CVE-2002-1344
CVSS 5.0
Published: 2002-12-18 00:00:00
Revised: 2016-12-07 21:59:21
NMCOS    

[Original] Directory traversal vulnerability in wget before 1.8.2-4 allows a remote FTP server to create or overwrite files as the wget user via filenames containing (1) /absolute/path or (2) .. (dot dot) sequences.


[CNNVD] WGet NLST Client-Side File Overwrite Vulnerability (CNNVD-200212-028)

        
        wget is a free, open-source download utility that runs on Unix and Linux systems.
        wget does not correctly handle the server's reply to the FTP NLST command. A remote attacker can set up a malicious FTP server and lure a user into retrieving files from it, causing files to be written or overwritten outside the client's current download directory.
        When wget processes an NLST reply, the names the server returns are untrusted input, and any directory information they carry must be checked before the name is used as a local path; wget did not perform this check. A malicious FTP server can therefore return file names containing path components such as:
        "../", "/path", "..\" (on Windows), "C:" (on Windows), "..." (on Windows, equivalent to ../..)
        When wget is invoked with wildcards, so that the names it retrieves are taken from the server's listing, it does not check these path components. The server can thus make the client traverse directories and blindly write downloads outside the intended target directory. An attacker who knows file names and the directory layout on the client can overwrite those files directly, leading to denial of service or other attacks.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:gnu:wget:1.5.3    GNU wget 1.5.3
cpe:/a:gnu:wget:1.7.1    GNU wget 1.7.1
cpe:/a:gnu:wget:1.8      GNU wget 1.8
cpe:/a:gnu:wget:1.8.1    GNU wget 1.8.1
cpe:/a:gnu:wget:1.8.2    GNU wget 1.8.2
cpe:/h:sun:cobalt_raq_xtr    Sun Cobalt RaQ XTR
cpe:/a:gnu:wget:1.7      GNU wget 1.7
cpe:/a:gnu:wget:1.6      GNU wget 1.6

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1344
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1344
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-028
(official data source) CNNVD

- Other links and resources

ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-003.0.txt
(UNKNOWN)  SCO  CSSA-2003-003.0
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0102.html
(UNKNOWN)  VULNWATCH  20021210 Directory Traversal Vulnerabilities in FTP Clients
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000552
(UNKNOWN)  CONECTIVA  CLA-2002:552
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000552
(UNKNOWN)  CONECTIVA  CLSA-2002:552
http://marc.info/?l=bugtraq&m=103962838628940&w=2
(UNKNOWN)  BUGTRAQ  20021211 Directory Traversal Vulnerabilities in FTP Clients
http://marc.info/?l=bugtraq&m=104033016703851&w=2
(UNKNOWN)  BUGTRAQ  20021219 TSLSA-2002-0089 - wget
http://www.ciac.org/ciac/bulletins/n-022.shtml
(UNKNOWN)  CIAC  N-022
http://www.iss.net/security_center/static/10820.php
(UNKNOWN)  XF  wget-ftp-filename-traversal(10820)
http://www.kb.cert.org/vuls/id/210148
(UNKNOWN)  CERT-VN  VU#210148
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-086.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:086
http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.007.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2003.007
http://www.redhat.com/support/errata/RHSA-2002-229.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2002:229
http://www.redhat.com/support/errata/RHSA-2002-256.html
(UNKNOWN)  REDHAT  RHSA-2002:256
http://www.securityfocus.com/archive/1/archive/1/307045/30/26300/threaded
(UNKNOWN)  CALDERA  CSSA-2003.003.0
http://www.securityfocus.com/bid/6352
(VENDOR_ADVISORY)  BID  6352
http://www.securityfocus.com/bid/6360
(UNKNOWN)  BID  6360
https://www.debian.org/security/2002/dsa-209
(UNKNOWN)  DEBIAN  DSA-209

- Vulnerability information

WGet NLST Client-Side File Overwrite Vulnerability
Medium severity    Input validation
2002-12-18 00:00:00    2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2002:552) and a corresponding patch:
        CLA-2002:552: wget
        Link:
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000552

        Patch downloads:
        Conectiva RPM wget-1.8.2-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wget-1.8.2-1U60_1cl.i386.rpm
        Conectiva RPM wget-1.8.2-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/wget-1.8.2-1U70_1cl.i386.rpm
        Conectiva RPM wget-1.8.2-1U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/wget-1.8.2-1U80_1cl.i386.rpm
        Debian
        ------
        Debian has released a security advisory (DSA-209-1) and a corresponding patch:
        DSA-209-1: two wget problems
        Link:
        http://www.debian.org/security/2002/dsa-209

        Patch downloads:
        Source archives:
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.diff.gz

        Size/MD5 checksum: 75231 61d99d8ab75b95cd9fa2459e74182a50
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3.orig.tar.gz

        Size/MD5 checksum: 446966 47680b25bf893afdb0c43b24e3fc2fd6
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.dsc

        Size/MD5 checksum: 1163 9eb3c57aa94d74e3c6e4097b5d941563
        alpha architecture (DEC Alpha)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_alpha.deb

        Size/MD5 checksum: 249228 0eedd7487056460a8de93ea2ed3402f2
        arm architecture (ARM)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_arm.deb

        Size/MD5 checksum: 233342 9a57b21e6611b46b3991bb38e75dbd08
        i386 architecture (Intel ia32)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_i386.deb

        Size/MD5 checksum: 227812 fc7c576836d26cebc397c07f3bbd1488
        m68k architecture (Motorola Mc680x0)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_m68k.deb

        Size/MD5 checksum: 224820 b967f1e1b960be2fce3fb2cae55b6710
        powerpc architecture (PowerPC)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_powerpc.deb

        Size/MD5 checksum: 234646 48b138d481cebbe85b437d82b63285b7
        sparc architecture (Sun SPARC/UltraSPARC)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_sparc.deb

        Size/MD5 checksum: 235500 631874205d8d85378555387209a9db37
        Debian GNU/Linux 3.0 alias woody
        - --------------------------------
        Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
        powerpc, s390 and sparc. An update for mipsel is not available at this
        moment.
        Source archives:
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1.orig.tar.gz

        Size/MD5 checksum: 1097780 6ca8e939476e840f0ce69a3b31c13060
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.diff.gz

        Size/MD5 checksum: 9939 69f96b6608e043e0d781061a22e90169
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.dsc

        Size/MD5 checksum: 1217 97af60040e8d7a2cd538d18a5120cd87
        alpha architecture (DEC Alpha)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_alpha.deb

        Size/MD5 checksum: 364338 aeade9ab45904c8b6c64fcdb5934576e
        arm architecture (ARM)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_arm.deb

        Size/MD5 checksum: 335972 dfe4085e95fd53be9821d1b33d79d134
        hppa architecture (HP PA RISC)
        
        http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_hppa.deb

        Size/MD5 c
        Installing the patch:
        1. Install the package manually:
         First, download the patch package with:
         # wget url (url is the download link of the patch)
         Then install it with:
         # dpkg -i file.deb (file is the name of the patch package)
        2. Install the update automatically with apt-get:
         First, refresh the package database:
         # apt-get update
        
         Then install the updated packages:
         # apt-get upgrade
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2002:086) and corresponding patches:
        MDKSA-2002:086: Updated wget packages fix directory traversal vulnerability
        Link:
        http://www.linux-mandrake.com/en/security/2002/2002-086.php

        Patch downloads:
        Updated Packages:
        Linux-Mandrake 7.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/wget-1.8.2-3.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/SRPMS/wget-1.8.2-3.1mdk.src.rpm
        Mandrake Linux 8.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/wget-1.8.2-3.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/SRPMS/wget-1.8.2-3.1mdk.src.rpm
        Mandrake Linux 8.0/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/wget-1.8.2-3.1mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/SRPMS/wget-1.8.2-3.1mdk.src.rpm
        Mandrake Linux 8.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/wget-1.8.2-3.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/SRPMS/wget-1.8.2-3.1mdk.src.rpm
        Mandrake Linux 8.1/IA64:
        

- Vulnerability information

6982
GNU wget Arbitrary File Creation / Overwrite
Remote / Network Access    Input Manipulation
Loss of Integrity

- Description

wget contains a flaw that may allow a remote malicious user to write arbitrary files to the system. The issue is triggered when an NLST response from the server contains directory path information. It is possible that the flaw may allow arbitrary files to be written resulting in a loss of integrity.

- Timeline

2002-12-10    Unknown
Unknown    Unknown

- Solution

No workaround is known for this issue. Multiple vendors have released patched wget packages that address it (see the advisories listed above); upgrading to the vendor-patched package is the fix.

- References

- Credit

- Vulnerability information

WGet NLST Client Side File Overwriting Vulnerability
Input Validation Error    BID 6352
Remote: Yes    Local: No
Published: 2002-12-10 12:00:00    Updated: 2009-07-11 07:16:00
Vulnerability discovery credited to Steve Christey.

- Affected versions

Sun Cobalt RaQ XTR
GNU wget 1.8.2
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Immunix Immunix OS 7+
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.0 i386
+ RedHat Linux 6.2 i386
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux Personal 9.3
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ Trustix Secure Linux 1.5
GNU wget 1.8.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
GNU wget 1.8
GNU wget 1.7.1
GNU wget 1.7
GNU wget 1.6
GNU wget 1.5.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k

- Discussion

wget is a freely available, open-source command-line download utility that speaks HTTP and FTP. It is included with many Unix and Linux operating systems.

wget does not properly handle some types of FTP server responses. The names returned in reply to an NLST command are supplied by the server and may carry directory information (absolute paths or dot-dot components); a client must check them before using them as local file names. wget used these names without such a check, which allows a malicious FTP server to create or overwrite files outside the download directory on the client system, with the privileges of the user running wget.
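The mechanism described here and in the CNNVD description near the top of the page (names from an NLST reply used directly as local file names) can be modelled in a few lines of Python. This is an added example, not wget's code or any vendor's fix: the download directories, the hostile listing and the validation policy in is_safe_name() are all constructed for illustration. It shows where each traversal form named in the advisory lands under POSIX and under Windows path rules when the name is joined blindly, and that a syntactic filter rejects all of them.

```python
"""Added example (not wget's own code): why an unvalidated NLST reply lets a
hostile FTP server choose the client's local file path, and one validation
policy that rejects every traversal form named in the advisory.

Assumptions: the download directories, the listing contents and the policy
in is_safe_name() are constructed for this example.
"""
import posixpath
import ntpath
import re

# Constructed reply from a hostile server: one name per line, CRLF
# terminated, as an NLST reply is delivered on the FTP data connection.
MALICIOUS_NLST = (
    b"README.txt\r\n"                 # benign entry
    b"../../.bashrc\r\n"              # dot-dot sequence
    b"/etc/cron.d/backdoor\r\n"       # absolute path
    b"..\\..\\autoexec.bat\r\n"       # Windows-style dot-dot
    b"C:\\boot.ini\r\n"               # Windows drive prefix
    b"...\r\n"                        # legacy Win9x shorthand for ../..
)

POSIX_DL = "/home/user/dl"            # assumed client download directory
WIN_DL = r"C:\Users\user\dl"          # assumed client download directory

_SEP_RE = re.compile(r"[\\/]")
_DOTS_ONLY_RE = re.compile(r"^\.{2,}$")


def parse_nlst(reply: bytes) -> list:
    """Split a raw NLST reply into the names the server sent."""
    return [line for line in reply.decode("latin-1").split("\r\n") if line]


def unsafe_local_path(download_dir: str, name: str, mod=posixpath) -> str:
    """Mirrors the flaw: the server-supplied name is joined to the download
    directory without inspection. An absolute name replaces the directory,
    a dot-dot name climbs out of it."""
    return mod.normpath(mod.join(download_dir, name))


def escapes(download_dir: str, path: str, mod=posixpath) -> bool:
    """True if PATH resolves outside DOWNLOAD_DIR under MOD's path rules."""
    root = mod.normpath(download_dir)
    target = mod.normpath(path)
    return target != root and not target.startswith(root + mod.sep)


def is_safe_name(name: str) -> bool:
    """Validation policy (an assumption of this example, not wget's fix):
    accept only a single plain file name component."""
    if not name or "\x00" in name:
        return False
    if _SEP_RE.search(name):          # "../x", "/abs", "..\x": any separator
        return False
    if _DOTS_ONLY_RE.match(name):     # "..", "...": dot-only components
        return False
    if ":" in name:                   # "C:": drive letter or NTFS stream
        return False
    return True


def triage(reply: bytes) -> list:
    """For each listed name: (name, escapes on POSIX, escapes on Windows,
    accepted by the validator)."""
    rows = []
    for name in parse_nlst(reply):
        posix_path = unsafe_local_path(POSIX_DL, name, posixpath)
        win_path = unsafe_local_path(WIN_DL, name, ntpath)
        rows.append((
            name,
            escapes(POSIX_DL, posix_path, posixpath),
            escapes(WIN_DL, win_path, ntpath),
            is_safe_name(name),
        ))
    return rows


if __name__ == "__main__":
    for name, px, win, ok in triage(MALICIOUS_NLST):
        print(f"{name!r:26} posix_escape={px!s:5} win_escape={win!s:5} accepted={ok}")
```

The Windows-only forms (backslash dot-dot, drive prefix) do not escape under POSIX rules, and Python's ntpath does not model the legacy Windows collapse of "..." into "../..", so a containment check built on normpath alone would pass the "..." entry. That is why the validator decides on syntax (any separator, any dot-only component, any colon) instead of trusting path normalisation, which is the property a client needs regardless of which platform it is compiled for.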

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at vuldb@securityfocus.com.

- Solution

Sun has released a security update to address this issue in the Cobalt RaQ XTR. Please see the references section for further details. A fix is linked below.

RedHat has released advisory RHSA-2002:229-10 to address this issue.

Mandrake has released a security advisory (MDKSA-2002:86) containing fixes.

Debian has made fixes available. See referenced advisory for additional details.

Gentoo has released an advisory and fix for this issue. Please see the attached advisory for details on obtaining and applying fixes.

SCO has made fixes for Caldera Linux available.

Immunix has released a security advisory (IMNX-2003-7+-011-01) containing fixes to address this issue. Users are advised to upgrade as soon as possible.

Fixes available:


Sun Cobalt RaQ XTR

GNU wget 1.5.3

GNU wget 1.7.1

GNU wget 1.8.1

GNU wget 1.8.2
