SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   wget Vendors:   GNU [multiple authors]
(Caldera Issues Fix) Wget FTP Client Input Validation Flaw May Let Malicious Servers Write Files to Arbitrary Locations
SecurityTracker Alert ID:  1005940
SecurityTracker URL:  http://securitytracker.com/id/1005940
CVE Reference:   CVE-2002-1344   (Links to External Site)
Date:  Jan 17 2003
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.8.1, possibly others
Description:   An input validation vulnerability was reported in wget's ftp client functionality. A remote FTP server may be able to write files to arbitrary locations when the wget client retrieves files from the FTP server.

Steve Christey reported that a malicious FTP server containing files with specially crafted filenames could exploit a flaw in the wget FTP client. When a target user attempts to download a file from a malicious server, the specially crafted filename may cause the client to create a file or overwrite a file in a directory on the target user's system that is located outside of the current working directory. The write location on the target system is specified by the malicious filename and is subject to the permissions of the target user.

While the target user must request that the malicious file be downloaded, the filename may be obscured or the user may be unaware of the filename (e.g., mget requests).

Several other FTP client implementations are affected [separate Alerts will be issued for each vulnerable client implementation.]

Impact:   A malicious FTP server may be able to cause the target user's client to write a file being downloaded by the target user to an arbitrary location on the target user's computer.
Solution:   Caldera has released a fix for Caldera OpenLinux.

OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-003.0/RPMS

Packages

0adc5e5568cc589b9ab90ebb0e181e65 wget-1.7.1-3.i386.rpm

Installation

rpm -Fvh wget-1.7.1-3.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-003.0/SRPMS

Source Packages

b443ec3aa56abaa8236a88bffebba036 wget-1.7.1-3.src.rpm


OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-003.0/RPMS

Packages

d5ef7e346ec79bead0cba20189904a11 wget-1.7.1-3.i386.rpm

Installation

rpm -Fvh wget-1.7.1-3.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-003.0/SRPMS

Source Packages

02c04170cbdef2de1b1f2c1a478681f7 wget-1.7.1-3.src.rpm


OpenLinux 3.1 Server:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-003.0/RPMS

Packages

7c2901898d0cc4d0bbb6132d82fefd0e wget-1.7.1-3.i386.rpm

Installation

rpm -Fvh wget-1.7.1-3.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-003.0/SRPMS

Source Packages

b19f59dedcd9b2382a41c8af3cf056d0 wget-1.7.1-3.src.rpm


OpenLinux 3.1 Workstation:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-003.0/RPMS

Packages

fbba3488352d9617a0b3b6507633c312 wget-1.7.1-3.i386.rpm

Installation

rpm -Fvh wget-1.7.1-3.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-003.0/SRPMS

Source Packages

7a30085d938ad07bde1f67267910a71d wget-1.7.1-3.src.rpm

Vendor URL:  www.gnu.org/software/wget/wget.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  3.1, 3.1.1; Server and Workstation

Message History:   This archive entry is a follow-up to the message listed below.
Dec 12 2002 Wget FTP Client Input Validation Flaw May Let Malicious Servers Write Files to Arbitrary Locations



 Source Message Contents

Subject:  Security Update: [CSSA-2003.003.0] Linux: wget directory traversal and buffer overrun vulnerabilities


--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com full-disclosure@lists.netsys

______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: wget directory traversal and buffer overrun vulnerabilities
Advisory number: 	CSSA-2003-003.0
Issue date: 		2003 January 16
Cross reference:
______________________________________________________________________________


1. Problem Description

	Stefano Zacchiroli found a buffer overrun in the url_filename
	function, which would make wget segfault on very long urls.

	Steven M. Christey discovered that wget did not verify the FTP
	server response to a NLST command: it must not contain any
	directory information, since that can be used to make a FTP
	client overwrite arbitrary files.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to wget-1.7.1-3.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to wget-1.7.1-3.i386.rpm

	OpenLinux 3.1 Server		prior to wget-1.7.1-3.i386.rpm

	OpenLinux 3.1 Workstation	prior to wget-1.7.1-3.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-003.0/RPMS

	4.2 Packages

	0adc5e5568cc589b9ab90ebb0e181e65	wget-1.7.1-3.i386.rpm

	4.3 Installation

	rpm -Fvh wget-1.7.1-3.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-003.0/SRPMS

	4.5 Source Packages

	b443ec3aa56abaa8236a88bffebba036	wget-1.7.1-3.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-003.0/RPMS

	5.2 Packages

	d5ef7e346ec79bead0cba20189904a11	wget-1.7.1-3.i386.rpm

	5.3 Installation

	rpm -Fvh wget-1.7.1-3.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-003.0/SRPMS

	5.5 Source Packages

	02c04170cbdef2de1b1f2c1a478681f7	wget-1.7.1-3.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-003.0/RPMS

	6.2 Packages

	7c2901898d0cc4d0bbb6132d82fefd0e	wget-1.7.1-3.i386.rpm

	6.3 Installation

	rpm -Fvh wget-1.7.1-3.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-003.0/SRPMS

	6.5 Source Packages

	b19f59dedcd9b2382a41c8af3cf056d0	wget-1.7.1-3.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-003.0/RPMS

	7.2 Packages

	fbba3488352d9617a0b3b6507633c312	wget-1.7.1-3.i386.rpm

	7.3 Installation

	rpm -Fvh wget-1.7.1-3.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-003.0/SRPMS

	7.5 Source Packages

	7a30085d938ad07bde1f67267910a71d	wget-1.7.1-3.src.rpm


8. References

	Specific references for this advisory:

		http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344
		http://www.kb.cert.org/vuls/id/210148

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr872622, fz526854,
	erg712181.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


10. Acknowledgements

	Stefano Zacchiroli and Steve Christey (coley@mitre.org)
	discovered and researched these vulnerabilities.

______________________________________________________________________________

--EVF5PPMfhYS0aIcm
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj4nJmYACgkQbluZssSXDTGAVQCeKhGY5Pf9yu8VB0Z+cvLY4cO4
QUsAoIPuxbOV0DTdkcraeK5Q7R/Z/YFh
=K/3N
-----END PGP SIGNATURE-----

--EVF5PPMfhYS0aIcm--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC