[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-wget] Incorrect perms if downloaded file exists in the local FS
|
From: |
Borja Ruiz-Castro |
|
Subject: |
[Bug-wget] Incorrect perms if downloaded file exists in the local FS |
|
Date: |
Wed, 14 Mar 2012 14:03:51 +0100 |
Hi!
I just noticed a security problem with wget:
If a non-priv user owns a file (/tmp/test), and the root user downloads a
file with the same name (wget -O /tmp/test), the new-created file still
owns to the former user!!!
EXAMPLE:
==================================================================================================
address@hidden ~ $ cd /tmp/
address@hidden tmp $ id
uid=1000(borja) gid=1000(borja) grupos=1000(borja)
address@hidden tmp $
address@hidden tmp $ wget -q www.marca.es
address@hidden tmp $ ls -lah index.html
-rw-r--r-- 1 borja borja 297K mar 14 14:01 index.html
address@hidden tmp $
address@hidden tmp $
PanoramaBar ~ #
PanoramaBar ~ # cd /tmp/
PanoramaBar tmp # wget -q -O index.html www.marca.es
PanoramaBar tmp # ls -lah index.html
-rw-r--r-- 1 borja borja 297K mar 14 14:02 index.html
PanoramaBar tmp # id
uid=0(root) gid=0(root) grupos=0(root)
PanoramaBar tmp #
==================================================================================================
This can lead to race-condition attacks and privilege scalation.
The new downloaded file must own to the user who exec the wget command.
Regards.
--
Borja Ruiz-Castro
Senior Security Consultant
QA testing engineer
*AlienVault Europe* C/Cronos 63, Planta 2a, Oficina 6
CP: 28037 Madrid, Spain Tlf +34 91 515-1344
Fax +34 91 413-5968
- [Bug-wget] Incorrect perms if downloaded file exists in the local FS,
Borja Ruiz-Castro <=