ID CVE-2016-7098
Summary Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.
References
Vulnerable Configurations
  • GNU wget 1.17
    cpe:2.3:a:gnu:wget:1.17
CVSS
Base: 6.8 (as of 27-09-2016 - 09:55)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description GNU Wget < 1.18 - Access List Bypass / Race Condition. CVE-2016-7098. Remote exploit for Multiple platform
file exploits/multiple/remote/40824.py
id EDB-ID:40824
last seen 2016-11-24
modified 2016-11-24
platform multiple
port 80
published 2016-11-24
reporter Exploit-DB
source https://www.exploit-db.com/download/40824/
title GNU Wget < 1.18 - Access List Bypass / Race Condition
type remote
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1073.NASL
    description This update for wget fixes the following issues : - CVE-2016-7098: Fixed a potential race condition by creating files with .tmp ext and making them accessible to the current user only. (boo#995964)
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 93436
    published 2016-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93436
    title openSUSE Security Update : wget (openSUSE-2016-1073)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-3268-1.NASL
    description This update for wget fixes the following issues: Security issues fixed : - CVE-2016-7098: Fixed a potential race condition by creating files with .tmp ext and making them accessible to the current user only. (bsc#995964) Non security issues fixed : - bsc#1005091: Don't call xfree() on string returned by usr_error() - bsc#1012677: Add support for enforcing TLSv1.1 and TLSv1.2 (TLS 1.2 support was already present, but it was not enforcable). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96140
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96140
    title SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:3268-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2016-0012_WGET.NASL
    description An update of the wget package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121653
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121653
    title Photon OS 1.0: Wget PHSA-2016-0012
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2358-1.NASL
    description This update for wget fixes the following issues : - CVE-2016-4971: A HTTP to FTP redirection file name confusion vulnerability was fixed. (bsc#984060). - CVE-2016-7098: A potential race condition was fixed by creating files with .tmp ext and making them accessible to the current user only. (bsc#995964) Bug fixed : - Wget failed with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93714
    published 2016-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93714
    title SUSE SLES11 Security Update : wget (SUSE-SU-2016:2358-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3464-1.NASL
    description Antti Levomaki, Christian Jalio, and Joonas Pihlaja discovered that Wget incorrectly handled certain HTTP responses. A remote attacker could use this issue to cause Wget to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Dawid Golunski discovered that Wget incorrectly handled recursive or mirroring mode. A remote attacker could possibly use this issue to bypass intended access list restrictions. (CVE-2016-7098) Orange Tsai discovered that Wget incorrectly handled CRLF sequences in HTTP headers. A remote attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2017-6508). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 104211
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104211
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : wget vulnerabilities (USN-3464-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_479C5B91B6CC11E6A04E3417EB99B9A0.NASL
    description Dawid Golunski reports : GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, is affected by a Race Condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with -A parameter.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95418
    published 2016-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95418
    title FreeBSD : wget -- Access List Bypass / Race Condition (479c5b91-b6cc-11e6-a04e-3417eb99b9a0)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-9.NASL
    description This update for wget fixes the following issues : Security issues fixed : - CVE-2016-7098: Fixed a potential race condition by creating files with .tmp ext and making them accessible to the current user only. (bsc#995964) Non security issues fixed : - bsc#1005091: Don't call xfree() on string returned by usr_error() - bsc#1012677: Add support for enforcing TLSv1.1 and TLSv1.2 (TLS 1.2 support was already present, but it was not enforcable). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2017-01-04
    plugin id 96278
    published 2017-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96278
    title openSUSE Security Update : wget (openSUSE-2017-9)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1027.NASL
    description According to the version of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.(CVE-2016-7098) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99790
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99790
    title EulerOS 2.0 SP1 : wget (EulerOS-SA-2016-1027)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2016-0012.NASL
    description An update of [ linux , wget , vim , grub2 , zookeeper , nginx , dnsmasq , haproxy ] packages for PhotonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111846
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111846
    title Photon OS 1.0: Dnsmasq / Grub2 / Haproxy / Linux / Nginx / Vim / Wget / Zookeeper PHSA-2016-0012 (deprecated)
packetstorm via4
data source https://packetstormsecurity.com/files/download/139895/wget-bypassracecondition.txt
id PACKETSTORM:139895
last seen 2016-12-05
published 2016-11-24
reporter Dawid Golunski
source https://packetstormsecurity.com/files/139895/GNU-Wget-Access-List-Bypass-Race-Condition.html
title GNU Wget Access List Bypass / Race Condition
refmap via4
bid 93157
exploit-db 40824
mlist
  • [bug-wget] 20160814 Wget - acess list bypass / race condition PoC
  • [bug-wget] 20160824 Re: Wget - acess list bypass / race condition PoC
  • [oss-security] 20160827 Re: CVE Request - Gnu Wget 1.17 - Design Error Vulnerability
suse
  • openSUSE-SU-2016:2284
  • openSUSE-SU-2017:0015
Last major update 06-01-2017 - 22:00
Published 26-09-2016 - 10:59
Last modified 02-09-2017 - 21:29
Back to Top