Published: 27/10/2017 Updated: 30/12/2017

CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 828

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget prior to 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

Vulnerable Product	Search on Vulmon	Subscribe to Product
gnu wget
debian debian linux 8.0
debian debian linux 9.0

Synopsis Important: wget security update Type/Severity Security Advisory: Important Topic An update for wget is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which ...

Debian Bug report logs - #879957 wget CVE-2017-13089/CVE-2017-13090 Package: wget; Maintainer for wget is Noël Köthe <noel@debianorg>; Source for wget is src:wget (PTS, buildd, popcon) Reported by: Henri Salo <henri@nervfi> Date: Fri, 27 Oct 2017 16:42:02 UTC Severity: serious Tags: fixed-upstream, security, ups ...

Several security issues were fixed in Wget ...

Heap-based buffer overflow in HTTP protocol handlingA heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code (CVE-2017-13090) Stack-based buffer overflow in H ...

A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code ...

A heap-based buffer overflow has been found in the HTTP protocol handling code of wget < 1192, when processing chunked encoded HTTP responses By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code ...

CWE-119 https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba http://www.securitytracker.com/id/1039661 http://www.securityfocus.com/bid/101590 http://www.debian.org/security/2017/dsa-4008 https://security.gentoo.org/glsa/201711-06 https://access.redhat.com/errata/RHSA-2017:3075 https://www.synology.com/support/security/Synology_SA_17_62_Wget https://access.redhat.com/errata/RHSA-2017:3075 https://nvd.nist.gov https://usn.ubuntu.com/3464-1/

CVE-2017-13090

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect