
Wget Arbitrary Commands Execution - walterbell
https://blogs.securiteam.com/index.php/archives/2701
======
raimue
I hate it when blog posts do not have any date and time somewhere on the
article page. The only indicator is that it was filed into "July 2016" in the
archive sidebar.

------
nilved
Am I alone in thinking that this behaviour is expected and intuitive? To the
extent that I had to verify cURL didn't have the same behaviour.

~~~
Puts
It's not a security hole and it's not a bug. Wget even prints out all the
things that are happening. Everybody seems to be grasping at straws right now
just to be able to make the next branded vulnerability.

~~~
icebraining
The wget developers disagree, they call it a security vulnerability. I'm
inclined to agree because knowing that HTTP → HTTP redirections _don't_ have
this behaviour, it's dangerous for HTTP → FTP to have it.

Whether wget prints it out is irrelevant, as it's often used in scripts.

[http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html](http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html)

------
rtpg
Well, "good" to see a bug that wouldn't have been solved by using Rust.

I had never really thought about this attack vector though. Writing to
`.bash_profile` is effectively the same as writing executable code.

Though I like the whole "everything is a file" concept (I know this isn't
exactly that but...), it seems like we should be striving for something safer.
For example, I guess in something like Plan9 you could have wget start playing
sound out of your speakers? Crazy.

File handles shouldn't cause RCE vulnerabilities, right?

I suppose sandboxing is one way of dealing with this. Another is having to
explicitly "give a file" to wget and co. for editing. None of this "oh, here
you go program, write to anything in my home directory".
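
The policy this thread circles around (a redirect, such as the HTTP → FTP case mentioned above, should not decide which file lands in a home directory), as an added example that is not part of any comment here and is not wget's code. `local_target`, `UnsafeDownload`, `ALLOWED_REDIRECT_SCHEMES` and the example.test URLs are hypothetical names constructed for illustration.

```python
import posixpath
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Assumed policy: redirects may stay on or move between these schemes only.
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}


class UnsafeDownload(Exception):
    """The download would be written somewhere the caller did not ask for."""


def local_target(requested_url, redirect_chain, dest_dir):
    """Return the path to save to, named after the URL the caller requested.

    redirect_chain is the list of absolute Location targets the server sent.
    They are checked but never used to pick the local file name.
    """
    for hop in redirect_chain:
        scheme = urlsplit(hop).scheme.lower()
        if scheme not in ALLOWED_REDIRECT_SCHEMES:
            raise UnsafeDownload(f"redirect to {scheme!r} refused: {hop}")

    name = posixpath.basename(unquote(urlsplit(requested_url).path)) or "index.html"
    # Dotfiles in a home directory (.bash_profile, .wgetrc) are read as
    # configuration or code, so never create one from a URL.
    if name.startswith(".") or "\\" in name or "\x00" in name:
        raise UnsafeDownload(f"refusing local name {name!r}")

    dest = Path(dest_dir).resolve()
    target = (dest / name).resolve()  # follows an existing symlink, if any
    if target.parent != dest:
        raise UnsafeDownload(f"{target} is outside {dest}")
    return target


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        # Constructed inputs: a normal redirect, then an HTTP -> FTP one.
        print(local_target("http://example.test/pkg/tool.tar.gz",
                           ["https://cdn.example.test/tool.tar.gz"], d))
        try:
            local_target("http://example.test/pkg/tool.tar.gz",
                         ["ftp://files.example.test/.bash_profile"], d)
        except UnsafeDownload as exc:
            print("blocked:", exc)
```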

------
_wmd
Peppering your description with 100 uses of the word "arbitrary" and "crafted"
does not cause expected behaviour to become a security vulnerability! That's
not a "crafted" location header, it's a perfectly normal location header.

------
simula67
Shouldn't we stop storing configuration files at $HOME ? Most terminal
emulators also start at $HOME by default which compounds this problem.

~~~
tokenizerrr
Where else would you like to put them?

~~~
simula67
How about /etc/username ?

~~~
icebraining
And then you can't install a package because its name conflicts with the name
of some user?

------
sigcode
Note to securiteam: ns2.beyondsecurity.com 209.40.99.8 appears to be dead

Edit: Ignore this. I was blocking AWS.

~~~
tux3
From my network ns2.beyondsecurity.com is up and running as
ec2-50-18-152-199.us-west-1.compute.amazonaws.com

~~~
sigcode
Correct. My mistake. Only down for me. I block AWS as part of blocking mobile
ads.

