Wget CVE-2016-4971: Arbitrary File Upload

CVE-2016-4971 [Arbitrary File Upload / Potential Remote Code Execution]

Severity: High (versions below 1.18).

All versions of Wget before 1.18, the release that contains the fix, are affected.

1. GNU Wget before 1.18, when supplied with a malicious URL (pointing to a malicious or compromised web server), can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and file name, under the current directory and possibly other directories (for example by writing to .wgetrc).
2. This can lead to remote code execution and even root privilege escalation if wget is run from a root cronjob, as is often the case in many web application deployments.
3. It can also be exploited by an attacker who is able to intercept or modify the network traffic.

Because wget does not validate the file name it derives from a redirect, downloading a link from a remote server controlled by an attacker can create an arbitrary file with arbitrary contents and file name: the server answers the victim's wget request with a crafted HTTP 30X redirect that points to an FTP server reference, and wget names the saved file after that attacker-chosen FTP URL.
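To make the redirect behaviour concrete, here is an added Python model of the file-naming decision (this is illustrative code written for this page, not wget's source). It assumes a simplified naming rule (last path component of the URL, `index.html` when the path is empty) and models the 1.18 fix as "a redirect to FTP no longer changes the local file name", which is what the upstream change does unless `--trust-server-names` is given. The `redirect_is_suspicious` helper shows the checks a download wrapper or egress proxy can apply to flag such a redirect; the URLs in it are constructed examples.

```python
import posixpath
from urllib.parse import urlsplit, unquote


def local_filename(url: str) -> str:
    """Derive the local file name the way a simple downloader does: the last
    path component of the URL, percent-decoded, with "index.html" as the
    fallback for an empty path such as "http://host/"."""
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path) or "index.html"


def output_name_after_redirect(original_url: str, final_url: str, fixed: bool) -> str:
    """Model of which URL names the saved file after a redirect.

    fixed=False models wget < 1.18: a redirect to an FTP URL takes the file
    name from that FTP URL, i.e. from a server the attacker controls.
    fixed=True models wget 1.18 (without --trust-server-names): the original
    URL names the file regardless of the redirect target.
    HTTP-to-HTTP redirects already used the original URL's name before 1.18;
    only the FTP code path lacked that protection.
    """
    final_scheme = urlsplit(final_url).scheme.lower()
    if not fixed and final_scheme == "ftp":
        return local_filename(final_url)
    return local_filename(original_url)


def redirect_is_suspicious(original_url: str, final_url: str) -> list:
    """Defender-side check for a download wrapper or proxy: reasons to refuse
    or flag a redirect before letting the client name the file after it."""
    reasons = []
    orig_scheme = urlsplit(original_url).scheme.lower()
    final_scheme = urlsplit(final_url).scheme.lower()
    if orig_scheme in ("http", "https") and final_scheme == "ftp":
        reasons.append("HTTP redirect downgrades to FTP")
    name = local_filename(final_url)
    if name != local_filename(original_url):
        reasons.append("redirect changes file name to %r" % name)
    if name.startswith("."):
        reasons.append("redirect target is a dotfile (%r)" % name)
    return reasons


if __name__ == "__main__":
    # Constructed example: a legitimate-looking download redirected to an
    # attacker-controlled FTP server that supplies a .wgetrc.
    requested = "http://downloads.example.test/update.tar.gz"
    redirected = "ftp://attacker.example.test/.wgetrc"
    print("wget < 1.18 saves:", output_name_after_redirect(requested, redirected, fixed=False))
    print("wget 1.18 saves:  ", output_name_after_redirect(requested, redirected, fixed=True))
    for reason in redirect_is_suspicious(requested, redirected):
        print("flag:", reason)
```

The pre-fix path saves `.wgetrc` in the working directory of the wget process; if that process is a cron job running from root's home directory, the attacker-supplied .wgetrc then applies to every later wget invocation, which is how the file write escalates into the code-execution scenario described above.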

ubuntusyn:~/test/blog$ wget --version | head -n1
GNU Wget 1.15 built on linux-gnu.
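For auditing more than one host, the banner above can be parsed and compared against the fixed release. The following Python is an added example, not part of the original post; it treats anything below upstream 1.18 as affected, except for the Ubuntu package versions that the patch table further down lists as released, since those carry the fix while keeping an older upstream banner. Any other distribution package version falls back to the banner comparison, so on a platform without a backport (the Red Hat rows below) the banner is the authoritative signal. The inventory in the usage block is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Banner printed by "wget --version | head -n1", e.g. "GNU Wget 1.15 built on linux-gnu."
BANNER_RE = re.compile(r"GNU Wget (\d+)\.(\d+)(?:\.(\d+))?")

# First upstream release containing the fix for CVE-2016-4971.
FIXED_UPSTREAM = (1, 18, 0)

# Distribution packages that backport the fix while reporting an older
# upstream version (the Ubuntu package versions from the patch table).
BACKPORTED_FIXED_PACKAGES = {
    "1.13.4-2ubuntu1.4",        # Ubuntu 12.04 LTS
    "1.15-1ubuntu1.14.04.2",    # Ubuntu 14.04 LTS
    "1.16.1-1ubuntu1.1",        # Ubuntu 15.10
    "1.17.1-1ubuntu1.1",        # Ubuntu 16.04 LTS
    "1.17.1-1ubuntu2",          # Ubuntu 16.10
}


def parse_wget_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the wget version banner."""
    match = BANNER_RE.search(banner)
    if match is None:
        raise ValueError("not a wget version banner: %r" % banner)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(banner: str, package_version: Optional[str] = None) -> bool:
    """True when the host still needs action for CVE-2016-4971.

    A known backported package version wins over the banner; otherwise the
    upstream version in the banner decides.
    """
    if package_version in BACKPORTED_FIXED_PACKAGES:
        return False
    return parse_wget_version(banner) < FIXED_UPSTREAM


def audit(inventory: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """inventory maps host -> (banner, package version or None).
    Returns the sorted list of hosts that are still affected."""
    return sorted(host for host, (banner, pkg) in inventory.items() if is_vulnerable(banner, pkg))


if __name__ == "__main__":
    # Constructed inventory: banner from "wget --version | head -n1" and, where
    # available, the package version from "dpkg-query -W -f='${Version}' wget".
    hosts = {
        "web-01": ("GNU Wget 1.15 built on linux-gnu.", None),
        "web-02": ("GNU Wget 1.15 built on linux-gnu.", "1.15-1ubuntu1.14.04.2"),
        "build-01": ("GNU Wget 1.18 built on linux-gnu.", None),
        "rhel-01": ("GNU Wget 1.14 built on linux-gnu.", "1.14-10.el7"),
    }
    for host in audit(hosts):
        print("needs wget >= 1.18 (or a backported fix):", host)
```

Note that the banner alone over-reports on distributions that backport fixes, which is why the package version is consulted first; the set of patched package versions should be kept in step with the distribution's own advisory rather than extended by guesswork.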

Solution:
Update wget to version 1.18

Patch lists:

Ubuntu:

Ubuntu 12.04 LTS (Precise Pangolin) = released (1.13.4-2ubuntu1.4)
Ubuntu 14.04 LTS (Trusty Tahr) = released (1.15-1ubuntu1.14.04.2)
Ubuntu Touch 15.04 = needed
Ubuntu Core 15.04 = does not exist
Ubuntu 15.10 (Wily Werewolf) = released (1.16.1-1ubuntu1.1)
Ubuntu 16.04 LTS (Xenial Xerus) = released (1.17.1-1ubuntu1.1)
Ubuntu 16.10 (Yakkety Yak) = released (1.17.1-1ubuntu2)

Red Hat:

Red Hat Enterprise Linux 6 = Will not fix
Red Hat Enterprise Linux 7 = Fix deferred
Red Hat Enterprise Linux 5 = Will not fix

Ubuntu:
No PPA or repository currently provides Wget 1.18, so it has to be installed manually.

The steps below walk through a manual installation of GNU Wget 1.18 from source.

root@ubuntusyn:/usr/local/src# apt-get update
root@ubuntusyn:/usr/local/src# apt-get build-dep wget

root@ubuntusyn:/usr/local/src# wget http://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz

root@ubuntusyn:/usr/local/src# tar -xvf wget-1.18.tar.gz
root@ubuntusyn:/usr/local/src# cd wget-1.18
root@ubuntusyn:/usr/local/src/wget-1.18# ./configure --with-ssl=openssl --prefix=/opt/wget
root@ubuntusyn:/usr/local/src/wget-1.18# make
root@ubuntusyn:/usr/local/src/wget-1.18# make install

root@ubuntusyn:/usr/local/src/wget-1.18# /opt/wget/bin/wget -V | head -n1
GNU Wget 1.18 built on linux-gnu.

root@ubuntusyn:/usr/bin# mv wget wget_v1.15
root@ubuntusyn:/usr/bin# ln -s /opt/wget/bin/wget /usr/bin/wget
root@ubuntusyn:/usr/bin# wget -V | head -n1
GNU Wget 1.18 built on linux-gnu.

Urolime Technologies has made groundbreaking accomplishments in the field of Google Cloud & Kubernetes Consulting, DevOps Services, 24/7 Managed Services & Support, Dedicated IT Team, Managed AWS Consulting and Azure Cloud Consulting. We believe our customers are Smart to choose their IT Partner, and we “Do IT Smart”.