
posted by martyb on Wednesday October 29 2014, @04:42PM
from the getting-more-than-you-asked-for dept.

wget prior to 1.16 allows for an FTP server to write arbitrary files on the client side, with the permissions of the user running wget, when performing a recursive get using FTP.

Red Hat's bug report is here: https://bugzilla.redhat.com/show_bug.cgi?id=1139181 and notes:

It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP.

There is a workaround:

This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify --retr-symlinks command line option. Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally.

In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the following line:

  retr-symlinks=on
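The mitigation quoted above has two halves: either run a wget that is 1.16 or newer (where the default already changed), or make sure the wgetrc that wget reads turns retr-symlinks on. The following POSIX shell script is an added example, not code from the story, from Red Hat or from the wget project; it audits both conditions. The function names (version_lt, wgetrc_retr_symlinks, mitigated) are this example's own, the sample wgetrc is constructed, and the wgetrc parsing follows wget's documented rules that command names are case-, dash- and underscore-insensitive, that values may be on/off, yes/no or 1/0, and that a later line overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the SoylentNews story, Red Hat or the wget project).
# Defender-side audit helpers for the recursive-FTP symlink issue: is the
# installed wget older than 1.16, and does a wgetrc enable the documented
# mitigation (retr-symlinks=on)? All function names are this example's own.

# version_lt A B: succeed when major.minor of A is older than major.minor of B.
# Patch levels (1.16.1) are ignored, which is enough for the 1.16 cutoff.
version_lt() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# wgetrc_retr_symlinks FILE...: print "on", "off" or "unset" according to the
# last uncommented retr-symlinks line across the files, read in order (wget
# itself reads /etc/wgetrc first, then the user's file, so later wins).
# Command names are case-, dash- and underscore-insensitive; values may be
# on/off, yes/no or 1/0.
wgetrc_retr_symlinks() {
    [ $# -gt 0 ] || { echo unset; return 0; }      # no files: nothing set
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[-_ \t]/, "", key); key = tolower(key)
            gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
            if (key == "retrsymlinks")
                state = (val == "on" || val == "yes" || val == "1") ? "on" : "off"
        }
        END { if (state == "") state = "unset"; print state }
    ' "$@"
}

# mitigated VERSION FILE...: succeed when the symlink mitigation is in effect.
# Before 1.16 the default is off, so only an explicit "on" helps; from 1.16 the
# default is on, so only an explicit "off" reopens the issue.
mitigated() {
    ver=$1; shift
    state=$(wgetrc_retr_symlinks "$@")
    [ "$state" = "on" ] && return 0
    if version_lt "$ver" "1.16"; then
        return 1
    fi
    [ "$state" != "off" ]
}

# Constructed sample wgetrc (not a real system file): the second line
# overrides the first, exactly as wget would read it.
sample=$(mktemp) || exit 1
printf '# sample wgetrc\nretr_symlinks = off\nRetr-Symlinks = yes\n' > "$sample"
echo "sample wgetrc retr-symlinks: $(wgetrc_retr_symlinks "$sample")"
for v in 1.14 1.16; do
    if mitigated "$v" "$sample"; then echo "wget $v + sample wgetrc: mitigated"
    else echo "wget $v + sample wgetrc: EXPOSED"; fi
done
rm -f "$sample"

# Installed wget, if any: the version is the third word of the first line of
# `wget --version` ("GNU Wget 1.x.y built on ..."); rc files from the usual
# locations, global first so the user file takes precedence.
if command -v wget >/dev/null 2>&1; then
    installed=$(wget --version | head -n1 | awk '{ print $3 }')
    set --
    [ -r /etc/wgetrc ] && set -- /etc/wgetrc
    userrc=${WGETRC:-${HOME:-/nonexistent}/.wgetrc}
    [ -r "$userrc" ] && set -- "$@" "$userrc"
    if mitigated "$installed" "$@"; then echo "wget $installed: mitigated"
    else echo "wget $installed: EXPOSED, add retr-symlinks=on or upgrade to 1.16+"; fi
fi
```

The same check can be dropped into a mirroring cron job before the wget call: if `mitigated` fails, refuse to run the recursive fetch rather than rely on the operator remembering --retr-symlinks.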

Separately, Metasploit has released both a disclosure and a Metasploit module for testing.

[Update: Corrected story title and introduction.]

Related Stories

Bug in Wget Passes User's Real IP Even With Proxy Use (Such as Tor/TAILS)

"Just FYI, it appears there is a bug in wget while using a proxy that allows wget to be forced to use the FTP port and thereby unmask the user's IP (normal usage) or at least leak the user's network adapter IP (in TAILS)."

- Comment @Reddit:
https://www.reddit.com/r/TOR/comments/3hc02l/how_can_i_download_webm_videos_longer_than_30/cu6yzv5
https://archive.is/3YYo0

- Original discovery of bug @lists.gnu.org:
https://lists.gnu.org/archive/html/bug-wget/2015-08/msg00020.html
https://archive.is/Ah3Pg

- Reported to TAILS project development list (tails-dev):
https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html
https://archive.is/nPi5h

- First response @tails-dev
https://mailman.boum.org/pipermail/tails-dev/2015-August/009383.html
https://archive.is/derHC

Another bug in wget has been discussed on Soylentnews in the past.


  • (Score: 1, Informative) by Anonymous Coward on Wednesday October 29 2014, @04:53PM

    by Anonymous Coward on Wednesday October 29 2014, @04:53PM (#111246)

    From the summary (emphasis by me):

    wget prior to 1.16 allows for a web server to write arbitrary files on the client side when performing a recursive get using ftp.

    Sorry, no. The program that allows files to be accessed via FTP is called, quite aptly, FTP server. FTP servers existed already before the web was invented.

  • (Score: 2, Funny) by Anonymous Coward on Wednesday October 29 2014, @04:57PM

    by Anonymous Coward on Wednesday October 29 2014, @04:57PM (#111249)

    I've got a program called systemd that has been replacing all my daemons with crap. Beat that, wget developers!

    • (Score: 0) by Anonymous Coward on Wednesday October 29 2014, @05:31PM

      by Anonymous Coward on Wednesday October 29 2014, @05:31PM (#111268)

      Thanks to this bug, wget, when run as root, can be used by a malicious ftp server to replace your init system by systemd.

      • (Score: 0) by Anonymous Coward on Wednesday October 29 2014, @05:38PM

        by Anonymous Coward on Wednesday October 29 2014, @05:38PM (#111274)

        I think apt-get may be affected by the same bug, then. It also trashed my Debian system by installing systemd.

  • (Score: 0) by Anonymous Coward on Wednesday October 29 2014, @06:00PM

    by Anonymous Coward on Wednesday October 29 2014, @06:00PM (#111283)

    Prior to Version 1.16, wget Allows for a FTP Server to Write Arbitrary Files on the Client Side but only when running in recursive mode

    FTFY.

  • (Score: 2) by PizzaRollPlinkett on Wednesday October 29 2014, @06:24PM

    by PizzaRollPlinkett (4512) on Wednesday October 29 2014, @06:24PM (#111291)

    At least people can see why I had questions about the severity of the bash bug and whether it was a lot of hype or real. This is a very, very limited bug in one gonzo special case of wget, but is being echoed around the Internet as if any and all wget operations were affected. These bugs are often hyped out of existence, especially any bug which affects Linux. The media always exaggerates them.

    Don't think it ever occurred to me to use wget for FTP. I'd use an FTP client. In fact, I can't remember using FTP in the past decade or two. Even on my local network, I use sftp, because I am too lazy to set up an FTP server when I already have sftp.

    Anyway, if you're using FTP, you have to be comfortable with insecurity.

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 2) by frojack on Wednesday October 29 2014, @06:52PM

      by frojack (1554) on Wednesday October 29 2014, @06:52PM (#111305) Journal

      Agreed.
      Who uses wget to download entire directory structures? (They get what they deserve).

      It's used for quick and dirty single file fetches and it is no more powerful than the protocol it uses behind the scenes (http, ftp, etc).

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Wednesday October 29 2014, @08:27PM

      by Anonymous Coward on Wednesday October 29 2014, @08:27PM (#111338)

      This is a very, very limited bug in one gonzo special case of wget

      Indeed: running wget as root to recursively get stuff over ftp

      Try saying that quickly...

    • (Score: 2) by ticho on Wednesday October 29 2014, @10:44PM

      by ticho (89) on Wednesday October 29 2014, @10:44PM (#111373) Homepage Journal

      At least this one doesn't (yet) have a cool, ominous nickname. There is still hope.

  • (Score: 1) by dltaylor on Wednesday October 29 2014, @07:35PM

    by dltaylor (4693) on Wednesday October 29 2014, @07:35PM (#111324)

    In order to rewrite ANYTHING in the root of the filesystem, or any system files, you have to BE root. Unless you're re-populating a file system from an FTP server, you shouldn't be running a recursive wget as root, anyway. I've cloned a few backups with wget, although I prefer rsync, so there is a legitimate use case for this action.

  • (Score: 3, Informative) by cafebabe on Wednesday October 29 2014, @11:50PM

    by cafebabe (894) on Wednesday October 29 2014, @11:50PM (#111381) Journal

    When I tried adding features to wget, I found that it was a mess inside and requires re-factoring. If you wonder why wget spiders other websites after a re-direct, it is because the URL fetching routine is called from about six different places (URL from parameter, URL from file, recursive retrieval handling the quirks of each protocol) and the interface doesn't indicate if a re-direct occurred.

    I added the feature that I required but I left it with a memory leak. If you malloc() in one place and free() in six places then you're doing something wrong.

    --
    1702845791×2