Vulnerabilities > CVE-2017-13089 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Summary
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1270.NASL description According to the versions of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-11-01 plugin id 104295 published 2017-11-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104295 title EulerOS 2.0 SP2 : wget (EulerOS-SA-2017-1270) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(104295); script_version("3.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2017-13089", "CVE-2017-13090" ); script_name(english:"EulerOS 2.0 SP2 : wget (EulerOS-SA-2017-1270)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1270 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1ec10d8"); script_set_attribute(attribute:"solution", value: "Update the affected wget packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"patch_publication_date", value:"2017/10/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:wget"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["wget-1.14-15.1.h1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wget"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2017-F0B3231763.NASL description new upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-11-08 plugin id 104452 published 2017-11-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104452 title Fedora 26 : wget (2017-f0b3231763) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-f0b3231763. # include("compat.inc"); if (description) { script_id(104452); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-13089", "CVE-2017-13090"); script_xref(name:"FEDORA", value:"2017-f0b3231763"); script_name(english:"Fedora 26 : wget (2017-f0b3231763)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "new upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f0b3231763" ); script_set_attribute(attribute:"solution", value:"Update the affected wget package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wget"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/27"); script_set_attribute(attribute:"patch_publication_date", value:"2017/11/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC26", reference:"wget-1.19.2-1.fc26")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wget"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2017-DE8A421DCD.NASL description new upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-11-16 plugin id 104609 published 2017-11-16 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104609 title Fedora 25 : wget (2017-de8a421dcd) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-de8a421dcd. # include("compat.inc"); if (description) { script_id(104609); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-13089", "CVE-2017-13090"); script_xref(name:"FEDORA", value:"2017-de8a421dcd"); script_name(english:"Fedora 25 : wget (2017-de8a421dcd)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "new upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-de8a421dcd" ); script_set_attribute(attribute:"solution", value:"Update the affected wget package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wget"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/27"); script_set_attribute(attribute:"patch_publication_date", value:"2017/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC25", reference:"wget-1.19.2-1.fc25")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wget"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1210.NASL description This update for wget fixes the following security issues : - CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could cause stack-based buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2017-10-30 plugin id 104240 published 2017-10-30 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104240 title openSUSE Security Update : wget (openSUSE-2017-1210) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0046.NASL description An update of [wget] packages for PhotonOS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111895 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111895 title Photon OS 2.0: Wget PHSA-2017-0046 (deprecated) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4008.NASL description Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code when connecting to a malicious HTTP server. last seen 2020-06-01 modified 2020-06-02 plugin id 104223 published 2017-10-30 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104223 title Debian DSA-4008-1 : wget - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2871-2.NASL description This update for wget fixes the following security issues : - CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could cause stack-based buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104650 published 2017-11-17 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104650 title SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2017:2871-2) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0046_WGET.NASL description An update of the wget package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121765 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121765 title Photon OS 2.0: Wget PHSA-2017-0046 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-3075.NASL description From Red Hat Security Advisory 2017:3075 : An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104200 published 2017-10-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104200 title Oracle Linux 7 : wget (ELSA-2017-3075) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1149.NASL description CVE-2017-13089 Fix stack overflow in HTTP protocol handling. CVE-2017-13090 Fix heap overflow in HTTP protocol handling. For Debian 7 last seen 2020-03-17 modified 2017-10-30 plugin id 104221 published 2017-10-30 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104221 title Debian DLA-1149-1 : wget security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1269.NASL description According to the versions of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-11-01 plugin id 104294 published 2017-11-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104294 title EulerOS 2.0 SP1 : wget (EulerOS-SA-2017-1269) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201711-06.NASL description The remote host is affected by the vulnerability described in GLSA-201711-06 (GNU Wget: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wget. Please review the referenced CVE identifiers for details. Impact : A remote attacker, by enticing a user to connect to a malicious server, could remotely execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 104514 published 2017-11-13 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104514 title GLSA-201711-06 : GNU Wget: Multiple vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1413.NASL description According to the versions of the wget package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains.(CVE-2018-0494) - A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13089) - A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124916 published 2019-05-14 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124916 title EulerOS Virtualization for ARM 64 3.0.1.0 : wget (EulerOS-SA-2019-1413) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1417.NASL description According to the versions of the wget package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.(CVE-2017-13089) - A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the last seen 2020-06-01 modified 2020-06-02 plugin id 124920 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124920 title EulerOS Virtualization 3.0.1.0 : wget (EulerOS-SA-2019-1417) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-300-02.NASL description New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104216 published 2017-10-30 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104216 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : wget (SSA:2017-300-02) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-3075.NASL description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104218 published 2017-10-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104218 title CentOS 7 : wget (CESA-2017:3075) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-3075.NASL description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 119236 published 2018-11-27 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119236 title Virtuozzo 7 : wget (VZLSA-2017-3075) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-916.NASL description Heap-based buffer overflow in HTTP protocol handling A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13090) Stack-based buffer overflow in HTTP protocol handling A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13089) last seen 2020-06-01 modified 2020-06-02 plugin id 104182 published 2017-10-27 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104182 title Amazon Linux AMI : wget (ALAS-2017-916) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-3075.NASL description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104205 published 2017-10-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104205 title RHEL 7 : wget (RHSA-2017:3075) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3464-1.NASL description Antti Levomaki, Christian Jalio, and Joonas Pihlaja discovered that Wget incorrectly handled certain HTTP responses. A remote attacker could use this issue to cause Wget to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Dawid Golunski discovered that Wget incorrectly handled recursive or mirroring mode. A remote attacker could possibly use this issue to bypass intended access list restrictions. (CVE-2016-7098) Orange Tsai discovered that Wget incorrectly handled CRLF sequences in HTTP headers. A remote attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2017-6508). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104211 published 2017-10-27 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104211 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : wget vulnerabilities (USN-3464-1) NASL family Scientific Linux Local Security Checks NASL id SL_20171026_WGET_ON_SL7_X.NASL description Security Fix(es) : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) last seen 2020-03-18 modified 2017-10-27 plugin id 104207 published 2017-10-27 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104207 title Scientific Linux Security Update : wget on SL7.x x86_64 (20171026) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0047.NASL description An update of [wget] packages for PhotonOS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111896 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111896 title Photon OS 1.0: Wget PHSA-2017-0047 (deprecated) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_09849E71BB1211E783573065EC6F3643.NASL description Antti Levomaki, Christian Jalio, Joonas Pihlaja : Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of the user. last seen 2020-06-01 modified 2020-06-02 plugin id 104226 published 2017-10-30 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104226 title FreeBSD : wget -- Stack overflow in HTTP protocol handling (09849e71-bb12-11e7-8357-3065ec6f3643) NASL family Fedora Local Security Checks NASL id FEDORA_2017-10FBCE01EC.NASL description new upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105816 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105816 title Fedora 27 : wget (2017-10fbce01ec) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0047_WGET.NASL description An update of the wget package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121766 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121766 title Photon OS 1.0: Wget PHSA-2017-0047
Redhat
advisories |
| ||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | That’s an interesting vulnerability in GNU wget. According to the wget project, this was reported by Antti Levomäki, Christian Jalio, Joonas Pihlaja of Forcepoint as well as Juhani Eronen of the Finnish National Cyber Security Centre. The vulnerability is in src/http.c source code file and more precisely in skip_short_body() function. ``` /* Read the body of the request, but don't store it anywhere and don't display a progress gauge. This is useful for reading the bodies of administrative responses to which we will soon issue another request. The response is not useful to the user, but reading it allows us to continue using the same connection to the server. If reading fails, false is returned, true otherwise. In debug mode, the body is displayed for debugging purposes. */ static bool skip_short_body (int fd, wgint contlen, bool chunked) { enum { SKIP_SIZE = 512, /* size of the download buffer */ SKIP_THRESHOLD = 4096 /* the largest size we read */ }; wgint remaining_chunk_size = 0; ... return true; } ``` The description in the comment is pretty clear but what we care about here is the “remaining_chunk_size” variable which has data type of “wgint”. This is a data type defined in src/wget.h header file based on the architecture and operating system. ``` /* Pick an integer type large enough for file sizes, content lengths, and such. Because today's files can be very large, it should be a signed integer at least 64 bits wide. This can't be typedeffed to off_t because: a) off_t is always 32-bit on Windows, and b) we don't necessarily want to tie having a 64-bit type for internal calculations to having LFS support. */ #ifdef WINDOWS /* nothing to do, see mswindows.h */ #elif SIZEOF_LONG >= 8 /* long is large enough, so use it. */ typedef long wgint; # define SIZEOF_WGINT SIZEOF_LONG #elif SIZEOF_LONG_LONG >= 8 /* long long is large enough and available, use that */ typedef long long wgint; # define SIZEOF_WGINT SIZEOF_LONG_LONG #elif HAVE_INT64_T typedef int64_t wgint; # define SIZEOF_WGINT 8 #elif SIZEOF_OFF_T >= 8 /* In case off_t is typedeffed to a large non-standard type that our tests don't find. */ typedef off_t wgint; # define SIZEOF_WGINT SIZEOF_OFF_T #else /* Fall back to using long, which is always available and in most cases large enough. */ typedef long wgint; # define SIZEOF_WGINT SIZEOF_LONG #endif ``` What is worth noting is all of the type definitions are using signed data types. This means that “wgint” variables can get both positive and negative values. Now that this is clear, let’s move back to http.c and skip_short_body() function. ``` static bool skip_short_body (int fd, wgint contlen, bool chunked) { ... SKIP_SIZE = 512, /* size of the download buffer */ ... wgint remaining_chunk_size = 0; char dlbuf[SKIP_SIZE + 1]; ... while (contlen > 0 || chunked) { int ret; if (chunked) { if (remaining_chunk_size == 0) { char *line = fd_read_line (fd); char *endl; if (line == NULL) break; remaining_chunk_size = strtol (line, &endl, 16); xfree (line); ... contlen = MIN (remaining_chunk_size, SKIP_SIZE); ... ret = fd_read (fd, dlbuf, MIN (contlen, SKIP_SIZE), -1); ... } ``` So, when wget processes chunked responses it will enter this “while” loop (content length greater than zero or the response is chunked). When the chunk size gets to 0, it will read the next line using fd_read_line() and then attempt to retrieve the remaining chunk size using strtol() in hexadecimal. This value is 100% controlled by the response header and it could be anything, including so large that it will wrap around this signed integer into a negative value. Then MIN() macro will be used to compare that value with SKIP_SIZE (which is 512) and use this to initialize “contlen” signed integer. If “remaining_chunk_size” had a negative value it means that this will now be stored in “contlen” which is then used in fd_read() leading to a stack based buffer overflow as the attacker completely controls the size argument that is used to copy data from “fd” (the HTTP page) to “dlbuf” (stack based buffer with size of 513 bytes). The fix was relatively simple as you can see below. ``` remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + return false; + if (remaining_chunk_size == 0) ``` The fix was a simple bound check after the strtol() call to ensure that the value of “remaining_chunk_size” was not set to a negative value before continuing with the processing. |
id | SSV:96839 |
last seen | 2017-11-19 |
modified | 2017-11-13 |
published | 2017-11-13 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-96839 |
title | wget HTTP integer overflow(CVE-2017-13089) |
References
- https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html
- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
- http://www.securitytracker.com/id/1039661
- http://www.securityfocus.com/bid/101592
- https://github.com/r1b/CVE-2017-13089
- http://www.debian.org/security/2017/dsa-4008
- https://security.gentoo.org/glsa/201711-06
- https://access.redhat.com/errata/RHSA-2017:3075
- https://www.synology.com/support/security/Synology_SA_17_62_Wget