Review your cronjobs for rogue wget downloads. On June 9, the GNU wget project released version 1.18 of its famous file downloading package, following a report from security researcher Dawid Golunski and SecuriTeam.
Almost a month later, the reported vulnerability (CVE-2016-4971) is still not patched in all Linux distros that include this utility in their standard packages.
GNU wget flaw leads to RCE
Golunski explains in an advisory that a malicious actor could trick a wget file download process into executing code on someone’s Linux machine.
“The vulnerability could potentially [be] abused by attackers to upload arbitrary files and achieve code execution,” Dawid Golunski told Softpedia in an email.
GNU wget, which is a Linux command-line utility for silently downloading content, has support for URL redirections, in case a link has changed across time.
GNU wget doesn’t rename files when redirected to FTP links
Golunski discovered that wget doesn’t properly handle file names when redirected from an initial HTTP URL to an FTP link.
For example, an attacker in control of a server from where files are regularly downloaded via wget can use 302 redirects on their files. A user running the “wget http://attackers-server/safe_file.txt” command would be redirected to download “ftp://attackers-server/.bash_profile” instead.
In normal HTTP to HTTP redirects, GNU wget will rename the second file with the name of the original file (.bash_profile to safe_file.txt) in order to prevent RCE (Remote Code Execution). For HTTP to FTP links, wget doesn’t include this safety mechanism. This issue affects all GNU wget versions prior to the patched 1.18 version.
Since wget commands are used regularly in scripts that most of the time execute the downloaded file automatically, this opens the door for a new wave of possible attacks. Cronjobs where wget is the preferred method of downloading content should be reviewed by all sysadmins.
Patching slow for affected Linux distros
But while the GNU wget project has done its duty, some Linux distros are lagging behind when it comes to updates. Golunski says that only Ubuntu has included GNU wget 1.18 (as wget 1.17-1) in its distro updates where wget was included. Rolling distros like Arch Linux have already patched the issue since mid-June.
Debian, another popular Linux OS, especially with networking specialists, is in the process of fixing the issue. Wget 1.18 is currently included in the latest “testing” and “unstable” branches.
Red Hat, on the other hand, has deferred fixing the issue in its 7.x branch, while it also announced a “nofix” for the wget issue on older 6.x and 5.x versions.
Even if CVE-2016-4971 has received a high severity score, the speed of the patching process is slower than usual, according to Softpedia’s Linux editor Marius Nestor.
“The important part is that wget has released a new version 1.18 so affected users can always download the official sources if they are affected and want to be on a safe side,” the researcher also told Softpedia via email.
Both Golunski and SecuriTeam have published security advisories containing details about the vulnerability and proof-of-concept exploit code to raise awareness to this issue, that remains largely unpatched, even if exploitation is script-kiddie-level trivial.