by Anonymous Coward · · Score: 0

      Well, OpenBSD patched this in 2009 in their wget...

      No, they fixed it in their implementation of the ftp program, which is a completely different application. Like the GP said, "Has nothing to do with linux. It's an application that runs in GNU/linux." If you ran wget on OpenBSD it would still have the bug, and if you ran OpenBSD's ftp program on Linux it would still be fixed.

  12. FTP? by Polizei · · Score: 1

    Anyone read the article?
    The vulnerability is only exploitable when fetching an FTP directory, recursively, from a malicious server.

    Yeah, it's a hole, but it's not shellshock. Stop bitching around and just update your box.

    1. Re:FTP? by ledow · · Score: 1

      And only as the user running wget.

      If someone can replace the URLs passed to wget as root, presumably it's only a small step to actually have them execute without needing wget to actually overwrite existing filesystem files.

    2. Re:FTP? by Anonymous Coward · · Score: 1

      Indeed. It cannot even be used with anonymous FTP to a site with full permissions on /incoming, it requires a symlink and a directory WITH THE SAME NAME, and no regular file system would allow that. So the FTP daemon needs to be specifically designed to send this.

      So yeah, unless ftp.redhat.com gets broken into, and the attacker gets root access to be able to replace ftpd, you don't need to worry about your package manager using wget to download stuff.

      And it only affects recursive downloads, so using wget to pull a URL from a malware e-mail is not going to be a problem either. Nobody would fetch those recursively.
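    The summary and the comment above describe the shape of the problem: a recursive FTP mirror honours a listing that contains a symlink, then a directory of the same name, so later file writes go through the link to wherever it points. The Python below is an added example written for this page, not wget's code or the Metasploit module: `plan_mirror` checks a parsed listing before anything touches disk (refusing to create links at all, treating them as regular files the way wget's `retr-symlinks=on` setting does, and flagging the name collision and any write that would pass through a link), and `audit_tree` checks an already downloaded tree for symlinks that resolve outside the mirror root. The listing entries, the `/srv/mirror` root and the temporary tree are constructed sample data.

```python
"""Defensive checks for recursive FTP mirroring (added example, not wget code)."""
import os
import posixpath
import tempfile

# Constructed listing as a client would parse it from an FTP LIST reply:
# (relative path, kind, symlink target or None). Entry 2 and 3 share a name,
# the shape described in the thread; entry 4 would be written through the link.
SAMPLE_LISTING = [
    ("pub/README", "file", None),
    ("pub/data", "link", "/home/victim"),    # points outside the mirror root
    ("pub/data", "dir", None),               # same name again, now a directory
    ("pub/data/.bashrc", "file", None),      # write that would go through the link
    ("pub/docs", "link", "../pub/README"),   # relative link staying inside the tree
]


def resolve_link(root: str, link_path: str, target: str) -> str:
    """Lexically compute where a symlink at root/link_path -> target would land."""
    link_dir = posixpath.dirname(posixpath.join(root, link_path))
    # posixpath.join discards link_dir when target is absolute, which is what we want.
    return posixpath.normpath(posixpath.join(link_dir, target))


def inside_root(root: str, path: str) -> bool:
    """True if path equals root or lies strictly beneath it."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def plan_mirror(listing, root="/srv/mirror"):
    """Return (actions, findings): safe filesystem actions to perform, and the
    listing entries that would have been dangerous to honour as sent."""
    actions, findings, seen = [], [], {}
    for rel, kind, target in listing:
        full = posixpath.normpath(posixpath.join(root, rel))
        if not inside_root(root, full):
            findings.append(f"path traversal: {rel}")
            continue
        if rel in seen and seen[rel] != kind:
            findings.append(f"name reused with different type: {rel} ({seen[rel]} then {kind})")
            continue
        # Refuse any entry whose parent was presented as a link: that is the
        # write-through-symlink step of the attack.
        if any(rel.startswith(p + "/") for p, k in seen.items() if k == "link"):
            findings.append(f"write through symlink: {rel}")
            continue
        seen[rel] = kind
        if kind == "link":
            if not inside_root(root, resolve_link(root, rel, target)):
                findings.append(f"symlink escapes root: {rel} -> {target}")
            # Never materialise a link from the server; fetch its content as a file.
            actions.append(("fetch_as_file", full))
        elif kind == "dir":
            actions.append(("mkdir", full))
        else:
            actions.append(("fetch", full))
    return actions, findings


def audit_tree(root: str) -> list:
    """Walk a downloaded tree without following links and report every symlink
    whose real target lies outside root (relative paths, sorted)."""
    root_real = os.path.realpath(root)
    bad = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                target = os.path.realpath(p)
                if not (target == root_real or target.startswith(root_real + os.sep)):
                    bad.append(os.path.relpath(p, root))
    return sorted(bad)


def demo_tree() -> list:
    """Build a constructed mirror tree (POSIX symlinks assumed) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pub = os.path.join(tmp, "pub")
        os.makedirs(pub)
        open(os.path.join(pub, "README"), "w").close()
        os.symlink(tempfile.gettempdir(), os.path.join(pub, "data"))  # escapes root
        os.symlink("README", os.path.join(pub, "docs"))                # stays inside
        return audit_tree(tmp)


if __name__ == "__main__":
    acts, finds = plan_mirror(SAMPLE_LISTING)
    print("actions:", acts)
    print("findings:", finds)
    print("escaping links in demo tree:", demo_tree())
```

`plan_mirror` is the check to run before a mirror is written; `audit_tree` is the one to run over trees fetched by an unpatched client, since a link that already resolves outside the root is exactly the precondition the attack needs for its later writes.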

  13. 2014 - Year of The *nix Exploits? by Anonymous Coward · · Score: 0

    What the hell is going on?

    1. Re:2014 - Year of The *nix Exploits? by __aaclcg7560 · · Score: 1

      Everyone and their script kiddy grandmothers have claimed Windows as their own. If you want to earn your hacker creds these days, you need to go after *nix.

    2. Re:2014 - Year of The *nix Exploits? by Anonymous Coward · · Score: 0

      I go after *dows.

  14. Is busybox wget vulnerable? by emil · · Score: 1

    I can't tell from their website.

    1. Re:Is busybox wget vulnerable? by Anonymous Coward · · Score: 0

      I would guess it's not. The vulnerability occurs when recursively pulling ftp directories and pulling symlinks. Busybox's wget doesn't support recursion. Or didn't in v1.22.1 at least.

  15. Heartbleed, poodle, shellshock by Anonymous Coward · · Score: 1

    Where's the catchy buzzword to scare management?

  16. Not a problem if you have MAC by rgms · · Score: 1

    This is why I use AppArmor

  17. running strings on bad file also unsafe by throwaway18 · · Score: 2

    Slightly related;
    Lcamtuf writes that running strings over a maliciously crafted file can probably result in code execution on your system.

    http://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted-files.html

    The big picture is nothing new: when you use software, particularly software which is written in C/C++, to process data from untrustworthy sources there is a reasonable chance of hard to spot security vulnerabilities.

    1. Re:running strings on bad file also unsafe by squiggleslash · · Score: 2

      Does anyone run "strings" on files they know enough to "trust"? It's essentially a "What the hell is this file? Let me see if it has any useful text strings in it that might give me a hint" tool.

      --
      You are not alone. This is not normal. None of this is normal.
  18. Danger! Panic! Linux is bad! by Anonymous Coward · · Score: 0

    Another media hype spree for a tempest in a teacup. Anyone who uses FTP these days has got to expect bad things to happen, and this bug is triggered under bizarre circumstances.

  19. Debian updates by lord_rob+the+only+on · · Score: 1

    Well as I read this article, I just apt-get upgrade my system and voilà, vulnerability fixed. This is not to say "haha Debian p0wnz you" because any *serious* distro would be that reactive, I just find that's awesome to have patches available so quickly after a flaw is found.

  20. So, will this new bug be called... by v3xt0r · · Score: 1

    "The Hot-link Injection"?? Sounds pretty spicy.

    --
    the only permanence in existence, is the impermanence of existence.