On Fri, Feb 04, 2005 at 02:57:12AM +0200, Lars Wirzenius wrote:
> I had a look at Debian bug 284875, "wget: Arbitrary file
> overwriting/appending/creating and other vulnerabilities", specifically
> about points (1) and (2) therein. I set up the proof of concept Perl
> script to run via inetd, which I think is a working way of setting it
> up. The script responds to HTTP queries and does, I think, respond in
> the way to trigger the exploit. Lynx and wget both follow the
> redirections.
>
> I can't, however, replicate the points (1) and (2) using version
> 1.9.1-10 in Debian sid. Instead of overwriting or appending or other bad
> things happening, wget seems to only create a file with ".1" (or ".2"
> etc) appended to the filename. The same happens with 1.9.1-8 in Debian
> sarge.

Anybody wanting to fix this will sooner or later need to RTFM -- no pun
intended; the options are really hairy, and many of them have one or
another bearing on this. The trick is to use the -c or -N options. Also
note that -x can be used instead of -r. See the discussion in the manpage
under the `-nc' option.

On the server (exploiter's) side, you might use a filename that is highly
unlikely to be present on the target system, yet is highly likely to be
executed (/etc/cron.d/<sufficiently long number> comes to mind).

Note that it is possible to make an educated guess about the
presence/absence of -c, -N, and -r options.

Cheers,
Jan.

-- 
 )^o-o^(        jabber: [EMAIL PROTECTED]
  .v K          e-mail: jjminar FastMail FM
  ` - .'        phone:  +44(0)7981 738 696
   \ __/Jan     icq:    345 355 493
  __|o|__Minář  irc:    [EMAIL PROTECTED]
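Added illustration (not the Perl proof of concept from bug 284875 and not wget's own code): a small model of the two behaviours the thread turns on. First, how a recursive (-r/-x style) downloader derives a local file name from a server-chosen redirect target, in a naive form where ".." segments survive and the file lands outside the download root, beside a hardened form that strips dot segments and refuses anything that escapes the root. Second, why the flags matter: by default an existing name gets a ".1"/".2" suffix, which is what Lars observed, whereas a mode that reuses the existing file (the -c/-N behaviour Jan points at) appends to or overwrites it. The download root, the host name and the /etc/cron.d target are constructed for the demo.

```python
"""Model of redirect-driven local file naming in a recursive downloader.

Added example: not wget's code and not the PoC script from the thread.
PREFIX, the host name and the redirect target below are constructed.
"""
import os
from urllib.parse import urlsplit, unquote

PREFIX = "/tmp/wget-demo"   # constructed download root


def naive_local_path(location, prefix=PREFIX):
    """Flawed scheme: host directory plus the URL path exactly as the server
    sent it. '..' segments survive, so the file can land outside prefix."""
    u = urlsplit(location)
    rel = unquote(u.path).lstrip("/")
    return os.path.normpath(os.path.join(prefix, u.netloc, rel))


def safe_local_path(location, prefix=PREFIX):
    """Hardened scheme: drop empty, '.' and '..' segments, then verify the
    resolved path still sits under prefix (covers odd host strings too)."""
    u = urlsplit(location)
    segments = [s for s in unquote(u.path).split("/")
                if s not in ("", ".", "..")]
    if not segments:
        segments = ["index.html"]
    root = os.path.normpath(prefix)
    candidate = os.path.normpath(os.path.join(root, u.netloc, *segments))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("redirect target escapes download root: %s" % location)
    return candidate


def output_name(path, existing, reuse_existing):
    """Name that actually gets written.

    reuse_existing=False models the default: a name already present in
    `existing` gets .1, .2, ... appended, so nothing is clobbered.
    reuse_existing=True models the -c / -N style behaviour: the existing
    file is reused, i.e. appended to or overwritten, which is what makes a
    planted name such as /etc/cron.d/<number> dangerous.
    """
    if reuse_existing or path not in existing:
        return path
    n = 1
    while "%s.%d" % (path, n) in existing:
        n += 1
    return "%s.%d" % (path, n)


if __name__ == "__main__":
    # constructed redirect target in the spirit of the thread
    evil = "http://evil.example/../../../../etc/cron.d/1234567890"
    print("naive:", naive_local_path(evil))
    print("safe: ", safe_local_path(evil))
    seen = {PREFIX + "/index.html", PREFIX + "/index.html.1"}
    print("default:", output_name(PREFIX + "/index.html", seen, False))
    print("reuse:  ", output_name(PREFIX + "/index.html", seen, True))
```

Run it as-is; the naive path resolves to /etc/cron.d/1234567890 while the hardened one stays under /tmp/wget-demo, and the same index.html name yields index.html.2 by default but index.html itself in reuse mode.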

