Thursday, November 24, 2016

Wget Race Condition CVE-2016-7098 | slow timer attack

https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html

- Han Lee,  1337 Overflow

The -A option takes a comma-separated list of file name suffixes or patterns that wget should accept, and it is meant to restrict what a recursive download (-r) keeps on disk.
However, wget applies that check only once a download finishes: the response body is written to disk as it arrives, and a file whose name does not match the accept list is unlinked only after the transfer ends. Until the server closes the connection, the file sits on the victim's disk under the name wget chose for it.

The attack scenario in short is as follows:
[1] the victim server runs wget against the attacker's server with -r (recursive mode) and -A (file type check; in this scenario only jpg is accepted), and writes the output into a publicly accessible web folder (a bad idea in general)
[2] the attacker's server serves up a php file but never finishes the response, so wget writes the file into the victim's publicly accessible folder and keeps waiting for the rest
[3] as long as the connection is open, wget has not yet run the file type check and has not deleted the file
[4] while the connection is still open, the attacker requests the php file on the victim's web server, which executes it


As you can see, the first request allowed only jpg: wget still saved the file locally, performed the check afterwards, and only then deleted it because the name did not match.