A critical flaw in the open-source Wget application that is widely used on Linux and Unix systems for retrieving files has been patched quietly.
“It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,” developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.
The flaw was actually first reported to the GNU Wget project by HD Moore, chief research officer at Rapid 7. The vulnerability has now also been publicly identified as CVE-2014-4877.
“Random bug found by accident, but the implication is that the FTP server can overwrite your entire filesystem,” Moore tweeted to eWEEK.
So just to recap here, Wget is on nearly every Linux server in the world, and it had a flaw that could have enabled anyone to overwrite directories on a server. That’s very serious.
Moore is well-known and -respected in security circles as the founder of the open-source Metasploit penetration testing framework. There is now an exploit in Metasploit to let security researchers test the flaw, but Moore and the Metasploit team didn’t jump the gun. The flaw was fixed by the Wget project, with patches available for most modern Linux distributions before there was any hint of trouble publicly reported.
That’s the way security research should work. Flaws are found and then reported to the affected project or vendor, they get patched, and then security tools let researchers go out and make sure everything is secure.
Unlike the overly hyped flaws of 2014 including Heartbleed, ShellShock, POODLE and Sandworm, the Wget flaw doesn’t have a branded name—although there has been some lighthearted banter on Twitter about a few possibilities.
Tod Beardsely joked that the vulnerability should have been named “WGETBLEED,” while security researcher Chris John Riley suggested that the flaw be called “wegetton and the string of death.”
Joshua Smith suggested the somewhat edgier “wtfget,” and Brandon Perry suggested the name “wgetmeafreeshell.”
Personally, I have a different name that I’d like to call this bug—thankful. I’m thankful that Moore found and reported this flaw, as we’re all safer as a result.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
