[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] bug / security concern
From: |
Tim Rühsen |
Subject: |
Re: [Bug-wget] bug / security concern |
Date: |
Tue, 15 Oct 2019 11:59:59 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 |
Hi,
thanks for the report. Is that still an issue on a recent version of
Wget ? The version 1.17.1 you are using is very outdated.
We don't directly support windows binaries, but here is an unofficial
website that provides for binary downloads:
https://eternallybored.org/misc/wget/
If you find possible security issues, please do not make them public by
writing to this mailing list. Instead open an issue at
https://savannah.gnu.org/bugs/?func=additem&group=wget
and set 'Privacy' to 'private'.
Regards, Tim
On 10/14/19 8:15 PM, A.K. Zidani wrote:
> Hello there,
>
> I'm a security researcher and I think I found something interesting when
> using wget to download a file under Windows's BASH environment.
>
> here is a quick poc I created:
> https://addaxsoft.com/poc/AAAAAAAAA%bb%e4%b8%ad%e7AAAAAAAAAAAAAAAA
> when you wget that file; wget will crash at:
>
> Program received signal SIGSEGV, Segmentation fault.
> __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
>
> 0x00007ffffe202ae6 <+374>: sub rax,rdx
> 0x00007ffffe202ae9 <+377>: vzeroupper
> 0x00007ffffe202aec <+380>: ret
> 0x00007ffffe202aed <+381>: nop DWORD PTR [rax]
> 0x00007ffffe202af0 <+384>: sub rcx,0xffffffffffffff80
> 0x00007ffffe202af4 <+388>: vmovd eax,xmm0
> => 0x00007ffffe202af8 <+392>: rep stos BYTE PTR es:[rdi],al
> 0x00007ffffe202afa <+394>: mov rax,rsi
> 0x00007ffffe202afd <+397>: sub rax,rdx
> 0x00007ffffe202b00 <+400>: vzeroupper
> 0x00007ffffe202b03 <+403>: ret
>
> registers:
> (gdb) info registers
> rax 0x20202020 538976288
> rbx 0xffffffffffffffff -1
> rcx 0xffffffffffff5387 -44153
> rdx 0xffffffffffffffff -1
> rsi 0x84b1387 139137927
> rdi 0x84bc000 139182080
> rbp 0x84b1140 0x84b1140
> rsp 0x7ffffffed558 0x7ffffffed558
> r8 0x0 0
> r9 0x1 1
> r10 0x7ffffffed4a8 140737488278696
> r11 0x8279880 136812672
> r12 0x7 7
> r13 0x7 7
> r14 0x82798f0 136812784
> r15 0x84b1388 139137928
> rip 0x7ffffe202af8 0x7ffffe202af8 <__memset_avx2+392>
> eflags 0x10287 [ CF PF SF IF RF ]
> cs 0x33 51
> ss 0x2b 43
> ds 0x0 0
> es 0x0 0
> fs 0x0 0
> gs 0x0 0
>
> rdi is accessing inaccessible memory which the cause of the crash:
> (gdb) x $rdi
> 0x84bc000: Cannot access memory at address 0x84bc000
>
> here is my wget -V output:
> root@PC:~# wget -V
> GNU Wget 1.17.1 built on linux-gnu.
>
> +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
> +opie -psl +ssl/openssl
>
> Wgetrc:
> /etc/wgetrc (system)
> Locale:
> /usr/share/locale
> Compile:
> gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
> -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
> -I../../lib -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include
> -DHAVE_LIBSSL -DNDEBUG -g -O2 -fPIE -fstack-protector-strong
> -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64
> -g -Wall
> Link:
> gcc -DHAVE_LIBSSL -DNDEBUG -g -O2 -fPIE -fstack-protector-strong
> -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64
> -g -Wall -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro
> -Wl,-z,now -L/usr/lib -lpcre -luuid -lssl -lcrypto -lz -lidn
> ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
>
> Copyright (C) 2015 Free Software Foundation, Inc.
> Licence GPLv3+: GNU GPL version 3 or later
> <http://www.gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Originally written by Hrvoje Niksic <address@hidden>.
> Please send bug reports and questions to <address@hidden>.
>
>
>
>
>
> I didn't look into this further, but potentially I can have a memory write
> if I get control of rdi and rax at some point in the code path, which may
> lead to code execution as well.
>
> NOTE: this only crashes wget running in bash in a Windows environment.
> not sure if this is the same as CVE-2019-5953, but I would like to
> investigate further.
>
>
>
>
signature.asc
Description: OpenPGP digital signature