ID CVE-2004-2014
Summary Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded.
References
Vulnerable Configurations
  • GNU wget 1.5.3
    cpe:2.3:a:gnu:wget:1.5.3
  • GNU wget 1.6
    cpe:2.3:a:gnu:wget:1.6
  • GNU wget 1.7
    cpe:2.3:a:gnu:wget:1.7
  • GNU wget 1.7.1
    cpe:2.3:a:gnu:wget:1.7.1
  • GNU wget 1.8
    cpe:2.3:a:gnu:wget:1.8
  • GNU wget 1.8.1
    cpe:2.3:a:gnu:wget:1.8.1
  • GNU wget 1.8.2
    cpe:2.3:a:gnu:wget:1.8.2
  • GNU wget 1.9
    cpe:2.3:a:gnu:wget:1.9
  • GNU wget 1.9.1
    cpe:2.3:a:gnu:wget:1.9.1
CVSS
Base: 2.6 (as of 25-05-2005 - 22:21)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL HIGH NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL PARTIAL
exploit-db via4
description WGet 1.x Insecure File Creation Race Condition Vulnerability. CVE-2004-2014. Local exploit for linux platform
id EDB-ID:24123
last seen 2016-02-02
modified 2004-05-17
published 2004-05-17
reporter Hugo Vazquez
source https://www.exploit-db.com/download/24123/
title WGet 1.x Insecure File Creation Race Condition Vulnerability
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-771.NASL
    description Updated wget package that fixes several security issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU Wget is a file retrieval utility that can use either the HTTP or FTP protocols. A bug was found in the way wget writes files to the local disk. If a malicious local user has write access to the directory wget is saving a file into, it is possible to overwrite files that the user running wget has write access to. (CVE-2004-2014) A bug was found in the way wget filters redirection URLs. It is possible for a malicious Web server to overwrite files the user running wget has write access to. Note: in order for this attack to succeed the local DNS would need to resolve '..' to an IP address, which is an unlikely situation. (CVE-2004-1487) A bug was found in the way wget displays HTTP response codes. It is possible that a malicious web server could inject a specially crafted terminal escape sequence capable of misleading the user running wget. (CVE-2004-1488) Users should upgrade to this updated package, which contains a version of wget that is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21857
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21857
    title CentOS 3 / 4 : wget (CESA-2005:771)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-145-1.NASL
    description Jan Minar discovered a path traversal vulnerability in wget. If the name '..' was a valid host name (which can be achieved with a malicious or poisoned domain name server), it was possible to trick wget into creating downloaded files into arbitrary locations with arbitrary names. For example, wget could silently overwrite the users ~/.bashrc and other configuration files which are executed automatically. (CAN-2004-1487) Jan Minar also discovered that wget printed HTTP response strings from the server to the terminal without any filtering. Malicious HTTP servers could exploit this to send arbitrary terminal sequences and strings which would then be executed and printed to the console. This could potentially lead to arbitrary code execution with the privileges of the user invoking wget. (CAN-2004-1488) Hugo Vazquez Carames discovered a race condition when writing output files. After wget determined the output file name, but before the file was actually opened (the time window is determined by the delay of the first received data packet), a local attacker with with write permission to the download directory could create a symbolic link with the name of the output file. This could be exploited to overwrite arbitrary files with the permissions of the user invoking wget. (CAN-2004-2014). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20538
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20538
    title Ubuntu 4.10 / 5.04 : wget vulnerabilities (USN-145-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-771.NASL
    description Updated wget package that fixes several security issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU Wget is a file retrieval utility that can use either the HTTP or FTP protocols. A bug was found in the way wget writes files to the local disk. If a malicious local user has write access to the directory wget is saving a file into, it is possible to overwrite files that the user running wget has write access to. (CVE-2004-2014) A bug was found in the way wget filters redirection URLs. It is possible for a malicious Web server to overwrite files the user running wget has write access to. Note: in order for this attack to succeed the local DNS would need to resolve '..' to an IP address, which is an unlikely situation. (CVE-2004-1487) A bug was found in the way wget displays HTTP response codes. It is possible that a malicious web server could inject a specially crafted terminal escape sequence capable of misleading the user running wget. (CVE-2004-1488) Users should upgrade to this updated package, which contains a version of wget that is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 19833
    published 2005-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19833
    title RHEL 2.1 / 3 / 4 : wget (RHSA-2005:771)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-204.NASL
    description Hugo Vazquez Carames discovered a race condition when writing output files in wget. After wget determined the output file name, but before the file was actually opened, a local attacker with write permissions to the download directory could create a symbolic link with the name of the output file. This could be exploited to overwrite arbitrary files with the permissions of the user invoking wget. The time window of opportunity for the attacker is determined solely by the delay of the first received data packet. The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20128
    published 2005-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20128
    title Mandrake Linux Security Advisory : wget (MDKSA-2005:204)
oval via4
accepted 2013-04-29T04:22:35.984-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded.
family unix
id oval:org.mitre.oval:def:9830
status accepted
submitted 2010-07-09T03:56:16-04:00
title Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded.
version 23
redhat via4
advisories
rhsa
id RHSA-2005:771
refmap via4
bid 10361
bugtraq 20040516 Wget race condition vulnerability
mandriva MDKSA-2005:204
mlist
  • [wget] 20040517 Re: Wget race condition vulnerability (fwd)
  • [wget] 20040517 Wget race condition vulnerability (fwd)
secunia 17399
ubuntu USN-145-1
xf wget-lock-race-condition(16167)
Last major update 17-10-2016 - 23:04
Published 31-12-2004 - 00:00
Last modified 03-10-2018 - 17:29
Back to Top