This Metasploit module exploits a vulnerability in Wget when used in recursive (-r) mode with a FTP server as a destination. A symlink is used to allow arbitrary writes to the targets filesystem. To specify content for the file, use the "file:/path" syntax for the TARGET_DATA option. Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.
62612ba79d628f891d445243f96df2b5c091fbe819429ee2b1fcf90c6a1f031fHP Security Bulletin HPSBMU03691 1 - Several potential security vulnerabilities have been identified in HPE Insight Control. The vulnerabilities could be exploited remotely resulting in remote denial of Service (DoS), cross-site request forgery (CSRF), remote execution of arbitrary commands, disclosure of sensitive information, cross-site scripting (XSS), bypass access restriction or unauthorized modification. Revision 1 of this advisory.
5a6300cd07db8aac889b73990a0bf5f4d05a4d50059bb2513a0f1e88ece0ae94HP Security Bulletin HPSBMU03685 1 - Multiple potential security vulnerabilities have been identified in HPE Insight Control server provisioning (ICsp) software. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS), arbitrary code execution, arbitrary command execution, unauthorized access to files or disclosure of sensitive information. Revision 1 of this advisory.
7c572b3e24df1d149872d9d6f48b13a5c0031cc58055e6a8a1c95b1c448324e2Mandriva Linux Security Advisory 2015-121 - Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. The default settings in wget have been changed such that wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the wget command.
59bdc8205dc2a955b3e45bdfe18e3e28e22b1aa03648e070bbd52cf091cea9beRed Hat Security Advisory 2014-1955-01 - The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution. Note: This update changes the default value of the --retr-symlinks option. The file symbolic links are now traversed by default and pointed-to files are retrieved rather than creating a symbolic link locally.
51853f68b06bfa1f86977edb0079f1e01780dd7b24d5ce3fd6a4d15a80a28a6bGentoo Linux Security Advisory 201411-5 - An absolute path traversal vulnerability could lead to arbitrary code execution. Versions less than 1.16 are affected.
39901c03eab865732404934e3b213c41e488f4c3eeb744fcb7b80f48c2e1f681Debian Linux Security Advisory 3062-1 - HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability allows to create arbitrary files on the user's system when Wget runs in recursive mode against a malicious FTP server. Arbitrary file creation may override content of user's files or permit remote code execution with the user privilege.
81ca62ff439d497dff2d7be293884c4948bacdd36c50899703bccdedf1e419e2Red Hat Security Advisory 2014-1764-01 - The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution. Note: This update changes the default value of the --retr-symlinks option. The file symbolic links are now traversed by default and pointed-to files are retrieved rather than creating a symbolic link locally.
d36bbbede02f913b084b4361c228e65d7ef334e4d5f06eccc25479f06659a9baUbuntu Security Notice 2393-1 - HD Moore discovered that Wget contained a path traversal vulnerability when downloading symlinks using FTP. A malicious remote FTP server or a man in the middle could use this issue to cause Wget to overwrite arbitrary files, possibly leading to arbitrary code execution.
be489e5ed4b4f1ef450838f84b3ff51fa70f4752a4054d60cc9e25f0142d6f2cSlackware Security Advisory - New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
23a5b34c8621b180b34363b354480359e81aa737a51689af40b6b5bb9c2bbc39Mandriva Linux Security Advisory 2014-212 - Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. The default settings in wget have been changed such that wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the wget command.
bf0915948536e4eaf028020281ada0528221b6ad662a3169b50ade6d2b53bef7
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed