ID CVE-2017-13090
Summary The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker-controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
References
Vulnerable Configurations
  • GNU wget 1.19.1
    cpe:2.3:a:gnu:wget:1.19.1
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 9.3
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3464-1.NASL
    description Antti Levomaki, Christian Jalio, and Joonas Pihlaja discovered that Wget incorrectly handled certain HTTP responses. A remote attacker could use this issue to cause Wget to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Dawid Golunski discovered that Wget incorrectly handled recursive or mirroring mode. A remote attacker could possibly use this issue to bypass intended access list restrictions. (CVE-2016-7098) Orange Tsai discovered that Wget incorrectly handled CRLF sequences in HTTP headers. A remote attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2017-6508). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 104211
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104211
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : wget vulnerabilities (USN-3464-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1210.NASL
    description This update for wget fixes the following security issues : - CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could cause stack-based buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 104240
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104240
    title openSUSE Security Update : wget (openSUSE-2017-1210)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201711-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201711-06 (GNU Wget: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wget. Please review the referenced CVE identifiers for details. Impact : A remote attacker, by enticing a user to connect to a malicious server, could remotely execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 104514
    published 2017-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104514
    title GLSA-201711-06 : GNU Wget: Multiple vulnerabilities
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1270.NASL
    description According to the versions of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104295
    published 2017-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104295
    title EulerOS 2.0 SP2 : wget (EulerOS-SA-2017-1270)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0047_WGET.NASL
    description An update of the wget package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121766
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121766
    title Photon OS 1.0: Wget PHSA-2017-0047
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-3075.NASL
    description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 119236
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119236
    title Virtuozzo 7 : wget (VZLSA-2017-3075)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4008.NASL
    description Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code when connecting to a malicious HTTP server.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104223
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104223
    title Debian DSA-4008-1 : wget - security update
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0046_WGET.NASL
    description An update of the wget package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121765
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121765
    title Photon OS 2.0: Wget PHSA-2017-0046
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1269.NASL
    description According to the versions of the wget package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090)
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104294
    published 2017-11-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104294
    title EulerOS 2.0 SP1 : wget (EulerOS-SA-2017-1269)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-10FBCE01EC.NASL
    description new upstream release with CVE fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 105816
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105816
    title Fedora 27 : wget (2017-10fbce01ec)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0046.NASL
    description An update of [wget] packages for PhotonOS has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 111895
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111895
    title Photon OS 2.0: Wget PHSA-2017-0046 (deprecated)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-3075.NASL
    description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104218
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104218
    title CentOS 7 : wget (CESA-2017:3075)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0047.NASL
    description An update of [wget] packages for PhotonOS has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 111896
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111896
    title Photon OS 1.0: Wget PHSA-2017-0047 (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-DE8A421DCD.NASL
    description new upstream release with CVE fixes
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 104609
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104609
    title Fedora 25 : wget (2017-de8a421dcd)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-916.NASL
    description Heap-based buffer overflow in HTTP protocol handling A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13090) Stack-based buffer overflow in HTTP protocol handling A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13089)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 104182
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104182
    title Amazon Linux AMI : wget (ALAS-2017-916)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_D77CEB8CBB1311E783573065EC6F3643.NASL
    description Antti Levomaki, Christian Jalio, Joonas Pihlaja : Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of the user.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104228
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104228
    title FreeBSD : wget -- Heap overflow in HTTP protocol handling (d77ceb8c-bb13-11e7-8357-3065ec6f3643)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-F0B3231763.NASL
    description new upstream release with CVE fixes
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 104452
    published 2017-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104452
    title Fedora 26 : wget (2017-f0b3231763)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3075.NASL
    description An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104205
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104205
    title RHEL 7 : wget (RHSA-2017:3075)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-300-02.NASL
    description New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 104216
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104216
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : wget (SSA:2017-300-02)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2871-2.NASL
    description This update for wget fixes the following security issues : - CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could cause stack-based buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 104650
    published 2017-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104650
    title SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2017:2871-2)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1149.NASL
    description CVE-2017-13089 Fix stack overflow in HTTP protocol handling. CVE-2017-13090 Fix heap overflow in HTTP protocol handling. For Debian 7 'Wheezy', these problems have been fixed in version 1.13.4-3+deb7u5. We recommend that you upgrade your wget packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 104221
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104221
    title Debian DLA-1149-1 : wget security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3075.NASL
    description From Red Hat Security Advisory 2017:3075 : An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es) : * A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090) Red Hat would like to thank the GNU Wget project for reporting these issues.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 104200
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104200
    title Oracle Linux 7 : wget (ELSA-2017-3075)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171026_WGET_ON_SL7_X.NASL
    description Security Fix(es) : - A stack-based and a heap-based buffer overflow flaws were found in wget when processing chunked encoded HTTP responses. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit these flaws to potentially execute arbitrary code. (CVE-2017-13089, CVE-2017-13090)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 104207
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104207
    title Scientific Linux Security Update : wget on SL7.x x86_64
redhat via4
advisories
bugzilla
id 1505445
title CVE-2017-13090 wget: Heap-based buffer overflow in HTTP protocol handling
oval
AND
  • comment wget is earlier than 0:1.14-15.el7_4.1
    oval oval:com.redhat.rhsa:tst:20173075005
  • comment wget is signed with Red Hat redhatrelease2 key
    oval oval:com.redhat.rhsa:tst:20140151006
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
rhsa
id RHSA-2017:3075
released 2017-10-26
severity Important
title RHSA-2017:3075: wget security update (Important)
rpms wget-0:1.14-15.el7_4.1
refmap via4
bid 101590
confirm
debian DSA-4008
gentoo GLSA-201711-06
misc https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html
sectrack 1039661
Last major update 27-10-2017 - 15:29
Published 27-10-2017 - 15:29
Last modified 29-12-2017 - 21:29