Published: 27/10/2017 Updated: 30/12/2017

CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 829

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget prior to 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

Vulnerable Product	Search on Vulmon	Subscribe to Product
gnu wget
debian debian linux 8.0
debian debian linux 9.0

Synopsis Important: wget security update Type/Severity Security Advisory: Important Topic An update for wget is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which ...

Debian Bug report logs - #879957 wget CVE-2017-13089/CVE-2017-13090 Package: wget; Maintainer for wget is Noël Köthe <noel@debianorg>; Source for wget is src:wget (PTS, buildd, popcon) Reported by: Henri Salo <henri@nervfi> Date: Fri, 27 Oct 2017 16:42:02 UTC Severity: serious Tags: fixed-upstream, security, ups ...

Several security issues were fixed in Wget ...

Heap-based buffer overflow in HTTP protocol handlingA heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code (CVE-2017-13090) Stack-based buffer overflow in H ...

A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code ...

A stack-based buffer overflow has been found in the HTTP protocol handling code of wget < 1192, when processing chunked, encoded HTTP responses By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code ...

PoC for wget v1.19.1

CVE-2017-13089 wget v1191 for exploit dev NOTE This is not a working exploit - under development Usage # Build the container docker build -t cve201713089 # OR docker pull robertcolejensen/cve201713089 # Play around in the container, `src` will be mounted at `/opt/CVE-2017-13089/src` /runsh # Develop an exploit, runs `gdb` with external debugging symbols loaded /r

CVE-2017-13089

CVE-2017-13089 CVE-2017-13089 的payload 的生成程序，此版本需要手动定位出需要执行的栈的地址 # 直接是也是有可能成功的 shellcode 部分中 buf 为利用msf生成出的普通payload 直接替换你所需的payload即可使用方法如下： python shellcodepy&nc -lp 80<payload

CWE-119 https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f http://www.securitytracker.com/id/1039661 http://www.securityfocus.com/bid/101592 https://github.com/r1b/CVE-2017-13089 http://www.debian.org/security/2017/dsa-4008 https://security.gentoo.org/glsa/201711-06 https://access.redhat.com/errata/RHSA-2017:3075 https://www.synology.com/support/security/Synology_SA_17_62_Wget https://access.redhat.com/errata/RHSA-2017:3075 https://nvd.nist.gov https://usn.ubuntu.com/3464-1/

CVE-2017-13089

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect