#VU32477 Path traversal in wget - CVE-2014-4877

Cybersecurity Help s.r.o.

Published: 2014-10-29 | Updated: 2020-07-29

Vulnerability identifier: #VU32477

Vulnerability risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2014-4877

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
wget
Server applications / File servers (FTP/HTTP)

Vendor: GNU

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Mitigation
Install update from vendor's website.

Vulnerable software versions

wget: 1.5.3 - 1.15

External links
https://advisories.mageia.org/MGASA-2014-0431.html
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=b4440d96cf8173d68ecaa07c36b8f4316ee794d0
https://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
https://lists.opensuse.org/opensuse-security-announce/2014-11/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2014-11/msg00009.html
https://lists.opensuse.org/opensuse-updates/2014-11/msg00026.html
https://rhn.redhat.com/errata/RHSA-2014-1764.html
https://rhn.redhat.com/errata/RHSA-2014-1955.html
https://security.gentoo.org/glsa/glsa-201411-05.xml
https://www.debian.org/security/2014/dsa-3062
https://www.kb.cert.org/vuls/id/685996
https://www.mandriva.com/security/advisories?name=MDVSA-2015:121
https://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
https://www.securityfocus.com/bid/70751
https://www.ubuntu.com/usn/USN-2393-1
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
https://github.com/rapid7/metasploit-framework/pull/4088
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://kc.mcafee.com/corporate/index?page=content&id=SB10106

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

Latest bulletins with this vulnerability

Path traversal in wget (Alpine package)

Gentoo update for GNU Wget

SUSE Linux update for wget

Amazon Linux AMI update for wget

Fedora 21 update for wget

Slackware Linux update for wget

Path traversal in GNU wget