
Security CVE-2014-4877: Wget FTP Symlink Attack Vulnerability

Discussion in 'CentOS, Redhat & Oracle Linux News' started by pamamolf, Oct 30, 2014.

  1. pamamolf

    pamamolf Premium Member Premium Member

    4,070
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    3:59 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    The open-source Wget application, which is most widely used on Linux and Unix systems for retrieving files from the web, has been found vulnerable to a critical flaw.

    GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS.

    When performing a recursive directory fetch with an FTP server as the target, it would let an attacker "create arbitrary files, directories or symbolic links" due to a symlink flaw.

    IMPACT OF SYMLINK ATTACK
    "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.

    A remote unauthenticated malicious FTP server connected to the victim via wget would allow attackers to do anything they wanted. Wget could download and create or overwrite existing files within the context of the user running wget.

    The vulnerability was first reported to the GNU Wget project by HD Moore, chief research officer at Rapid7, and is publicly identified as CVE-2014-4877. The flaw is considered critical since wget is present on nearly every Linux server in the world, and is installable (although not by default) on OS X machines as well, so it needs a patch as soon as possible.

    PATCH AVAILABLE
    The vulnerability has now been fixed by the Wget project in wget 1.16, which blocks the default setting that allowed the setting of local symlinks. "This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys," Moore wrote.

    WORKAROUND AVAILABLE EXPLOIT
    "Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch," Moore said.
    "This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify --retr-symlinks command line option," wrote Tomas Hoger on the Bugzilla report. "Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally."

    "In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"



    Why, when I just run yum install wget, is the new version not available on CentOS? :(
    I can see only this: 1.12-5.el6 as new, and not 1.16 :(
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,614
    12,139
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,683
    Local Time:
    10:59 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    CentOS and Redhat nearly always backport patches, keeping the same major version number with a minor build number appended to the end.

    You can use the rpm --changelog command to see if the patch has been backported; in this case 1.12-5.el6 has not yet had a fix backported.
    Code:
    rpm -qa --changelog | head -n20
    * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-2
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
    
    * Thu Mar 27 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.5-1
    - Update to upstream version 2.5
    
    * Wed Mar 26 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.4-4
    - Add patch for performance regression during compression
    
    * Wed Mar 26 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.4-3
    - Fix a typo in compression order block patch
    
    * Wed Mar 26 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.4-2
    - Add patch fixing block ordering during compression
    
    * Mon Mar 24 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.4-1
    - Update to upstream version 2.4
    
    * Sun Dec 22 2013 Ville Skyttä <ville.skytta@iki.fi> - 2.3-3
    - Drop INSTALL from docs.
    Grepping for CVE-2014-4877 finds nothing:
    Code:
    rpm -qa --changelog | grep -C3 CVE-2014-4877
    According to the Redhat bug they have no intention of fixing it: Bug 1139181 – CVE-2014-4877 wget: FTP symlink arbitrary filesystem access, and access.redhat.com | CVE-2014-4877

    from Metasploit: R7-2014-15: GNU Wget FTP Symlink Ar... | SecurityStreet

     
  3. eva2000

    So basically the workaround for CVE-2014-4877 is to add retr-symlinks=on to the /etc/wgetrc config file.

    This can easily be done via SSH commands:
    Code:
    echo -e "\n# prevent SYMLINK attack CVE-2014-4877" >> /etc/wgetrc
    echo "retr-symlinks=on" >> /etc/wgetrc
    Then check it was added:
    Code:
    cat /etc/wgetrc | grep -C2 symlink
    
    # prevent SYMLINK attack CVE-2014-4877
    retr-symlinks=on
    If you just want all 3 commands:
    Code:
    echo -e "\n# prevent SYMLINK attack CVE-2014-4877" >> /etc/wgetrc
    echo "retr-symlinks=on" >> /etc/wgetrc
    cat /etc/wgetrc | grep -C2 symlink
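
The workaround quoted in the first post and scripted above writes only /etc/wgetrc. wget reads that system-wide file first and then the user's ~/.wgetrc, and a later setting overrides an earlier one, so a per-user retr-symlinks=off (or a stray earlier line) would silently undo the fix, and appending blindly stacks duplicate lines on every re-run. The following is an added example, not code from the thread or from the Centmin Mod project: a POSIX shell helper that sets retr-symlinks=on idempotently and a checker that reports the effective value across rc files in read order. It assumes the Red Hat/CentOS path /etc/wgetrc; the function names, RS_PATTERN and MARKER are this example's own, and accepting the option name in any case with a dash or underscore is an assumption about wget's rc parser.

```shell
# Added example (not from the thread): idempotent retr-symlinks hardening plus an
# effective-value check across wgetrc files. Assumes the Red Hat/CentOS path
# /etc/wgetrc; dash/underscore and case tolerance in the option name is an
# assumption about wget's rc parser.

# Matches a (non-comment) retr-symlinks setting line, any case, dash or underscore.
RS_PATTERN='^[[:space:]]*retr[-_]?symlinks[[:space:]]*='
MARKER='# prevent SYMLINK attack CVE-2014-4877'

# Print the effective retr-symlinks value ("on", "off", "unset" or a raw value)
# from the rc files given as arguments, read in order: later files and later
# lines override earlier ones, as wget does with /etc/wgetrc then ~/.wgetrc.
effective_retr_symlinks() {
    cat "$@" 2>/dev/null | awk '
        { line = $0; sub(/#.*/, "", line) }               # strip comments
        tolower(line) ~ /^[ \t]*retr[-_]?symlinks[ \t]*=/ {
            split(line, kv, "=")
            v = kv[2]; gsub(/[ \t]/, "", v); v = tolower(v)
            if (v ~ /^(on|yes|1)$/)       val = "on"     # wget boolean spellings
            else if (v ~ /^(off|no|0)$/)  val = "off"
            else                          val = v
        }
        END { print (val == "") ? "unset" : val }
    '
}

# Force retr-symlinks=on in FILE. Existing retr-symlinks lines (and an earlier
# copy of the marker comment) are removed first, so re-running leaves exactly
# one setting line instead of appending duplicates. The file is rewritten in
# place through a temp copy so its mode and owner are preserved.
set_retr_symlinks_on() {
    file="$1"
    tmp="${file}.tmp.$$"
    {
        if [ -f "$file" ]; then
            grep -v -i -E -e "$RS_PATTERN" -e "^$MARKER\$" "$file" || true
        fi
        printf '%s\nretr-symlinks=on\n' "$MARKER"
    } > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Stand-alone use: harden the rc file named on the command line and report the
# effective value once the user's ~/.wgetrc has been layered on top of it.
if [ "$#" -gt 0 ]; then
    set_retr_symlinks_on "$1"
    printf 'effective retr-symlinks: %s\n' "$(effective_retr_symlinks "$1" "$HOME/.wgetrc")"
fi
```

Run it as root with the rc path as the argument (`sh harden-wgetrc.sh /etc/wgetrc`); when the report says anything other than `on`, a user-level ~/.wgetrc is overriding the system setting and needs the same treatment. Scripts that invoke wget with an explicit `--retr-symlinks` are unaffected by either file, since the command line takes precedence.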
     
  4. pamamolf

    Great info thanks :)
     
  5. eva2000

    You're welcome and thanks for the heads up.. just updated all 25+ of my servers via the 3 commands :D
     
  6. pamamolf

    Great :)

    Is it OK if I share your commands on another site so other people can fix it also?
     
  7. eva2000

    no probs.. just be aware if it's non-Redhat/CentOS, the wgetrc file could be located elsewhere
     
    Last edited: Oct 31, 2014
  8. eva2000

    Seems there's progress for Redhat 6 and 7 too

    For Redhat 6.x
    Code:
    x86_64:
    wget-1.12-5.el6_6.1.x86_64.rpm        MD5: b535a8f09565abbec099b0d62f192dba
    SHA-256: eeaeb4e4f7bd04aa25d192a756b39fa47935cd46116c2461bb5e60637b5568e1
    wget-debuginfo-1.12-5.el6_6.1.x86_64.rpm        MD5: 73aee304801bbe248e03ce985602aec1
    SHA-256: a3d70ae848293249cbade130ef5e1b764b28fd5e5d04e5845eff9f92ad01e822
    For Redhat 7.x
    Code:
    x86_64:
    wget-1.14-10.el7_0.1.x86_64.rpm        MD5: a3884a3070c8388566c6aeef2ea73aa3
    SHA-256: 85596955529dc357e1027276169b43682dee1cd0f1138691dbc28966716b4356
    wget-debuginfo-1.14-10.el7_0.1.x86_64.rpm        MD5: 74e82b2e0c11bc47fdb53a78a6211534
    SHA-256: d8298278dad2950f3930f6056f5d80e5dbd2c3dc7179fa47c192d69d37f12454
    For a CentOS 7 server, I am seeing an update:
    Code:
    yum list wget -q
    Installed Packages
    wget.x86_64                                                               1.14-10.el7                                                                    @base
    Available Packages
    wget.x86_64                                                               1.14-10.el7_0.1                                                                updates
    but nothing in the changelog after install/update

    Code:
     yum list wget -q
    Installed Packages
    wget.x86_64                                                               1.14-10.el7_0.1                                                               @updates
    Code:
     rpm -qa --changelog| head -n20
    * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.98-243
    - Mass rebuild 2013-12-27
    
    * Wed Nov 21 2012 Jitka Plesnikova <jplesnik@redhat.com> - 0.98-242
    - Update dependencies and comments
    Same with CentOS 6 and updated wget package 1.12-5.el6_6.1.x86_64 - there's no change log entry although there was an update

    I have yum-cron enabled for auto yum daily updates

    Code:
     yum history info 111
    Loaded plugins: downloadonly, fastestmirror, priorities
    Transaction ID : 111
    Begin time     : Fri Oct 31 03:48:23 2014
    Begin rpmdb    : 473:0d7cded8a95b3a3b20a4fec95552e21364d77c08
    End time       :            03:48:24 2014 (1 seconds)
    End rpmdb      : 473:310ac869145a8ff747c483e7cf7b6cfb0ca07097
    User           : root <root>
    Return-Code    : Success
    Command Line   : -e 0 -d 0 -y shell /etc/yum/yum-daily.yum
    Additional non-default information stored: 1
    Transaction performed with:
        Installed     rpm-4.8.0-37.el6.x86_64                       @anaconda-CentOS-201311291202.x86_64/6.5
        Installed     yum-3.2.29-60.el6.centos.noarch               @base
        Installed     yum-plugin-fastestmirror-1.1.30-30.el6.noarch @base
    Packages Altered:
        Updated wget-1.12-5.el6.x86_64     @base
        Update       1.12-5.el6_6.1.x86_64 @updates
    History info:
    Code:
    yum history
    Loaded plugins: downloadonly, fastestmirror, priorities
    ID     | Login user               | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
       111 | root <root>              | 2014-10-31 03:48 | Update         |    1
       110 | root <root>              | 2014-10-30 03:21 | I, U           |  154 EE
       109 | root <root>              | 2014-10-30 03:20 | Update         |    1 EE
       108 | root <root>              | 2014-10-17 03:14 | Update         |    2
       107 | root <root>              | 2014-10-10 04:26 | Update         |    6 EE
       106 | root <root>              | 2014-10-05 23:56 | Install        |    2
       105 | root <root>              | 2014-10-05 19:49 | Install        |    1
       104 | root <root>              | 2014-10-04 03:17 | Update         |    1
       103 | root <root>              | 2014-10-01 04:29 | Update         |    4
       102 | root <root>              | 2014-09-27 04:08 | Update         |    6
       101 | root <root>              | 2014-09-26 04:31 | Update         |    1
       100 | root <root>              | 2014-09-25 09:43 | Install        |    1
        99 | root <root>              | 2014-09-24 17:52 | I, U           |   10
        98 | root <root>              | 2014-09-16 08:17 | Install        |    2
        97 | root <root>              | 2014-09-16 08:17 | Install        |    1
        96 | root <root>              | 2014-09-10 22:37 | Install        |    1
        95 | root <root>              | 2014-09-08 18:01 | Update         |   12
        94 | root <root>              | 2014-09-08 18:01 | Erase          |    2
        93 | root <root>              | 2014-08-14 06:13 | I, U           |   32 EE
        92 | root <root>              | 2014-06-30 15:40 | Install        |    4   
    Code:
     rpm -qa --changelog| head -n20           
    * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-2
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
    
    * Thu Mar 27 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.5-1
    - Update to upstream version 2.5
     
    Last edited: Oct 31, 2014
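
A note on the changelog checks in this thread: `rpm -qa --changelog` prints the changelog of every installed package, so `head -n20` shows whichever package rpm lists first (the 2.5-2 Fedora entries above are not wget's), which is why nothing wget-related appears even after the update. The per-package form is `rpm -q --changelog wget`. The snippet below is an added example, not from the thread or from the Centmin Mod project: a POSIX shell function that reads changelog text on standard input and prints the build version from the newest entry mentioning a given CVE id (rpm lists entries newest first), returning non-zero when no entry does. The embedded changelog text is constructed sample data with a placeholder maintainer address; the build versions are the ones named in this thread, and the function names are this example's own.

```shell
# Added example (not from the thread): find which package build mentions a CVE
# in an rpm changelog. Changelog text is read on standard input.

# Print the version from the "* <date> <packager> - <version>" header of the
# newest changelog entry mentioning CVE_ID; exit 1 if no entry does.
changelog_fix_version() {
    awk -v cve="$1" '
        /^\* /          { ver = $NF }                   # header: version is last field
        index($0, cve)  { print ver; found = 1; exit }  # first (newest) mention wins
        END             { exit (found ? 0 : 1) }
    '
}

# Real-host wrapper: rpm -q --changelog queries one package by name instead of
# every installed package as rpm -qa --changelog does.
package_fix_version() {
    rpm -q --changelog "$1" | changelog_fix_version "$2"
}

# Constructed sample changelog (not real Red Hat changelog text): the maintainer
# address is a placeholder; the build versions are those listed in the thread.
SAMPLE_CHANGELOG='* Thu Oct 30 2014 Example Maintainer <maint@example.invalid> - 1.12-5.el6_6.1
- Resolves: CVE-2014-4877 wget: FTP symlink arbitrary filesystem access (constructed entry)

* Tue Jan 01 2013 Example Maintainer <maint@example.invalid> - 1.12-5.el6
- earlier build (constructed entry)'

# Stand-alone demonstration against the constructed sample.
if v=$(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fix_version CVE-2014-4877); then
    echo "CVE-2014-4877 is mentioned in build $v"
else
    echo "CVE-2014-4877 is not mentioned in the changelog"
fi
```

On a real CentOS 6 host the check becomes `package_fix_version wget CVE-2014-4877`; an exit status of 1 means the installed build's changelog never mentions the CVE, which is the signal to keep the retr-symlinks=on workaround in place rather than rely on the package. A changelog mention is only as good as the packager's notes, so the `yum history` transaction evidence shown above remains worth keeping alongside it.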
  9. Afterward

    Afterward Member

    94
    29
    18
    Jul 20, 2014
    Ratings:
    +29
    Local Time:
    1:59 AM
    1.7.5
    5.5
    Thanks guys, just updated my vps.