# CVE-2014-4877 wget exploit



## wlanboy (Nov 3, 2014)

This is a small and nasty one: http://www.cvedetails.com/cve/CVE-2014-4877/



> Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.


The flaw is triggered when wget receives a directory listing that includes a symlink followed by a directory with the same name. The output of the LIST command would look like the following, which is not possible on a real FTP server.

```
lrwxrwxrwx  1 root    root          33 Nov 03  2014 BAD -> /
drwxrwxr-x  15 root    root        4096 Nov 03  2014 BAD
```

Wget would first create a local symlink named TARGET that points to the root filesystem. It would then enter the BAD directory and mirror its contents across the user's filesystem.



> Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch. If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line "retr-symlinks=on" to either /etc/wgetrc or ~/.wgetrc. This issue is only exploitable when running wget with recursive mode against an FTP server URL. Although an HTTP service can redirect wget to an FTP URL, it implicitly disables the recursive option after following this redirect, and is not exploitable in this scenario.


----------
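Added example, not part of any post in this thread and not wget's own code: a Python check that parses a Unix-style LIST response and flags any filename that appears both as a symlink and as a second entry, the pattern described in the first post. The function names and the benign sample listing are constructed for illustration.

```python
import re
from collections import defaultdict

# Unix-style LIST line: type+mode, links, owner, group, size, date, name.
LIST_RE = re.compile(
    r"^(?P<type>[-dlbcps])[-rwxsStT]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+(?P<name>.+)$"
)

# The two-entry listing quoted in the first post.
CVE_LISTING = """\
lrwxrwxrwx  1 root    root          33 Nov 03  2014 BAD -> /
drwxrwxr-x  15 root    root        4096 Nov 03  2014 BAD
"""

# Constructed benign listing: a symlink and a directory with different names.
BENIGN_LISTING = """\
-rw-r--r--  1 ftp     ftp          120 Nov 03 12:00 README
lrwxrwxrwx  1 ftp     ftp            6 Nov 03  2014 latest -> v1.16
drwxr-xr-x  2 ftp     ftp         4096 Nov 03  2014 v1.16
"""

def parse_list(listing):
    """Yield (type_char, name, link_target) for each parsable LIST line."""
    for line in listing.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue  # skip "total N" lines and non-Unix formats
        name, target = m["name"], None
        if m["type"] == "l" and " -> " in name:
            name, target = name.split(" -> ", 1)
        yield m["type"], name, target

def suspicious_entries(listing):
    """Return one finding per name listed as a symlink and as another entry."""
    seen = defaultdict(list)
    for ftype, name, target in parse_list(listing):
        seen[name].append((ftype, target))
    findings = []
    for name, entries in seen.items():
        types = {t for t, _ in entries}
        if "l" in types and len(entries) > 1:
            targets = [tg for t, tg in entries if t == "l"]
            findings.append({
                "name": name,
                "types": sorted(types),
                "symlink_targets": targets,
                "absolute_target": any(tg.startswith("/") for tg in targets if tg),
            })
    return findings
```
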



## HalfEatenPie (Nov 4, 2014)

sounds like fun on the bun!


----------



## wlanboy (Nov 4, 2014)

It might change the way mirrors are handled.

More will change to ssh-based access.


----------



## rds100 (Nov 4, 2014)

No one uses wget for mirrors nowadays, usually it's rsync instead.


----------



## fixidixi (Nov 4, 2014)

@rds100

well, I'm no one

and I guess a whole bunch of companies who don't get to modify their current working codebase on a daily basis are no one too


----------



## Licensecart (Nov 4, 2014)

I use `curl -O url` lately, not sure why though haha.


----------



## raindog308 (Nov 4, 2014)

This could certainly foul up a filesystem tree but unless I'm missing something, the wget client still can't get to things it shouldn't be able to get to.  In other words, the client may be misdirected to root, but that doesn't mean he can override Unix permissions.


----------



## TheLinuxBug (Nov 4, 2014)

I believe the issue would be if it was run as root, not as a regular user @raindog308.  Obviously a user account would not have enough access to do any damage, but if done as root, I can see how this could end up causing you a few hours of unhappiness if you were to fall prey to someone who set up their FTP in such a way.  Though, in the end, it really begs the question of who would be malicious enough to set up an FTP in such a way, as it would have to be done on purpose.

I would assume the issue here would be either it overwriting your system making your system not work, or by overwriting files like passwd and shadow (if run as root) to provide access to the malicious host.  All in all, someone would have to have malicious intent against you for this to happen it looks like, as I don't see a way to set it up like this 'by accident'.

Cheers!


----------

