Pierluigi Paganini January 02, 2019

Developers that include the GNU’s wget utility in their applications have to use the new version that was released on Boxing Day.

GNU Wget is a free software package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols. It is a non-interactive commandline tool, so it may easily be called from scripts, cron jobs, terminals without X-Windows support, etc. GNU Wget has many features to make retrieving large files or mirroring entire web or FTP sites easy.

The flaw, tracked as CVE-2018-20483, could allow local users to obtain sensitive information (e.g., credentials contained in the URL) by reading the attributes.

The security researcher Gynvael Coldwind (@voltagex) discovered that the stored attributes can include user usernames and passwords.

The security researcher Hanno Böck highlighted that URLs can sometimes contain “secret tokens” used for external services like file hosting. The attributes could be accessed on any logged-in machine using the getfattr command.

“The URL of downloads gets stored via filesystem attributes on systems that support Unix extended attributes.” Böck wrote.

“You can see these attributes on Linux systems by running getfattr -d [filename] (The download URL is stored in a variable “user.xdg.origin.url”)”

“This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.” reads the description published by the Mitre.

The issue has been privately reported to Chrome as well and will be fixed soon.

According to the Wget developer Tim Rühsen, the utility stopped using xattrs by default from the version 1.20.1.

The expert Hector Martin pointed out a threat actor wanting to steal stored URLs from can move it from the target’s hard drive to a USB key.

Pierluigi Paganini

(SecurityAffairs – wget, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]